大型POST传输仅适用于已登录的用户？

Question

On my homepage, users that are "logged in" (via a PHP-session), should be allowed to upload very large files (via standard HTML5/PHP/XMLHttpRequest/POST-formular). Therefore, I set 'post_max_size' to 0 in order to remove any restriction on the file size.

However, I want to avoid that now everybody can send arbitrary large POST data to my server and block it. I want to first validate the login, and then accept a very large POST transfer to start.

How to achieve this?

Answer 1

Inspired by the comments of Jari, I implemented the following strategy, which works fine for me. Since I use HTTPS for the website and the file upload, this strategy is even save against network sniffing attacks.

My website is based on php, where logged-in users retrieve a php-session(-id).

php.ini has the default value of post_max_size = 8M back, so no large POST-transfers are accepted by my server in general.

When logging in, I set a temporary cookie secret=XXXXXXXX at the client, where the X's represent a random string that is also saved on server-side in $_SESSION["secret"] .

On the server-side, I create a web-accessible "user-directory" tmp-YYYYYYYY for each session, where the Y's are just another random string. In this directory, I put a symlink that points to my global upload.php -script that receives the file-uploads via POST from the upload-form (you could also just copy upload.php to the user-directory). Now, in order to allow that a POST-transfer to tmp-YYYYYYYY/upload.php may have unlimited size, I also create the file tmp-YYYYYYYY/.htaccess which contains the line php_value post_max_size 0 . This enables to pass unlimited size POST-data to the linked upload-script. However, this is unsecure in the sense that everybody who knows/sniffes the URL tmp-YYYYYYYY/upload.php is able to send arbitrary large POST-data to this file, which may flood the server's tmp-directory. In order to avoid this, my full .htaccess -file looks like this:

RewriteEngine On
RewriteCond %{HTTP_COOKIE} !secret=XXXXXXXX;?
RewriteRule ^ https://www.myserver.com/secreterror.php [L]
php_value post_max_size 0

That is, whenever the client that sends the large POST-data has no cookie with the secret value, then I re direct (since the target is an absolute url) him to some error-notification-script. This redirection does not forward POST-data, so no POST-data is stored on my server in this case. If the client has the correct secret cookie set, then the maximum allowed POST-data size is set to unlimited for the user-directory, thus for upload.php .

Final comments:

• you can also use post_max_size 4G in order to not allow 'really' arbitrary large data
• you can also overwrite other php-values here, all those that are labeled as PHP_INI_PERDIR in this list
• in order to be able to allow to override post_max_size in .htaccess , apache must not run php in CGI mode, but as an apache module. You can check for this by phpinfo() in the field "Server API". See here and here
• the mod_rewrite apache module must be enabled, for example by sudo a2enmod rewrite plus restarting apache service apache2 restart
• probably your virtual host configuration must be be modified such that .htaccess is allowed to enable rewriting, for example by AllowOverride All
• without HTTPS, the cookie is transmitted unsecurely, so the method is then vulnerable to network sniffers, just like php-sessions via HTTP in general, too
• instead of creating a single directory for each session, containing its own .htaccess -file for a single secret key, one could alternatively use for all users the same upload-file (in its own single directory), and store/update all temporary secret keys in a data-base, and then use a modified RewriteCond that checks this data-base for the secret key that is passed in the cookie