
I am using Apache Thrift to move small base64 encoded files to a PHP backend (with Apache web server). It is essentially just an HTTP POST request with large amounts of raw body data. I want to limit how much data can be POSTed so that I don't even attempt to process files larger than my target (I will also have a small memory_limit). To test this I set in php.ini:

```
post_max_size=1K
```

I then confirmed that my setting was correctly picked up by running phpinfo().

However, when POSTing roughly 12K of raw textual data to my server I can still get the full contents using

```
file_get_contents("php://input");
```

My understanding is that PHP will simply strip out the data if post_max_size is exceeded instead of throwing an error or exception. Through searching how post_max_size works, information always seems to relate to file uploads rather than a raw post body. Is the post_max_size ini setting not actually looking at the raw size of post requests in addition to posted file upload data? Why when my post_max_size is exceeded do I still get everything that was posted? How can I prevent serving a request or handling large data if the POST raw body data size exceeds my limit? Any help is greatly appreciated.

Luke Cordingley
  • 1
    Limit the max request body size in/with the webserver. https://www.cyberciti.biz/faq/apache-limiting-upload-size/ – Charlotte Dunois Jan 11 '18 at 21:44
  • 1
    The post_max_size does not limit the request body from php://input. This config means that a post body larger than 1K will not be preprocessed and assigned to $_POST (so $_POST should be empty). What you need is the [`LimitRequestBody`](http://httpd.apache.org/docs/2.0/mod/core.html#limitrequestbody) directive from apache2 itself. – Markus Jan 11 '18 at 22:33

0 Answers
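One way to enforce the limit discussed in the comments, as an added example that is not part of the original question or comments: the web server rejects oversized bodies first, and the script caps what it reads from `php://input` as a backstop. The names `MAX_BODY_BYTES` and `read_capped_body` are hypothetical, and the 1024-byte limit is an assumption matching the 1K used in the question.

```php
<?php
// Added example; MAX_BODY_BYTES and read_capped_body are hypothetical names.
// Web-server layer, per the comments above (Apache, value in bytes):
//   LimitRequestBody 1024
// The function below is the in-application backstop for the raw body.

const MAX_BODY_BYTES = 1024; // assumed limit, matching the 1K in the question

/**
 * Read at most $limit bytes of a raw request body from $stream.
 * Returns the body, or null if the declared or actual size exceeds $limit.
 */
function read_capped_body($stream, int $limit, ?string $declaredLength): ?string
{
    // Fast path: refuse on the declared Content-Length without reading anything.
    if ($declaredLength !== null && ctype_digit($declaredLength)
        && (int) $declaredLength > $limit) {
        return null;
    }

    // Content-Length can be absent (chunked transfer), so also cap the read.
    // Asking for $limit + 1 bytes detects an oversized body without pulling
    // the remainder into the script's memory.
    $body = stream_get_contents($stream, $limit + 1);
    if ($body === false || strlen($body) > $limit) {
        return null;
    }
    return $body;
}

// Handle the request only under a web SAPI, so the file can also be included elsewhere.
if (PHP_SAPI !== 'cli') {
    $in = fopen('php://input', 'rb');
    $body = read_capped_body($in, MAX_BODY_BYTES, $_SERVER['CONTENT_LENGTH'] ?? null);
    fclose($in);

    if ($body === null) {
        http_response_code(413); // Payload Too Large
        exit;
    }
    // $body is at most MAX_BODY_BYTES long here; pass it on for processing.
}
```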