23/09/2007, 02:39   #6
Dan Parry
RE: [PHP] MAX_FILE_SIZE not working with file uploads

> -----Original Message-----
> From: Ray [mailto:ray@stilltech.net]
> Sent: 23 September 2007 02:25
> To: php-general@lists.php.net
> Subject: Re: [php] MAX_FILE_SIZE not working with file uploads
>
> On Saturday 22 September 2007 7:44:55 pm Jeff Cohan wrote:
> > Dan Parry wrote:
> > > I might be wrong but this would be classed as
> > > 'exploitable'... Webservers should not be allowed
> > > to read from or write to clients... Of course there
> > > is ActiveX...
> >
> > I think we're off the point.
> >
> > My script is simply interrogating the value of the
> > $_FILES[userfile][size] array element. It's coming up as ZERO if it
> > exceeds the MAX_FILE_SIZE.
>
> Exactly, no valid file was uploaded. The size of the valid file is
> therefore zero.
>
> > That seems odd to me. But maybe that's
> > the way it's SUPPOSED to work. That's why I started this thread out
> > with "What am I missing?".
> >
> > Said another way:
> >
> > It seems that the server had to know the size of the file in order
> > to know it exceeded MAX_FILE_SIZE. So how can my script find out the
> > size?
>
> Can you use JavaScript to check file size client side, send data via
> AJAX then issue warnings


This would be the exploitable 'feature' I mentioned... Client-side files
should never be readable.

Dan
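
Added example, not part of the thread: a server-side check for the case discussed above, where `$_FILES` reports a size of zero once MAX_FILE_SIZE is exceeded. It reads the upload error code to say why, uses the request's Content-Length as an upper bound on what was sent, and enforces its own limit; the function name `inspect_upload` and the constant `SERVER_LIMIT` are assumptions made for the example, and a single-file field is assumed.

```php
<?php
// Added example, not code from the thread. 'userfile' is the field name used
// in the thread; SERVER_LIMIT is an assumed application-side limit.
const SERVER_LIMIT = 2 * 1024 * 1024; // bytes (assumption)

function inspect_upload(array $files, array $server, string $field = 'userfile'): array
{
    // Content-Length covers the whole multipart body (file, other fields,
    // boundaries), so it is only an upper bound on the file's size.
    $bodyLen = isset($server['CONTENT_LENGTH']) ? (int) $server['CONTENT_LENGTH'] : null;

    if (!isset($files[$field])) {
        // A body larger than post_max_size leaves $_FILES and $_POST empty.
        return ['ok' => false, 'reason' => 'no file received', 'approx_bytes' => $bodyLen];
    }

    $f = $files[$field];
    $reasons = [
        UPLOAD_ERR_INI_SIZE  => 'exceeds upload_max_filesize',
        UPLOAD_ERR_FORM_SIZE => 'exceeds MAX_FILE_SIZE form field',
        UPLOAD_ERR_PARTIAL   => 'upload was cut short',
        UPLOAD_ERR_NO_FILE   => 'no file selected',
    ];
    if ($f['error'] !== UPLOAD_ERR_OK) {
        // PHP discarded the file, which is why size reads 0 here.
        $reason = $reasons[$f['error']] ?? 'upload error ' . $f['error'];
        return ['ok' => false, 'reason' => $reason, 'approx_bytes' => $bodyLen];
    }

    // MAX_FILE_SIZE arrives in the request, so the client controls it.
    // Enforce the real limit against the size PHP measured.
    if ($f['size'] > SERVER_LIMIT) {
        return ['ok' => false, 'reason' => 'exceeds server limit', 'approx_bytes' => $f['size']];
    }
    return ['ok' => true, 'reason' => 'accepted', 'approx_bytes' => $f['size']];
}

// Constructed sample: what PHP hands the script when MAX_FILE_SIZE is exceeded.
$files  = ['userfile' => ['name' => 'big.zip', 'type' => '', 'tmp_name' => '',
                          'error' => UPLOAD_ERR_FORM_SIZE, 'size' => 0]];
$server = ['CONTENT_LENGTH' => '5243112'];
print_r(inspect_upload($files, $server));
```

In a real request handler the call would be `inspect_upload($_FILES, $_SERVER)`.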