PHP Security in DOM Forms and Gauges

I had an interesting discussion with a PHP security colleague.

Say a person has a PHP site that works with a standard HTML form. The attacker decides to use the Chrome developer tools and add to the DOM `enctype="multipart/form-data"` and a file input.

The attacker then uploads a file. It probably will not be executed if it is a virus, but it still uses bandwidth / storage for the moment. Will the file end up in PHP's /tmp directory just by doing this? Doesn't this make any form unsafe, since the user can upload a file through any form?

On a larger scale, what if 100,000 people added this to the DOM and each uploaded a random gigabyte file? Wouldn't that affect their bandwidth and / or memory?

1 answer

The upload happens regardless. The file is stored in the upload temp directory, and then the PHP script runs. If the script does not process the uploaded file, it is automatically deleted from the temp directory after the script completes.

Whether the server aborts the request when the maximum size is exceeded is a configuration matter.

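The behaviour the answer describes, as an added example that is not part of the original question or answer: a handler for a form that only expects `name` and `email`, which refuses any request that smuggled file parts in via a modified DOM, logs what PHP has already written to the temp directory, and leaves the temp files to be discarded when the script ends. The form field names, the `/var/tmp/php-uploads` path, the size limits and the sample `$_FILES` array are assumptions made for illustration; the code assumes PHP 8 for the `match` expression.

```php
<?php
// Added example, not code from the original post. Assumes a form whose only
// expected fields are "name" and "email"; anything that shows up in $_FILES
// was added by the client, not by the page.
//
// Size limits are configuration, not code. upload_max_filesize and
// post_max_size are PHP_INI_PERDIR, so they cannot be changed with ini_set()
// at runtime; put values like these (assumed here) in php.ini or .user.ini:
//   file_uploads = On
//   upload_max_filesize = 2M
//   post_max_size = 2M
//   upload_tmp_dir = /var/tmp/php-uploads
// If post_max_size is exceeded, PHP drops the entire body: $_POST and $_FILES
// arrive empty and only a warning lands in the error log. If a single part
// exceeds upload_max_filesize, the $_FILES entry is still created, with
// error = UPLOAD_ERR_INI_SIZE. To stop the bytes before PHP ever runs, cap
// the body at the web server (nginx: client_max_body_size 2m; Apache:
// LimitRequestBody 2097152), which answers with 413 instead.

declare(strict_types=1);

/** Map a PHP upload error constant to a short label for the log. */
function uploadErrorLabel(int $code): string
{
    return match ($code) {
        UPLOAD_ERR_OK         => 'ok',
        UPLOAD_ERR_INI_SIZE   => 'exceeds upload_max_filesize',
        UPLOAD_ERR_FORM_SIZE  => 'exceeds MAX_FILE_SIZE form field',
        UPLOAD_ERR_PARTIAL    => 'partial upload',
        UPLOAD_ERR_NO_FILE    => 'no file',
        UPLOAD_ERR_NO_TMP_DIR => 'missing temp dir',
        UPLOAD_ERR_CANT_WRITE => 'cannot write to disk',
        UPLOAD_ERR_EXTENSION  => 'stopped by extension',
        default               => 'unknown',
    };
}

/**
 * Return one log line per file part found in a form that takes no files.
 * By the time this runs PHP has already written each part to upload_tmp_dir;
 * because nothing calls move_uploaded_file() on them, they are removed when
 * the request ends. An empty return value means the request is clean.
 */
function unexpectedUploads(array $files): array
{
    $log = [];
    foreach ($files as $field => $info) {
        // A multi-file input (name="f[]") nests arrays; flatten to one level.
        $names = (array) $info['name'];
        $sizes = (array) $info['size'];
        $errs  = (array) $info['error'];
        foreach ($names as $i => $name) {
            $log[] = sprintf(
                'refused upload field=%s name=%s size=%d status=%s',
                $field, $name, (int) $sizes[$i], uploadErrorLabel((int) $errs[$i])
            );
        }
    }
    return $log;
}

if (PHP_SAPI !== 'cli') {
    // Real request: refuse before touching $_POST at all.
    $refused = unexpectedUploads($_FILES);
    if ($refused !== []) {
        foreach ($refused as $line) {
            error_log($line);
        }
        http_response_code(400);
        exit('This form does not accept files.');
    }
    // ...normal handling of $_POST['name'] and $_POST['email'] goes here...
} else {
    // Constructed sample of what $_FILES looks like after a client added
    // <input type="file" name="hidden"> to the form and sent a 1 MiB blob.
    $sample = ['hidden' => [
        'name'     => 'big.bin',
        'type'     => 'application/octet-stream',
        'tmp_name' => '/var/tmp/php-uploads/phpAbC123',
        'error'    => UPLOAD_ERR_OK,
        'size'     => 1048576,
    ]];
    foreach (unexpectedUploads($sample) as $line) {
        echo $line, PHP_EOL;
    }
}
```

Run from the CLI it prints the single refusal line for the constructed sample; behind a web server it returns 400 whenever `$_FILES` is non-empty. The check is deliberately on `$_FILES` rather than on the `Content-Type` header, because a client can send `multipart/form-data` with no file parts and that is harmless; the cost the question worries about (bandwidth and temp-directory writes) has already been paid by the time the handler runs, which is why the body cap belongs in the web server or php.ini, not in the script.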
