Le 10/09/2022 à 11:31, Yasuo Ohgaki a écrit :
2022年9月7日(水) 22:58 Misha <misha...@gmail.com>:
I can understand the motivation, but I am against the change.
To increase uploaded file max size, POST max size must be increased too.
For 99.99% entry points do not need 50MB POST max size.
and larger POST max size increases DoS risks.
Default upload file max size and POST max size should be small enough value
for better security.
IMHO, PHP script that handles large POST data should increase these
settings.
Regards,
--
Yasuo Ohgaki
yohg...@ohgaki.net
Hello,
Where I work we use a client side component that split files, send them
chunked, handle progress, resuming etc... along with a server side PHP
component. This method was originally developed for three reasons: allow
huge file uploads (videos), give the user a progress bar, and more
importantly, be able to bypass POST max size restrictions in production
environments we cannot configure because they're managed by a remote
external admin team.
My point is, I don't care about default limit remaining 2MB personally
because we mostly work on products in which chunking files is the
default. Anyway you also will have limit set at the HTTPd level as well
if you want to be able to use it fully (in my original case the most
limiting layer in the HTTP stack was Nginx at the time) having every
layer in your stack working nicely together regarding POST size is not
something you will always have in production environment that you don't
fully manage yourself.
I think that raising the limit to something between 10MB and 20MB is
something reasonable so that people like me in the future won't be
forced to develop a client side file chunker for most use (phone photos,
some PDF files, etc... most commonly), but raising higher may be a
security issue. My phone takes 4k pics andthey site between 4MB and
10MB, I think that the default limit doesn't have to be much more than
this. As soon as you want to let your users upload bigger files, relying
on a single HTTP POST seems dangerous for all of ergonomics, security
and performance.
Regards,
--
Pierre
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
