Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 3.2.13

Bug #2203 The _ruleCheckMaxFileSize() method does not check for upload errors
Submitted: 2004-08-24 05:05 UTC Modified: 2006-12-26 22:41 UTC
From: jeroen at terena dot nl Assigned: avb
Status: Closed Package: HTML_QuickForm
PHP Version: Irrelevant OS: *
Roadmaps: (Not assigned)    
Subscription  


 [2004-08-24 05:05 UTC] jeroen at terena dot nl
Description: ------------ Consider the following configuration: - Your INI only accepts 40MB - You set maxfilesize of a QF file element to 35MB - Somebody uploads a file that is 60MB. The form will validate because effectively the filesize of the temp file is 0 (it's not there). This is unexpected behaviour. This patch will check to see if the filesize does not exceed the INI max value or the hidden form variable MAX_FILE_SIZE. If it does exceed one of these, it will return false. The patched method uses constants available from PHP 4.3.0, but they can be replaced by integers (1 and 2, see: http://nl3.php.net/manual/en/features.file-upload.errors.php) Jeroen Reproduce code: --------------- Path: --- file.old.php Tue May 25 13:35:22 2004 +++ file.php Tue May 25 13:34:51 2004 @@ -253,6 +253,10 @@ */ function _ruleCheckMaxFileSize($elementValue, $maxSize) { + if (@$elementValue['error'] == UPLOAD_ERR_INI_SIZE || @$elementValue['error'] == UPLOAD_ERR_FORM_SIZE) { + // File was bigger than allowed by INI and/or FORM + return false; + } if (!HTML_QuickForm_file::_ruleIsUploadedFile($elementValue)) { return true; } Expected result: ---------------- false. Form should not validate if a file bigger than maxfilesize was uploaded Actual result: -------------- true. Because the upload never actually gets there thus the filesize is below the max allowed filesize (namely 0) This in my opinion unexpected behaviour. If you upload a file bigger than what the maxfilesize rule was set to, the form should not validate. Regardless of any INI settings.

Comments

 [2004-10-09 14:34 UTC] avb
This bug has been fixed in CVS. In case this was a documentation problem, the fix will show up at the end of next Sunday (CET) on pear.php.net. In case this was a pear.php.net website problem, the change will show up on the website in short time. Thank you for the report, and for helping us make PEAR better.