{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 迷人小祖宗 的问题《Can $_FILES[…]['size'] be forged?》','https://www.manongdao.com/q-1249631.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
There's a well-known caveat about not trusting the MIME type sent via file upload in PHP ($_FILES[...]['type']) as this is sent by the HTTP client and could therefore be forged.
There's a similar caveat for the file name ($_FILES[...]['name']), which is sent by the HTTP client and could contain potentially dangerous characters.
However, I can't see how the file size ($_FILES[...]['size']) could be forged, as it does not seem to be part of the request payload, at least I can't see it in the dev tools in Chrome, where the payload looks like:
------WebKitFormBoundarytYAQ3ap4cmAB46Ek
Content-Disposition: form-data; name="picture"; filename="picture.jpg"
Content-Type: image/jpeg
Original file name and MIME type are here as expected, but no sign of a size parameter.
Still, I've just stumbled upon Symfony's UploadedFile implementation, that considers the file size as client-originated and therefore not trustable:
Returns the file size. It is extracted from the request from which the file has been uploaded. Then is should not be considered as a safe value.
Can the file size be part of the request payload, and therefore be forged, or is it always inferred from the actual file pointed to by $_FILES[...]['tmp_name'], and therefore always trustable?
Nope. I don't believe the
$_FILES[]['size']array can display false information. Maybe those who are concerned by it, may be referring to compression-related scenarios. Wherein the actual file may be compressed, to the point it does not reflect the file's real value.As far as the size is concerned, the only part not to be trusted is the
MAX_FILE_SIZEattribute<input type="hidden" name="MAX_FILE_SIZE" value="30000" />As suggested by @Dagon in the comments, I checked the PHP source in rfc1867.c.
The lines involved in defining the
[size]attribute are:Which I translate as:
wlensize chunkswlenis added tototal_bytestotal_bytesis assigned to thefile_sizezval...[size]is assigned tolbuffile_sizeis registered under the name contained inlbuf,...[size]So without doubt, the only variable ever assigned to
$_FILES[...]['size']is the actual number of bytes written to the temporary file whose path is assigned to$_FILES[...]['tmp_name'].As far as I can see, there is no way to forge the
sizeattribute.