#2411 closed Defect (fixed)
Actions will not be executed when post_max_size is exceeded.
| Reported by: | aszepeshazi | Owned by: | mrclay |
|---|---|---|---|
| Priority: | high | Milestone: | Elgg 1.8.6 |
| Component: | Core | Version: | 1.7 |
| Severity: | minor | Keywords: | post_max_size, exceeded, actions |
| Cc: | brettp | Difficulty: | moderate |
Description (last modified by brettp)
When a http post request was made with a total size > php post_max_size, the called action doesn't have a chance to handle this exception gracefully. Instead the core action handler will redirect the user and display the message "Form is missing token or ts fields", which is rather confusing for the end user.
The reason for this is, quoting from php manual: "If the size of post data is greater than post_max_size, the $_POST and $_FILES superglobals are empty." Meaning also no elgg_token and elgg_ts values.
Plugins should have the possibility to gracefully handle this event.
Change History (22)
comment:1 Changed 3 years ago by cash
- Difficulty set to moderate
- Milestone set to Elgg 1.8
comment:2 Changed 3 years ago by brettp
comment:3 Changed 2 years ago by ewinslow
- Resolution set to fixed
- Status changed from new to closed
#2237 takes care of this?
comment:4 Changed 2 years ago by cash
- Milestone changed from Elgg 1.8 to Elgg 1.8.1
- Resolution fixed deleted
- Status changed from closed to reopened
We still need to add code to handle this condition and display a useful message to the user
comment:5 Changed 23 months ago by cash
- Priority changed from normal to high
comment:6 Changed 16 months ago by cash
- Status changed from reopened to new
comment:7 Changed 16 months ago by cash
- Milestone changed from Elgg 1.8.x to Elgg 1.8.5
comment:8 Changed 13 months ago by mrclay
- Owner set to mrclay
- Status changed from new to assigned
I suggest this check occur in validate_action_token on this line. Something like:
if ($_SERVER['REQUEST_METHOD'] === 'POST' && empty($_POST) && $_SERVER['CONTENT_LENGTH'] > 500) {
// @todo trigger a plugin hook here?
register_error(elgg_echo('actiongatekeeper:exceededpostlimit'));
} else {
register_error(elgg_echo('actiongatekeeper:missingfields'));
}
comment:9 follow-up: ↓ 10 Changed 13 months ago by brettp
- Description modified (diff)
Why not use ini_get('post_max_size') instead of 500?
comment:10 in reply to: ↑ 9 Changed 13 months ago by mrclay
Replying to brettp:
Why not use ini_get('post_max_size') instead of 500?
True, although if CONTENT_LENGTH > 0, there should be something in POST/FILES, so maybe a limit check isn't required.
Does Elgg already have a function to turn "15M"/etc into ints?
Should we assume all uploads will go through the action system? I.e. should this check be done during bootup and set some kind of global flag?
comment:11 Changed 13 months ago by brettp
True, although if CONTENT_LENGTH > 0, there should be something in POST/FILES, so maybe a limit check isn't required.
AFAIK, CONTENT_LENGTH is only sent with POST, so that's true. Will need to confirm that.
Does Elgg already have a function to turn "15M"/etc into ints?
elgg_get_ini_setting_in_bytes()
Should we assume all uploads will go through the action system? I.e. should this check be done during bootup and set some kind of global flag?
If uploads aren't going through the action system I think the plugin should be expected to handle errors itself.
comment:12 Changed 13 months ago by brettp
@mrclay - Were you working on this as a PR or just the code you have in the comments?
comment:13 Changed 13 months ago by mrclay
I haven't started work on it. I should have time to send a PR this weekend.
comment:14 Changed 13 months ago by brettp
np and thanks. Throw it back over to unassigned if you don't have time.
comment:15 Changed 12 months ago by mrclay
PR: https://github.com/Elgg/Elgg/pull/222
Let me know if I need to re-apply against master.
comment:16 Changed 12 months ago by ewinslow
No, this counts as a bug fix and so can go into 1.8.x, as the milestone reflects.
comment:17 Changed 12 months ago by Steve Clay
- Resolution set to fixed
- Status changed from assigned to closed
Fixes #2411: Show message when upload exceeds PHP limits, and show limits in Server Info
Changeset: 7c0215018897bfb578e6116ef9d36e5edc1fe5cf
comment:18 Changed 12 months ago by Cash Costello
Merge pull request #222 from mrclay/issue2411
Fixes #2411: Show message when upload exceeds PHP limits
Changeset: 4abe9e6727108efd1f834a80a7942ed92cae2a52
comment:19 Changed 12 months ago by Cash Costello
Refs #2411 removed <code> in warning as it was causing a display issue in server info table
Changeset: b43e6c7d5550aef3d319148de37fa49cadc33855
comment:20 Changed 11 months ago by Steve Clay
Fixes #2411: Show message when upload exceeds PHP limits, and show limits in Server Info
Changeset: 7c0215018897bfb578e6116ef9d36e5edc1fe5cf
comment:21 Changed 11 months ago by Cash Costello
Merge pull request #222 from mrclay/issue2411
Fixes #2411: Show message when upload exceeds PHP limits
Changeset: 4abe9e6727108efd1f834a80a7942ed92cae2a52
comment:22 Changed 11 months ago by Cash Costello
Refs #2411 removed <code> in warning as it was causing a display issue in server info table
Changeset: b43e6c7d5550aef3d319148de37fa49cadc33855
Rels #2602 - Add a plugin hook when action tokens fail.