Increase Post_Max_Size Security Risks?

 
  • katart
  • Junior Member
  • Members
  • Join Date: 26-Jul 10
  • 26 posts

Posted 20 January 2016 - 07:10 PM #1

I need to increase the maximum upload size to 50MB. In the php.ini file, I changed the `upload_max_filesize` from 8M to 50M but that didn't fix the problem. I'm still getting the following error:

 

Error File is too large. Max uploading size is 8M

 

I assume I have to modify the `post_max_size` from 8M to 50M but I was told by the server administrator that increasing the `post_max_size` can be a security risk.

 

Does increasing `post_max_size` create a security risk? If so, can I increase the upload limit without increasing the `post_max_size`?

 

Thanks



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11363 posts

Posted 20 January 2016 - 09:36 PM #2

It can be a risk for a conscious attack.  I.e. flooding your server with extremely large post requests.

But if you need large data, then you have no other choice.

 

Since the data is posted, you will bump up against that limit.


EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.
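
The relationship described in the reply above, as an added example that is not part of the original thread or of CS-Cart's code: the upload travels inside the POST body, so the effective ceiling is the smaller of the two settings, which is why the 8M error persisted after only `upload_max_filesize` was raised. The function names and the sample php.ini text are constructed for illustration; the fallback values are PHP's built-in defaults.

```python
import configparser

UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def to_bytes(value):
    """Convert PHP shorthand ('8M', '512K', '1G') or a plain integer to bytes."""
    value = value.strip()
    if value and value[-1].upper() in UNITS:
        return int(value[:-1]) * UNITS[value[-1].upper()]
    return int(value)

def audit(ini_text):
    """Return (upload ceiling in bytes, findings) for the [PHP] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    php = cp["PHP"]
    # Fallbacks are PHP's built-in defaults.
    upload = to_bytes(php.get("upload_max_filesize", "2M"))
    post = to_bytes(php.get("post_max_size", "8M"))
    memory = to_bytes(php.get("memory_limit", "128M"))
    findings = []
    if post == 0:
        # 0 disables the POST body limit entirely.
        findings.append("post_max_size=0: request bodies are unbounded")
        ceiling = upload
    else:
        # The file travels inside the POST body, so the smaller value wins
        # (multipart framing makes the real per-file limit slightly lower).
        ceiling = min(upload, post)
        if post < upload:
            findings.append("post_max_size is below upload_max_filesize: "
                            "uploads are capped by post_max_size")
        if memory != -1 and memory < post:  # -1 means no memory limit
            findings.append("memory_limit is below post_max_size")
    return ceiling, findings

# Constructed samples: the state described in post #1, then both limits raised.
BEFORE = "[PHP]\nupload_max_filesize = 50M\npost_max_size = 8M\nmemory_limit = 128M\n"
AFTER = "[PHP]\nupload_max_filesize = 50M\npost_max_size = 50M\nmemory_limit = 128M\n"

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        ceiling, findings = audit(text)
        print(name, ceiling // 1024 ** 2, "MB", findings)
```
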


 
  • katart
  • Junior Member
  • Members
  • Join Date: 26-Jul 10
  • 26 posts

Posted 21 January 2016 - 02:25 PM #3

Thanks for the response. Can the software be coded to only use `upload_max_filesize` and NOT use `post_max_size`? Essentially uploading files using an upload function and not a POST function.

 

Does that make sense?



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11363 posts

Posted 21 January 2016 - 06:06 PM #4

Doesn't make sense to me. The data would always be POSTed unless you uploaded a file to the server and then modified things to reference that file versus uploading it through HTTP.

 

Many people change the default PHP parameters to account for the extenuating needs.  I don't think it's any more of a security risk than the current limits unless you don't have the physical memory to back it up.

