Craft CMS security scans: upload of over-the-limit file hangs the system; should it throw exception/error?

[mikefats]

Description

We are putting our new Craft CMS 3.2 install (dev environment) through some security scan paces, including uploads of 500Mb files. We'd expect to throw an exception message/error page on an over-the-limit file, but it is not doing that currently (it simply hangs).

When we run these scans against other CMS applications, when the upload is attempted, an error is thrown by the web server and the underlying CMS applications continue to function as they should as do the actual scans. This is not the case when it comes to Craft.

To pass the security scan, we'd like Craft to throw an error, not just 'hang.'

If Craft is hanging or timing out while you’re uploading a large file, or if you get the error message “The uploaded file is empty”, you’re probably running into a limitation imposed by your server’s configuration. https://craftcms.com/guides/troubleshooting-unsuccessful-file-uploads

Our PHP Info:
memory_limit 512M;
upload_max_filesize 256M

Steps to reproduce

1. upload a 500Mb file
2. Craft CMS 'hangs'

Additional info

• Craft version: 3.3.15
• PHP version: 7.2.19
• Database driver & version: MySQL 5.7.27
• Plugins & versions:
  Element API | 2.6.0
  Field Manager | 2.1.0
  Redactor | 2.4.0

[brandonkelly]

Go to Utilities → PHP Info. What is your upload_max_filesize setting set to?

[mikefats]

upload_max_filesize is set to 256M

[angrybrad]

I'm not able to reproduce this on a fresh install.

php.ini memory_limit is set to 512M, upload_max_filesize is set to 256M and Craft's maxUploadFilesize is set to the default 16M.

When I try to upload a 512M file, I get a JavaScript alert in the CP saying

The file “512MB.zip” could not be uploaded, because it exceeds the maximum upload size of 16.0 MB.

If I bump maxUploadFilesize to 512M, and try the same thing, I get:

The file “512MB.zip” could not be uploaded, because it exceeds the maximum upload size of 256.0 MB.

Because it's now hitting the php.ini file's upload_max_filesize limit of 256M.

[angrybrad]

Are you getting any JS errors in your console when this happens? Depending on if you're running nginx/Apache/IIS, you could be hitting some web server limitations: https://craftcms.stackexchange.com/a/2330/57

[mikefats]

Thank you for following up Brad. The security team on our campus actually used some App Spider scan app that flagged the issue, so I'm asking them for details about exactly what steps were taken/executed, and once I find out I will fill you in. And you're right: when I do an upload through the admin interface, anything larger than 16MB is caught and stopped – works as expected.

Are you getting any JS errors in your console when this happens?

Depending on if you're running nginx/Apache/IIS, you could be hitting some web server limitations: https://craftcms.stackexchange.com/a/2330/57 I was informed that we're not getting a '413' error, but a '500' one. Thanks again,

…

On Thu, Jan 2, 2020 at 2:37 PM Brad Bell ***@***.***> wrote: Are you getting any JS errors in your console when this happens? Depending on if you're running nginx/Apache/IIS, you could be hitting some web server limitations: https://craftcms.stackexchange.com/a/2330/57 — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#5278?email_source=notifications&email_token=AAKVVYLFV57GYCLUBVKKPILQ3ZNCZA5CNFSM4JSNYRT2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEH7P7QI#issuecomment-570359745>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAKVVYLUY4VW2A2HM7LGBTLQ3ZNCZANCNFSM4JSNYRTQ> .