Description: ------------ Consider the following configuration: - Your INI only accepts 40MB - You set maxfilesize of a QF file element to 35MB - Somebody uploads a file that is 60MB. The form will validate because effectively the filesize of the temp file is 0 (it's not there). This is unexpected behaviour. This patch will check to see if the filesize does not exceed the INI max value or the hidden form variable MAX_FILE_SIZE. If it does exceed one of these, it will return false. The patched method uses constants available from PHP 4.3.0, but they can be replaced by integers (1 and 2, see: http://nl3.php.net/manual/en/features.file-upload.errors.php) Jeroen Reproduce code: --------------- Path: --- file.old.php Tue May 25 13:35:22 2004 +++ file.php Tue May 25 13:34:51 2004 @@ -253,6 +253,10 @@ */ function _ruleCheckMaxFileSize($elementValue, $maxSize) { + if (@$elementValue['error'] == UPLOAD_ERR_INI_SIZE || @$elementValue['error'] == UPLOAD_ERR_FORM_SIZE) { + // File was bigger than allowed by INI and/or FORM + return false; + } if (!HTML_QuickForm_file::_ruleIsUploadedFile($elementValue)) { return true; } Expected result: ---------------- false. Form should not validate if a file bigger than maxfilesize was uploaded Actual result: -------------- true. Because the upload never actually gets there thus the filesize is below the max allowed filesize (namely 0) This in my opinion unexpected behaviour. If you upload a file bigger than what the maxfilesize rule was set to, the form should not validate. Regardless of any INI settings.

This bug has been fixed in CVS. In case this was a documentation problem, the fix will show up at the end of next Sunday (CET) on pear.php.net. In case this was a pear.php.net website problem, the change will show up on the website in short time. Thank you for the report, and for helping us make PEAR better.