Video upload does not respect maximum file size

Kirby

Well-known member
Affected version
2.2.5
Prerequisites
Effective permission XFMG: Upload quotas - Maximum file size (MB) = 10 MB for the test user
post_max_size > 20 MB
upload_max_filesize > 20 MB
Option Allow video/audio uploads with maximum file size not enabled
Option Enable FFmpeg features not enabled
A category that only accepts video uploads

Steps to reproduce
Try to upload a .mp4 video file with 15 MB

Expected Result
The file is rejected as too large - either before upload starts (preferred) or after upload has been finished

Actual Result
The video is accepted

This seems to happen because of \XF\Http\Upload::isValidMaxFileSize()
PHP:
public function isValidMaxFileSize(&$errors = [], bool $isVideo = false)
{
    if ($isVideo)
    {
        if ($this->maxVideoSize && $this->fileSize > $this->maxVideoSize)
        {
            $errors['fileSize'] = \XF::phrase('uploaded_file_is_too_large');
            return false;
        }
    }
    else
    {
        if ($this->maxFileSize && $this->fileSize > $this->maxFileSize)
        {
            $errors['fileSize'] = \XF::phrase('uploaded_file_is_too_large');
            return false;
        }
    }

    return true;
}

If $this->maxVideoSize is not set (which is the case for XFMG uploads) it is null and thus the method returns true, effectively allowing upload of videos with an "unlimited" size (up to upload_max_filesize <= post_max_size).

This also affects core XenForo if the option Allow video/audio uploads with maximum file size is not enabled and a valid video extension (like mp4) is added to the option Allowed attachment file extensions.
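
The fall-through described in the report above, next to one possible hardening, as an added example that is not XenForo's code and not part of the original post. The class UploadSizeCheck, its two method names and the fallback to the general limit are assumptions made for illustration; the sample values are constructed from the reproduction steps.

```php
<?php
// Added illustration: a simplified stand-in, not XenForo's \XF\Http\Upload class.
final class UploadSizeCheck
{
    public function __construct(
        private int $fileSize,       // size of the uploaded file in bytes
        private ?int $maxFileSize,   // general per-user limit in bytes, null = not configured
        private ?int $maxVideoSize   // separate video limit in bytes, null = not configured
    ) {}

    // Same branching as the method quoted in the report:
    // when $isVideo is true and the video limit is null, no size check runs at all.
    public function isValidAsPosted(bool $isVideo): bool
    {
        $limit = $isVideo ? $this->maxVideoSize : $this->maxFileSize;
        return !($limit && $this->fileSize > $limit);
    }

    // Hypothetical hardened variant: a video without its own limit is held
    // to the general limit instead of skipping the check.
    // A limit of null or 0 still means "no limit", matching the truthiness
    // test used in the quoted code.
    public function isValidWithFallback(bool $isVideo): bool
    {
        $limit = $isVideo
            ? ($this->maxVideoSize ?: $this->maxFileSize)
            : $this->maxFileSize;
        return !($limit && $this->fileSize > $limit);
    }
}

const MB = 1024 * 1024;

// Constructed values from the reproduction steps:
// 15 MB .mp4 upload, 10 MB user limit, no separate video limit set.
$check = new UploadSizeCheck(15 * MB, 10 * MB, null);

var_dump($check->isValidAsPosted(true));      // video branch, video limit is null
var_dump($check->isValidAsPosted(false));     // non-video branch, 10 MB limit applies
var_dump($check->isValidWithFallback(true));  // video branch, falls back to the 10 MB limit
```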
 
Any traction on this one please? Other than php.ini I can't see a way to make the software respect the upload limits set in the admin panel.
 
We're a video upload forum first and foremost, can't say I've come across this issue but then again we disabled "video uploads" or whatever that is in usergroup options and only allow .MP4 files to be uploaded via the global attachments options. This way we control the video format type for maximum compatibility and easy viewing with our 360,000 members. We got tired of people complaining about uploaded video formats that aren't fully supported by their particular OS/browser types. Maybe that's a workaround for you, as I haven't had anyone complain about limits yet.
 