Video upload does not respect maximum file size

[Kirby]

Affected version

2.2.5

Prerequisites
Effective permission XFMG: Upload quotas - Maximum file size (MB) = 10 MB for the test user
post_max_size > 20 MB
upload_max_filesize > 20 MB
Option Allow video/audio uploads with maximum file size not enabled
Option Enable FFmpeg features not enabled
A category that only accepts video uploads

Steps to reproduce
Try to upload a .mp4 video file with 15 MB

Expected Result
The file is rejected as too large - either before upload starts (preferred) or after upload has been finished

Actual Result
The video is accepted

This seems to happen because of \XF\Http\Upload::isValidMaxFileSize()

public function isValidMaxFileSize(&$errors = [], bool $isVideo = false)
{
    if ($isVideo)
    {
        if ($this->maxVideoSize && $this->fileSize > $this->maxVideoSize)
        {
            $errors['fileSize'] = \XF::phrase('uploaded_file_is_too_large');
            return false;
        }
    }
    else
    {
        if ($this->maxFileSize && $this->fileSize > $this->maxFileSize)
        {
            $errors['fileSize'] = \XF::phrase('uploaded_file_is_too_large');
            return false;
        }
    }

    return true;
}

If $this->maxVideoSize is not set (which is the case for XFMG uploads) it is null and thus the method returns true, effectively allowing upload of videos
with an "unlimited" size (up to upload_max_filesize <= post_max_size).

This also affects core XenForo if option Allow video/audio uploads with maximum file size not enabled and a valid video extension (like mp4) is added to option Allowed attachment file extensions.

 

[KenB]

Any traction on this one please? Other than php-ini I can't see a way to make the software respect the upload limits set in the admin panel