Limit $_POST array size to a maximum of 16MB
francoisjacquet committed Aug 5, 2022
1 parent acb4b27 commit 4022954
Showing 2 changed files with 45 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGES.md
@@ -94,6 +94,7 @@ Changes in 10.0
- MySQL use LONGTEXT type for textarea field in Fields.fnc.php & DisciplineForm.php
- SQL Check requested assignment belongs to teacher in Assignments.php
- CSS fix responsive when really long string with no space in stylesheet.css
- Limit `$_POST` array size to a maximum of 16MB in Warehouse.php

Changes in 9.3.1
----------------
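Review bot: the changelog entry should also name the new `ROSARIO_POST_MAX_SIZE_LIMIT` constant and state that it can be overridden in config.inc.php, since that is the setting an administrator with a larger MySQL `max_allowed_packet` needs to know about; for example: `- Limit `$_POST` array size to a maximum of 16MB (override with ROSARIO_POST_MAX_SIZE_LIMIT in config.inc.php) in Warehouse.php`.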
44 changes: 44 additions & 0 deletions Warehouse.php
@@ -286,6 +286,50 @@ function array_rwalk( &$array, $function )
}
}

/**
* Limit $_POST array size to a maximum of 16MB
*
* $_POST array size is limited by PHP post_max_size configuration option
* But this includes $_FILES as well & post_max_size must be greater than upload_max_filesize
* One may want to be able to upload a 100MB file, but may not want the $_POST var,
* with for example the text or HTML of a textarea to be 100MB and later stored in database.
*/
if ( ! defined( 'ROSARIO_POST_MAX_SIZE_LIMIT' ) )
{
/**
* Fix a limit of 16MB based on MySQL max_allowed_packet default limit
* Limit size can be overriden in the config.inc.php file
*/
define( 'ROSARIO_POST_MAX_SIZE_LIMIT', 16 * 1024 * 1024 ); // 16MB in bytes.
}

if ( $_POST
&& strlen( serialize( $_POST ) ) > ROSARIO_POST_MAX_SIZE_LIMIT )
{
$post_max_size_limit = function( $value ) {
if ( strlen( $value ) > ( ROSARIO_POST_MAX_SIZE_LIMIT / 4 ) )
{
// Reset value > limit / 4, or else we would send it in the HackingLog email!
return 'ROSARIO_POST_MAX_SIZE_LIMIT / 4 reached.';
}

return $value;
};

array_rwalk( $_POST, $post_max_size_limit );

array_rwalk( $_REQUEST, $post_max_size_limit );

require_once 'ProgramFunctions/HackingLog.fnc.php';

// Do not translate.
$error[] = 'You are submitting too much data: over the ' .
( ROSARIO_POST_MAX_SIZE_LIMIT / 1024 / 1024 ) .
'M limit. Try reducing the data you are submitting.';

HackingLog();
}

/**
* Sanitize $_REQUEST array
* ($_POST + $_GET)
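Review bot: the check `strlen( serialize( $_POST ) ) > ROSARIO_POST_MAX_SIZE_LIMIT` measures the serialized form (keys plus `s:N:"...";` overhead), not the bytes submitted, and it builds a complete copy of `$_POST` in memory on every request, so with `post_max_size` at the 100MB the comment mentions the check itself can allocate another 100MB before deciding anything. Summing leaf lengths with `array_walk_recursive`, or comparing `$_SERVER['CONTENT_LENGTH']` first when `$_FILES` is empty, gives the same decision without the copy. Once the limit is exceeded, each value longer than `ROSARIO_POST_MAX_SIZE_LIMIT / 4` is replaced by the literal `'ROSARIO_POST_MAX_SIZE_LIMIT / 4 reached.'` and `$error[]` is set, but nothing in this block stops the request: unless `HackingLog()` terminates execution, the code after it continues with that sentinel string in `$_POST` and `$_REQUEST`, and values up to 4MB each are still allowed through, so an explicit exit or redirect after `HackingLog();` would make the intent clear rather than relying on the logger. Minor: `overriden` in the comment should read `overridden`, and `ROSARIO_POST_MAX_SIZE_LIMIT / 1024 / 1024` produces a float in the message when the configured limit is not a whole number of megabytes.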
