Can $_FILES[…]['size'] be forged?

Question

There\'s a well-known caveat about not trusting the MIME type sent via file upload in PHP ($_FILES[...][\'type\']) as this is sent by the HTTP client and could

Answer 1

Nope. I don't believe the $_FILES[]['size'] array can display false information. Maybe those who are concerned by it, may be referring to compression-related scenarios. Wherein the actual file may be compressed, to the point it does not reflect the file's real value.

As far as the size is concerned, the only part not to be trusted is the MAX_FILE_SIZE attribute

<input type="hidden" name="MAX_FILE_SIZE" value="30000" />

Answer 2

As suggested by @Dagon in the comments, I checked the PHP source in rfc1867.c.

The lines involved in defining the [size] attribute are:

[1042] wlen = write(fd, buff, blen);
       ...
[1056] total_bytes += wlen;
       ....
[1242] ZVAL_LONG(&file_size, total_bytes);
       ...
[1270] snprintf(lbuf, llen, "%s[size]", param);
       ...
[1275] register_http_post_files_variable_ex(lbuf, &file_size, ...

Which I translate as:

• 1042 The temp file is written in wlen size chunks
• 1056 In each iteration, wlen is added to total_bytes
• 1242 total_bytes is assigned to the file_size zval
• 1270 The target variable name ...[size] is assigned to lbuf
• 1275 file_size is registered under the name contained in lbuf, ...[size]

So without doubt, the only variable ever assigned to $_FILES[...]['size'] is the actual number of bytes written to the temporary file whose path is assigned to $_FILES[...]['tmp_name'].

As far as I can see, there is no way to forge the size attribute.