
Bug #2203 The _ruleCheckMaxFileSize() method does not check for upload errors
Submitted: 2004-08-24 10:05 UTC
From: jeroen at terena dot nl
Assigned: avb
Status: Closed
Package: HTML_QuickForm
PHP Version: Irrelevant
OS: *
Roadmaps: (Not assigned)


 [2004-08-24 10:05 UTC] jeroen at terena dot nl
Description:
------------
Consider the following configuration:
- Your INI only accepts 40MB
- You set maxfilesize of a QF file element to 35MB
- Somebody uploads a file that is 60MB.

The form will validate because effectively the filesize of the temp file is 0 (it's not there). This is unexpected behaviour.

This patch will check to see if the filesize does not exceed the INI max value or the hidden form variable MAX_FILE_SIZE. If it does exceed one of these, it will return false.

The patched method uses constants available from PHP 4.3.0, but they can be replaced by integers (1 and 2, see: http://nl3.php.net/manual/en/features.file-upload.errors.php)

Jeroen

Reproduce code:
---------------
Path:
--- file.old.php Tue May 25 13:35:22 2004 +++ file.php Tue May 25 13:34:51 2004 @@ -253,6 +253,10 @@ */ function _ruleCheckMaxFileSize($elementValue, $maxSize) { + if (@$elementValue['error'] == UPLOAD_ERR_INI_SIZE || @$elementValue['error'] == UPLOAD_ERR_FORM_SIZE) { + // File was bigger than allowed by INI and/or FORM + return false; + } if (!HTML_QuickForm_file::_ruleIsUploadedFile($elementValue)) { return true; }

Expected result:
----------------
false. Form should not validate if a file bigger than maxfilesize was uploaded

Actual result:
--------------
true. Because the upload never actually gets there, thus the filesize is below the max allowed filesize (namely 0)

This is, in my opinion, unexpected behaviour. If you upload a file bigger than what the maxfilesize rule was set to, the form should not validate. Regardless of any INI settings.
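
Review bot: In the added `if` at the top of `_ruleCheckMaxFileSize()`, the `@` in front of `$elementValue['error']` suppresses more than the missing-key notice it is there for; test `isset($elementValue['error'])` first and compare afterwards, which also makes it explicit that a value with no `error` key falls through to the existing `_ruleIsUploadedFile()` check and its `return true`. The report states that `UPLOAD_ERR_INI_SIZE` and `UPLOAD_ERR_FORM_SIZE` are only available from PHP 4.3.0, so if older versions have to keep working, compare against the integers 1 and 2 the report names or guard the constants with `defined()`. The docblock that closes just above the function should also say that the rule now returns false on these two upload errors and not only on a measured size.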
