Debian Bug report logs - #685383
PHP cannot handle uploads bigger than 2GB


Package: php5; Maintainer for php5 is (unknown);

Reported by: Vasil Kolev <vasil@ludost.net>

Date: Mon, 20 Aug 2012 11:33:04 UTC

Severity: normal

Tags: lfs, patch, upstream

Fixed in version 5.6.0~alpha1+dfsg-1

Done: Lior Kaplan <kaplan@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.php.net/bug.php?id=44522



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#685383; Package php5. (Mon, 20 Aug 2012 11:33:07 GMT)


Acknowledgement sent to Vasil Kolev <vasil@ludost.net>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 20 Aug 2012 11:33:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Vasil Kolev <vasil@ludost.net>
To: submit@bugs.debian.org
Subject: PHP cannot handle uploads bigger than 2GB
Date: Mon, 20 Aug 2012 14:23:16 +0300
Package: php5
Version: 5.3.3-7+squeeze14
Tags: patch, upstream, lfs

PHP doesn't support uploads of files bigger than 2GB. It's a known bug
in upstream - https://bugs.php.net/bug.php?id=44522 - but the fix still
isn't in and there doesn't seem to be any answer.

Right now I'm running with the patch from above, tweaked a bit to apply
to the PHP in squeeze, which I'm attaching. A part of it (the conversion
from atoi() to atol() ) is already included in the php5 package in
testing (version 5.4.4-4) but the rest doesn't seem to be there. The
patch is kludgy and I'd agree to fix it up a bit if there's the
possibility to be accepted.

This is reproducible with setting in php.ini the upload_max_filesize to
something more than 2GB, post_max_size to the same value, having the
following code in a php file:

<?php
// The upload arrives in $_FILES under the form field name used by curl ("file").
if (!move_uploaded_file($_FILES['file']['tmp_name'], "/tmp/testfile")) {
	echo "doesn't work";
} else {
	echo "works";
}
@unlink("/tmp/testfile");
?>

And running from somewhere 

dd if=/dev/zero of=bigf bs=1M count=4099
curl -F file=@bigf  'http://some.server.addr/upload.php'

(fixing the url to reflect the position of the php file)

As for the reason for this, a lot of sites (including mine) actually
need this kind of upload, as there's no good way to push files to it
otherwise (I've seen suggestions to use FTP) that the users can easily
use. With the proliferation of big video files, there's a lot of stuff
people want to upload which goes above these limits.


-- 
Regards,
Vasil Kolev
[php.64bit.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#685383; Package php5. (Thu, 23 Aug 2012 07:24:03 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 23 Aug 2012 07:24:03 GMT)


Message #10 received at 685383@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: Vasil Kolev <vasil@ludost.net>, 685383@bugs.debian.org
Subject: Re: [php-maint] Bug#685383: PHP cannot handle uploads bigger than 2GB
Date: Thu, 23 Aug 2012 09:20:58 +0200
Hi Vasil,

I don't think the patch is correct as is; there are still places where
there is a mix of uints and longs, which needs to be corrected.  Also
it's quite late to include a patch which changes data structures with
unknown impact; also see Stas's comment:

> [2012-02-23 19:14 UTC] stas@php.net
> It's probably too late for 5.4, but would be OK for trunk. The patch however
> needs to be cleaned up (no IGNORE vars, etc.) and changing signature for
> zend_atoi may not be safe if any code out there presumes it returns int (integer
> overflow). Also, no reason to use signed long there where we used unsigned long.

Thus I am not going to include it in wheezy.

O.

On Mon, Aug 20, 2012 at 1:23 PM, Vasil Kolev <vasil@ludost.net> wrote:
> Package: php5
> Version: 5.3.3-7+squeeze14
> Tags: patch, upstream, lfs
>
> PHP doesn't support uploads of files bigger than 2GB. It's a known bug
> in upstream - https://bugs.php.net/bug.php?id=44522 - but the fix still
> isn't in and there doesn't seem to be any answer.
>
> Right now I'm running with the patch from above, tweaked a bit to apply
> to the PHP in squeeze, which I'm attaching. A part of it (the conversion
> from atoi() to atol() ) is already included in the php5 package in
> testing (version 5.4.4-4) but the rest doesn't seem to be there. The
> patch is kludgy and I'd agree to fix it up a bit if there's the
> possibility to be accepted.
>
> This is reproducible with setting in php.ini the upload_max_filesize to
> something more than 2GB, post_max_size to the same value, having the
> following code in a php file:
>
> <?php
> // The upload arrives in $_FILES under the form field name used by curl ("file").
> if (!move_uploaded_file($_FILES['file']['tmp_name'], "/tmp/testfile")) {
>         echo "doesn't work";
> } else {
>         echo "works";
> }
> @unlink("/tmp/testfile");
> ?>
>
> And running from somewhere
>
> dd if=/dev/zero of=bigf bs=1M count=4099
> curl -F file=@bigf  'http://some.server.addr/upload.php'
>
> (fixing the url to reflect the position of the php file)
>
> As for the reason for this, a lot of sites (including mine) actually
> need this kind of upload, as there's no good way to push files to it
> otherwise (I've seen suggestions to use FTP) that the users can easily
> use. With the proliferation of big video files, there's a lot of stuff
> people want to upload which goes above these limits.
>
>
> --
> Regards,
> Vasil Kolev
>



-- 
Ondřej Surý <ondrej@sury.org>
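
Added example, not part of the original bug log and not code from PHP or from the attached patch: a stand-alone C program showing why the int versus long width discussed above matters for an upload size check, using the 4099 MiB size of the test file from the report. The function names and the 8 MiB limit are hypothetical, chosen for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical legacy path: the parsed length ends up in a 32-bit int.
 * Out-of-range conversion is implementation-defined; gcc and clang wrap
 * modulo 2^32, which is the behaviour shown here. */
static int32_t length_as_int32(const char *s)
{
    long long v = strtoll(s, NULL, 10);
    return (int32_t)v;
}

/* A size limit enforced on the narrowed value. */
static int legacy_limit_ok(const char *s, int32_t max_bytes)
{
    return length_as_int32(s) <= max_bytes;
}

/* Strict parse: digits only, no overflow, bounded by a 64-bit limit.
 * Returns 0 and stores the value on success, -1 on any rejection. */
static int parse_length_u64(const char *s, uint64_t max_bytes, uint64_t *out)
{
    char *end;
    unsigned long long v;

    if (s == NULL || *s < '0' || *s > '9')  /* rejects "", "-1", " 5", "+5" */
        return -1;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0')    /* overflow or trailing junk */
        return -1;
    if (v > max_bytes)
        return -1;
    *out = (uint64_t)v;
    return 0;
}

int main(void)
{
    uint64_t n = 0;
    /* Constructed input: 4099 MiB, the size of the test file in the report. */
    const char *len = "4298113024";
    int legacy = legacy_limit_ok(len, 8 * 1024 * 1024);         /* wrapped value passes */
    int strict = parse_length_u64(len, 8ULL * 1024 * 1024, &n); /* rejected: over limit */
    return !(legacy == 1 && strict == -1);
}
```

The narrowed value of the 4099 MiB length is 3 MiB, so a limit check done on the 32-bit result passes, while a length between 2 GiB and 4 GiB becomes negative; widening the parser's return type only helps if every variable that later holds the value is widened with it.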



Set Bug forwarded-to-address to 'https://bugs.php.net/bug.php?id=44522'. Request was from Lior Kaplan <kaplan@debian.org> to control@bugs.debian.org. (Sat, 28 Sep 2013 18:18:12 GMT)


Added tag(s) pending. Request was from Lior Kaplan <kaplan@debian.org> to control@bugs.debian.org. (Sat, 28 Sep 2013 18:18:13 GMT)


Reply sent to Lior Kaplan <kaplan@debian.org>:
You have taken responsibility. (Fri, 07 Feb 2014 23:42:08 GMT)


Notification sent to Vasil Kolev <vasil@ludost.net>:
Bug acknowledged by developer. (Fri, 07 Feb 2014 23:42:08 GMT)


Message #19 received at 685383-done@bugs.debian.org:

From: Lior Kaplan <kaplan@debian.org>
To: 685383-done@bugs.debian.org
Subject: Fixed
Date: Sat, 8 Feb 2014 01:39:09 +0200
Version: 5.6.0~alpha1+dfsg-1

The fix to this bug is part of PHP 5.6, which got uploaded to experimental.
Closing with the right version.

Kaplan

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 14 Mar 2014 07:33:45 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 00:38:10 2023; Machine Name: buxtehude
