Bug #88235

Ext: form file upload Memory error when file size exceeds available memory

Added by Susanne Moog 6 months ago. Updated 6 months ago.

Status: Closed
Priority: Should have
Assignee:
Category: Form Framework
Target version: -
Start date: 2019-04-27
Due date:
% Done: 100%
TYPO3 Version: 10
PHP Version:
Tags:
Complexity:
Is Regression: Yes
Sprint Focus: Remote Sprint

Description

Original Report: https://forge.typo3.org/issues/88055

How to reproduce:
- Upload a file which is smaller than the post_max_size/max_upload_size PHP settings but larger than the available PHP memory.

Error shown:
Allowed memory size of 134217728 bytes exhausted (tried to allocate 215859576 bytes) in typo3/sysext/form/Classes/Slot/FilePersistenceSlot.php on line 143

Suspected cause:
Use of file_get_contents, which would store the complete contents of the file in memory.


Related issues

Related to TYPO3 Core - Bug #88055: Faulty error-handling when uploading large files Closed 2019-04-02

Associated revisions

Revision f9f6694a (diff)
Added by Susanne Moog 6 months ago

[BUGFIX] Add guard clause to preFileAdd form hook

With the security fix in #f3445f964 checks on EXT:form file handling
were added to ensure secure form definition files. These checks are
based on FAL hooks. One of these - preFileAdd - contains checks based
on the content of the file to add, to do that, the file content is
fetched via file_get_contents. Due to a missing guard this was executed
for all file add operations instead of only for form definitions
resulting in performance loss and high memory usage. The check has
now been implemented.

Resolves: #88235
Releases: master, 9.5
Change-Id: Ie685df3d67d6ee58b1cd08f18acab1208a487ce7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60596
Tested-by: TYPO3com <>
Tested-by: Dominik Merkel <>
Tested-by: Ralf Zimmermann <>
Reviewed-by: Oliver Hader <>
Reviewed-by: Dominik Merkel <>
Reviewed-by: Ralf Zimmermann <>

Revision 9f423b41 (diff)
Added by Susanne Moog 6 months ago

[BUGFIX] Add guard clause to preFileAdd form hook

With the security fix in #f3445f964 checks on EXT:form file handling
were added to ensure secure form definition files. These checks are
based on FAL hooks. One of these - preFileAdd - contains checks based
on the content of the file to add, to do that, the file content is
fetched via file_get_contents. Due to a missing guard this was executed
for all file add operations instead of only for form definitions
resulting in performance loss and high memory usage. The check has
now been implemented.

Resolves: #88235
Releases: master, 9.5
Change-Id: Ie685df3d67d6ee58b1cd08f18acab1208a487ce7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60603
Tested-by: TYPO3com <>
Tested-by: Ralf Zimmermann <>
Reviewed-by: Ralf Zimmermann <>
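
The guard clause described in the two commit messages above, sketched as an added example; this is not the code from either revision or from TYPO3. The class `PreFileAddGuard`, the constant `FORM_DEFINITION_SUFFIX` with its `.form.yaml` value, and the content rule are assumptions made for illustration, and the sample files are constructed. It requires PHP 8.

```php
<?php
// Assumption: form definitions are recognised by this file name suffix.
const FORM_DEFINITION_SUFFIX = '.form.yaml';

/** Hypothetical stand-in for a pre-add file hook; not TYPO3's FilePersistenceSlot. */
final class PreFileAddGuard
{
    public int $contentReads = 0;

    public function onPreFileAdd(string $targetFileName, string $sourceFilePath): void
    {
        // Guard clause: decide from the name alone, before touching the content.
        if (!$this->isFormDefinition($targetFileName)) {
            return;
        }
        // Only form definitions (small YAML files) are loaded into memory.
        $content = file_get_contents($sourceFilePath);
        if ($content === false) {
            throw new RuntimeException('Cannot read ' . $sourceFilePath);
        }
        $this->contentReads++;
        $this->assertAllowedContent($content);
    }

    private function isFormDefinition(string $fileName): bool
    {
        return str_ends_with(strtolower($fileName), FORM_DEFINITION_SUFFIX);
    }

    private function assertAllowedContent(string $content): void
    {
        // Placeholder for the content-based check (constructed rule for this demo).
        if (str_contains($content, 'forbidden:')) {
            throw new RuntimeException('Form definition rejected');
        }
    }
}

// Constructed sample inputs: an ordinary upload and a form definition.
$upload = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($upload, str_repeat('A', 1024 * 1024));
$form = tempnam(sys_get_temp_dir(), 'frm');
file_put_contents($form, "identifier: contact\ntype: Form\n");

$guard = new PreFileAddGuard();
$guard->onPreFileAdd('holiday-video.mp4', $upload); // skipped: content never read
$guard->onPreFileAdd('contact.form.yaml', $form);   // read and checked
echo "content reads: {$guard->contentReads}\n";
unlink($upload); unlink($form);
```

Without the early return, every upload passes through `file_get_contents`, so peak memory grows with the uploaded file's size instead of with the size of a form definition.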

History

#1 Updated by Susanne Moog 6 months ago

  • Related to Bug #88055: Faulty error-handling when uploading large files added

#2 Updated by Gerrit Code Review 6 months ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/60596

#3 Updated by Gerrit Code Review 6 months ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/60603

#4 Updated by Anonymous 6 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#5 Updated by Benni Mack 6 months ago

  • Status changed from Resolved to Closed
