Increasing Upload Limits and Security...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
User avatar
seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Increasing Upload Limits and Security...

Post by seodevhead »

I have some scripts on a new website that allow people to upload photos. These days, photos are so large, these upload scripts absolutely LAUGH at php's default 2MB upload_max_filesize limit.

It is not out of the ordinary for people to want to upload 100-200mb of photos with each post in my scripts. I know I can allow this by putting the following in each .htaccess for each script's directory:

php_value max_execution_time 200
php_value upload_max_filesize 175M
php_value post_max_size 200M
php_value memory_limit 100M

So my question is:

Is this acceptable? Is it acceptable on the security front? And is it acceptable on the performance front? What is one to do in a situation like mine where I want my users to be able to upload 5-10 full resolution photos?

NOTE: Due to time constraints... I cannot utilize FTP do upload these photos. I need to stick with php's built-in file uploading $_FILE method. Thanks for your help.
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Increasing Upload Limits and Security...

Post by Mordred »

Wow, that's a lot of porn!

It definitely puts strain on your server. I'm not sure of the security implications, apart from the usual ones related to file uploads (in short: make sure they won't upload PHPs :)
Set this up on a lab machine (try a virtual appliance with ram and CPU limits similar to your hosting) and write some curl scripts to upload huge files and see for yourself how long it will take to bring it down.
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Increasing Upload Limits and Security...

Post by kaisellgren »

175 MB max upload filesize? Why? I mean... the biggest JPEG picture that I can find from my family photoalbum is around 5 MB in size. How can anyone ever reach that size if you are only accepting photos? From what I understand, that is the limit for a single file, not all files combined together what you might be thinking? For example, most picture hosts allow sizes around 1-4 MB per file... what you are doing is that you allow sizes of 175 MB per picture ? :/

Your settings a kind of suck, really. Look at the max execution time = 200 seconds.

Well, in my country, I have pretty fast Internet connection. My download rate is around 1000 kBps, and upload rate is 100 kBps. Let's do some calculations.

100 kB * 200 = 20 000 kB, or 20 MB. What if the user has a 256k DSL? He is able to barely upload a file of at most 5 MB. Remember, we are talking about theoretical limits here. If the uploader is surfing the Internet or uploading something else at the same moment, his upload rate will go down even more - aka takes longer to upload.

My suggestions: lower your max filesize a lot and put the execution time higher.
Post Reply