As designed Attachment system allows uploading larger files than allowed

MilkyMeda

Affected version: 2.1.8 Patch 2
  1. Site only allows attachments up to 4 MB.
  2. User tries to upload an 8 MB file.
  3. User should get an immediate error about file size being too large.
  4. They actually do but only after the upload, at the back-end!
If you try to upload, let's say a 1 GB file, front-end validation kicks in and the user gets the error immediately but that's not happening in much smaller attachments. I only tested this in images so I don't really know about other types.
This is working as designed.

Images can be automatically resized after they are uploaded and this significantly changes the file size. Given an 8MB image which would have fairly large dimensions, if it was resized all the way down to something small like 1024px x 1024px then clearly it wouldn't be 8MB anymore. At that point we check the final size and if it is below the limit, we accept it, otherwise it would be rejected.

The front end validation you're seeing where it kicks it out much quicker is because the file is likely physically too large to be transmitted to the server. We check things like post_max_size and upload_max_file_size. These are hard server limits. Files exceeding these limits would be rejected by PHP or your web server so we wouldn't even be able to attempt to resize them.

Hope that makes sense.
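
The two checks described in the reply above, modelled as an added PHP example that is not part of the thread and not XenForo's code. The function names, the `64M`/`32M` values for PHP's `post_max_size` and `upload_max_filesize` directives, and the post-resize sizes are assumptions made up for illustration.

```php
<?php
// Added illustration; not XenForo code. Function names are hypothetical.

// Convert a php.ini shorthand size ("512K", "8M", "1G", "4194304") to bytes.
function iniSizeToBytes(string $value): int
{
    if (!preg_match('/^\s*(\d+)\s*([KMG]?)\s*$/i', $value, $m)) {
        throw new InvalidArgumentException("Unrecognised size: $value");
    }
    $shift = ['' => 0, 'K' => 10, 'M' => 20, 'G' => 30][strtoupper($m[2])];
    return ((int) $m[1]) << $shift;
}

// Decide where an upload is accepted or refused.
// $resizedBytes is the size after server-side resizing, or null when the
// file is not resized (non-images, or images already small enough).
function classifyUpload(int $rawBytes, ?int $resizedBytes, int $siteLimit,
                        string $postMaxSize, string $uploadMaxFilesize): string
{
    // Hard limits: PHP refuses the request above either directive.
    // Simplification: post_max_size covers the whole request body, which is
    // slightly larger than the file itself.
    $hardLimit = min(iniSizeToBytes($postMaxSize), iniSizeToBytes($uploadMaxFilesize));
    if ($rawBytes > $hardLimit) {
        return 'rejected up front: exceeds hard server limit';
    }
    // Past this point the full file has been transmitted to the server.
    $finalBytes = $resizedBytes ?? $rawBytes;
    return $finalBytes <= $siteLimit
        ? 'accepted after transfer'
        : 'rejected after transfer: final size over site limit';
}

const MB = 1 << 20;
$siteLimit = 4 * MB;   // the 4 MB attachment limit from the report
// Constructed sample: [label, raw bytes, bytes after resize or null]
$uploads = [
    ['8 MB image, resizes to 1 MB', 8 * MB, 1 * MB],
    ['8 MB image, resizes to 5 MB', 8 * MB, 5 * MB],
    ['8 MB file, not resized',      8 * MB, null],
    ['1 GB file',                   1024 * MB, null],
];
foreach ($uploads as [$label, $raw, $resized]) {
    // "64M" and "32M" are constructed values for the two php.ini directives.
    printf("%-30s %s\n", $label, classifyUpload($raw, $resized, $siteLimit, '64M', '32M'));
}
```

With these values every 8 MB upload is transmitted in full before a verdict is reached, so the amount of data the server must receive per attachment is bounded by the two PHP directives rather than by the 4 MB site limit.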