php tmp files larger than upload_max

GOT

Well-Known Member
#1
We've got a server with Litespeed on it. Running php 5.6 with post_max and upload_max set to 100M each.

We are finding files called phpXXXXXX in /tmp that are much larger than 100M, causing tmp to fill up.

Any thoughts on how these are getting uploaded? It's someone trying to screw with us because they are png files from google earth.

We've put a process in place to delete them after two minutes, but would like to understand how they are getting uploaded in excess of the php limits.
 

NiteWave

Administrator
#2
I did upload tests on both Apache and LSWS; looks like the same behavior.

it looks like upload_max is checked only after the upload has already completed.

and I did tests on CentOS 7, and can't find it (by ls -al /tmp) during upload, although it indeed uploads and tmp_name is /tmp/phpXXXXX.
I did similar tests before, when CentOS 7 was not out yet, and I could see those /tmp/phpXXXX files during upload.

while this is more likely a PHP issue, really bad for such an attack; not sure if there is a good solution there.

at web server's side, there's limit for request body size.
apache: LimitRequestBody (http://httpd.apache.org/docs/2.0/mod/core.html#limitrequestbody)
lsws: web admin->Server->Tuning->Max Request Body Size (bytes) , default is 500M

not sure if the limit can prevent a bad upload in real time.
 

GOT

Well-Known Member
#3
Interesting. We are not running in apache config mode, does Litespeed have a specific setting for this as well?
 


NiteWave

Administrator
#5
Interesting. We are not running in apache config mode, does Litespeed have a specific setting for this as well?
already replied in the same post:
lsws: web admin->Server->Tuning->Max Request Body Size (bytes) , default is 500M
you can set it to 100M, then you'll never see
We are finding files called phpXXXXXX in /tmp that are much larger than 100M
(for test purpose, you can set it to 8M, to see if any /tmp/phpXXXX will exceed 8M)

when you upload in Chrome, you will see
ERR_CONNECTION_RESET

and in the web server's error_log, you will see such an entry
Code:
2019-01-28 07:54:32.435919 [NOTICE] [1.2.3.4:53744] Request body size: 177739309 is too big!
per my tests, only this setting will prevent the illegal upload immediately.

any PHP settings like
upload_max_filesize
post_max_size
(http://www.php.net/manual/en/ini.list.php)
will take effect; however, it's after the upload has completed.

a mod_sec rule will take effect too, for example this one: https://serverfault.com/questions/5...aded-file-with-limitrequestbody-and-proxypass
Code:
# Enable request processing
SecRuleEngine On
# enable inspection of request bodies
SecRequestBodyAccess On
# set actual request size limit
SecRequestBodyLimit 3000000
# actually generate an HTTP error, instead of truncating
SecRequestBodyLimitAction Reject
# Avoid big request bodies that do not try to upload files
SecRequestBodyNoFilesLimit 1048576
# tune memory usage
SecRequestBodyInMemoryLimit 131072
tested it on Apache 2.4, but this can't prevent the upload completing either.
only after the upload has completed will it return "HTTP/1.1 413 Request Entity Too Large" to the browser
(but failed to test the above rule on lsws 5.3.5 for the time being)
 
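The timing difference NiteWave describes in posts #2 and #5 (the web server's body limit acts before or during the transfer, PHP's upload_max_filesize only after the whole body is already in /tmp) is easy to see in a small model. The Python below is an added example, not code from this thread, from LiteSpeed or from PHP. It assumes scaled-down limits (8 MiB instead of 100M/500M), a constructed byte stream standing in for the Google Earth PNG, and illustrative function names (`handle_upload`, the `scenario_*` helpers); none of these are a real server's API. It also goes one step beyond the thread by covering a chunked upload with no Content-Length, where only a streaming byte count can stop the transfer.

```python
"""Added example, not code from the LiteSpeed thread.

Models the timing difference discussed above: a web-server body limit
(LiteSpeed "Max Request Body Size", Apache LimitRequestBody) can act on the
Content-Length header before any body byte is spooled, or abort mid-stream for
chunked uploads, while PHP's upload_max_filesize is only compared after the
whole body already sits in /tmp/phpXXXXXX.  Limits are scaled down to MiB and
the upload body is constructed bytes, not a real Google Earth PNG.
"""
import tempfile
from typing import Iterable, Mapping, Optional, Tuple

MiB = 1024 * 1024
SERVER_LIMIT = 8 * MiB        # the 8M test value suggested in the thread (assumed)
PHP_UPLOAD_MAX = 8 * MiB      # stands in for upload_max_filesize / post_max_size


def handle_upload(headers: Mapping[str, str],
                  body_chunks: Iterable[bytes],
                  server_limit: Optional[int],
                  php_upload_max: int) -> Tuple[str, int]:
    """Return (outcome, peak bytes that reached the spool file).

    server_limit=None models a server limit larger than the upload (e.g. the
    500M LiteSpeed default against a ~170M file), so only PHP's check remains.
    """
    # 1. Header-time check: the server knows the declared size before reading
    #    the body and can reject immediately (the "Request body size ... is too
    #    big!" NOTICE / ERR_CONNECTION_RESET seen in the thread).
    declared = headers.get("content-length")
    if server_limit is not None and declared is not None and int(declared) > server_limit:
        return ("rejected_by_server_before_body", 0)

    # 2. Streaming check: count bytes as they arrive so a chunked upload with no
    #    Content-Length still stops at the limit instead of filling /tmp.
    written = 0
    with tempfile.NamedTemporaryFile(prefix="php") as spool:   # deleted on close
        for chunk in body_chunks:
            if server_limit is not None and written + len(chunk) > server_limit:
                return ("rejected_by_server_mid_body", written)
            spool.write(chunk)
            written += len(chunk)

    # 3. PHP's turn: the full body is already on disk; exceeding
    #    upload_max_filesize only yields UPLOAD_ERR_INI_SIZE for the script.
    if written > php_upload_max:
        return ("php_UPLOAD_ERR_INI_SIZE_after_full_body", written)
    return ("accepted", written)


def fake_png_upload(total: int = 12 * MiB, chunk: int = MiB) -> Iterable[bytes]:
    """Constructed 12 MiB body arriving in 1 MiB pieces (PNG signature, then
    zero padding; not a real image)."""
    sent = 0
    while sent < total:
        n = min(chunk, total - sent)
        yield b"\x89PNG\r\n\x1a\n" + b"\0" * (n - 8)
        sent += n


def scenario_php_limit_only() -> Tuple[str, int]:
    """The original poster's situation: server limit not reached, PHP limit is."""
    headers = {"content-length": str(12 * MiB)}
    return handle_upload(headers, fake_png_upload(), None, PHP_UPLOAD_MAX)


def scenario_server_limit() -> Tuple[str, int]:
    """Same upload after lowering Max Request Body Size below the file size."""
    headers = {"content-length": str(12 * MiB)}
    return handle_upload(headers, fake_png_upload(), SERVER_LIMIT, PHP_UPLOAD_MAX)


def scenario_chunked_no_length() -> Tuple[str, int]:
    """No Content-Length (chunked); only the streaming byte count can stop it."""
    return handle_upload({}, fake_png_upload(), SERVER_LIMIT, PHP_UPLOAD_MAX)


if __name__ == "__main__":
    for name, fn in [("php limit only", scenario_php_limit_only),
                     ("server limit", scenario_server_limit),
                     ("chunked, no Content-Length", scenario_chunked_no_length)]:
        outcome, on_disk = fn()
        print(f"{name:28s} -> {outcome:40s} peak bytes in /tmp spool: {on_disk}")
```

The first scenario is the original post: with the server limit above the file size, all 12 MiB land in the phpXXXXXX spool before PHP reports UPLOAD_ERR_INI_SIZE, which is exactly the /tmp growth the poster saw. Lowering the server limit below the file size rejects the request on the Content-Length header with nothing written; without a Content-Length the byte counter stops the transfer at the limit, so the spool never grows past it.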