Video upload does not respect maximum file size

Kirby

Well-known member
Affected version
2.2.5
Prerequisites
Effective permission XFMG: Upload quotas - Maximum file size (MB) = 10 MB for the test user
post_max_size > 20 MB
upload_max_filesize > 20 MB
Option Allow video/audio uploads with maximum file size not enabled
Option Enable FFmpeg features not enabled
A category that only accepts video uploads

Steps to reproduce
Try to upload a .mp4 video file with 15 MB

Expected Result
The file is rejected as too large - either before upload starts (preferred) or after upload has been finished

Actual Result
The video is accepted

This seems to happen because of \XF\Http\Upload::isValidMaxFileSize()
PHP:
public function isValidMaxFileSize(&$errors = [], bool $isVideo = false)
{
    if ($isVideo)
    {
        if ($this->maxVideoSize && $this->fileSize > $this->maxVideoSize)
        {
            $errors['fileSize'] = \XF::phrase('uploaded_file_is_too_large');
            return false;
        }
    }
    else
    {
        if ($this->maxFileSize && $this->fileSize > $this->maxFileSize)
        {
            $errors['fileSize'] = \XF::phrase('uploaded_file_is_too_large');
            return false;
        }
    }

    return true;
}

If $this->maxVideoSize is not set (which is the case for XFMG uploads) it is null and thus the method returns true, effectively allowing upload of videos with an "unlimited" size (up to upload_max_filesize <= post_max_size).

This also affects core XenForo if option Allow video/audio uploads with maximum file size is not enabled and a valid video extension (like mp4) is added to option Allowed attachment file extensions.
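The fail-open behaviour described in the report above, reproduced as an added example that is not part of the original post and is not XenForo's code. The class `UploadSizeCheck`, its method names and the fallback to the general limit are assumptions made for illustration; the sample cases are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the quoted size check; not XenForo's class.
final class UploadSizeCheck
{
    public function __construct(
        private int $fileSize,
        private ?int $maxFileSize,   // general per-file limit in bytes, null = not set
        private ?int $maxVideoSize   // video-specific limit in bytes, null = not set
    ) {}

    // Same decision logic as the quoted method: an unset video limit skips the check.
    public function isValidFailOpen(bool $isVideo): bool
    {
        $limit = $isVideo ? $this->maxVideoSize : $this->maxFileSize;
        return !($limit && $this->fileSize > $limit);
    }

    // Assumed hardening: a video without its own limit is held to the general limit.
    public function isValidWithFallback(bool $isVideo): bool
    {
        $limit = $isVideo ? ($this->maxVideoSize ?: $this->maxFileSize) : $this->maxFileSize;
        return !$limit || $this->fileSize <= $limit;
    }
}

const MB = 1024 * 1024;

// Constructed cases: [label, file size, general limit, video limit, is video]
$cases = [
    ['15 MB mp4, 10 MB quota, no video limit (the report)', 15 * MB, 10 * MB, null, true],
    ['15 MB mp4, 10 MB quota, 20 MB video limit',           15 * MB, 10 * MB, 20 * MB, true],
    ['15 MB zip, 10 MB quota',                              15 * MB, 10 * MB, null, false],
    ['5 MB mp4, 10 MB quota, no video limit',               5 * MB, 10 * MB, null, true],
];

foreach ($cases as [$label, $size, $maxFile, $maxVideo, $isVideo]) {
    $check = new UploadSizeCheck($size, $maxFile, $maxVideo);
    printf(
        "%-52s fail-open: %-6s fallback: %s\n",
        $label,
        $check->isValidFailOpen($isVideo) ? 'accept' : 'reject',
        $check->isValidWithFallback($isVideo) ? 'accept' : 'reject'
    );
}
```

Only the first case differs between the two checks: with no video limit set, the 15 MB video passes the fail-open check and is rejected once the general 10 MB limit is used as the fallback.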
 
Any traction on this one please? Other than php-ini I can't see a way to make the software respect the upload limits set in the admin panel
 
We're a video upload forum first and foremost, can't say I've come across this issue but then again we disabled "video uploads" or whatever that is in usergroup options and only allow .MP4 files to be uploaded via the global attachments options. This way we control the video format type for maximum compatibility and easy viewing with our 360,000 members. We got tired of people complaining about uploaded video formats that aren't fully supported by their particular OS/browser types. Maybe that's a workaround for you, as I haven't had anyone complain about limits yet.
 
We waited decades to finally enable this feature and just invested $10,000 in new servers specifically to support video uploads. Now that the feature is live and has been announced to the community, we are seeing multiple users uploading extremely large video files because XenForo is not enforcing the file size limits we configured.

This poses a serious and immediate risk to server stability. What can be done to stop this right now, and can we bring in someone immediately, paid if necessary, to diagnose and fix it?
 
Chris said an update to XFMG to match 2.3.8 was coming shortly after 2.3.8 core. Hang tight, it might fix itself soon.
MG 2.3.8 was released along with XF2.3.8 on Jan 22nd 2026, so basically a week before your posting:


As the bug is not marked as fixed it is still there, as @M@rc has experienced and said himself:

This is still happening in XF 2.3.8
 