Closed Bug 91664 Opened 23 years ago Closed 23 years ago

Bugzilla does not enforce a maximum patch/attachment size.

Categories

(Bugzilla :: Attachments & Requests, defect, P1)

Product:
Bugzilla
Component:
Attachments & Requests
Version:
2.13
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.16

People

(Reporter: myk, Assigned: myk)

References

Details

Attachments

(1 file)

patch v1.0
5.78 KB, patch
Details | Diff | Splinter Review 
Bugzilla does not enforce a maximum patch/attachment size, even though it stores
attachments in a LONGBLOB column with a theoretical limit of (2^32 - 1)
characters, a practical limit of 16MB based on the maximum value of mysqld's
max_allowed_packet, and an actual limit equivalent to the value of that variable.

More significantly, the lack of any size enforcement leads to reckless and
wanton uses of space, for example the posting of unnecessary and/or
non-compressed attachments (like highest-quality JPEG screen-shots).
Bugzilla should enforce a maximum patch/attachment size.
Attached patch patch v1.0Splinter Review 

    
    

    
  
This patch fixes the bug by defining two parameters: maxpatchsize and
maxattachmentsize, that installations can configure to restrict the size of
patches and non-patch attachments, respectively.  The parameters are set to
1048576 bytes (1 megabyte) by default.

If set to zero, Bugzilla will not impose a size restriction on
patches/attachments (but one will be imposed by other server software, f.e.
mysql).  Otherwise Bugzilla will warn users on the "Create Attachment" page
about the size restrictions and will display an error if they try to upload
patches/attachments whose sizes exceed the limits.

The patch does some incidental clean-up of Perl and HTML code formatting.


Status: NEW → ASSIGNED
Keywords: patch, 
          
            review

    
    

    
  
I'll call this a P1 because apparently moz.org had some problems without this.

It's not a 2.14 blocker but Dave says if the patch is ready it will go in.
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.16

    
    

    
  
From MattyT via email:

Desirable fixes in the area:

<ssdbot> MattyT: Bug http://bugzilla.mozilla.org/show_bug.cgi?id=87770
tri, --, All, tara@tequilarista.org, NEW, createattachment should work
with no parameters.
<ssdbot> MattyT: Bug http://bugzilla.mozilla.org/show_bug.cgi?id=87420
tri, --, All, tara@tequilarista.org, NEW, Pressing back on "create
attachment".

Apparent duplicate:

<ssdbot> MattyT: Bug http://bugzilla.mozilla.org/show_bug.cgi?id=59390
nor, P3, All, tara@tequilarista.org, NEW, Abort large (>1MB) attachments
before uploading and with a r

This bug has a comment suggesting size detection before upload is
possible.




    
    

    
  
*** Bug 96190 has been marked as a duplicate of this bug. ***

    
  
Component: Bugzilla → Creating/Changing Bugs
Product: Webtools → Bugzilla
Version: Bugzilla 2.13 → 2.10

    
    

    
  
correcting version field lost in product move
Version: 2.10 → 2.13

    
    

    
  
The only reason to have two params is if either:
a) you'd want the max patch size to be smaller than the max attachment size (Why
on earth?) or,
b) you'd want the max attachment size to be smaller than the max patch size.
Would you ever have an installation where the max. attachment size was so small
that patches exceeded it? I've never seen a patch bigger than 500k. And they can
always be split in two.

I'd say one param is fine.

I think this patch has rotted because of templatisation. Myk - any interest in
reviving it?

Gerv



    
    

    
  
>I've never seen a patch bigger than 500k.

I have.  Hyatt posted a 900k patch once, and others have also been posted.  The
reason for two settings is, as you mentioned, to allow for bigger patches.  The
fix for this went in as part of bug 98602, so resolving fixed.  File bug called
"remove maxpatchsize parameter" if you think this is wrong.


Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Depends on: 98602
Resolution: --- → FIXED

    
  
Component: Creating/Changing Bugs → attachment and request management

    
    

    
  
*** Bug 185828 has been marked as a duplicate of this bug. ***

    
    

    
  
I'm seeing this on a 2.17.6-based installation:

[Mon Dec 29 10:01:36 2003] [error] [client 192.168.10.200] malformed header from
script. Bad header=<F1><E2><EF><F1><E2><EF><F1><E2><EF><F1><E2><EF><F1><E2><EF><F1>
<E2><EF><F1><E2><EF><F1><E2><EF><F1><E2><EF><F1><E2><EF>:
/var/www/bugzilla-tip/attachment.cgi
[Mon Dec 29 10:01:36 2003] attachment.cgi: DBD::mysql::st execute failed: MySQL
server has gone away [for Statement "INSERT INTO attachments (bug_id,
creation_ts, filename, description, mimetype, ispatch, isprivate, submitter_id,
thedata) 
[Mon Dec 29 10:01:36 2003] attachment.cgi:            VALUES (585, now(), 'Gia
0730 DOS.doc', 'Orienta<E7><F5>es para altera<E7><E3>o do Lay Out Gia 0730',
'application/msword', 0, 0, 4,
'<D0><CF>^Q<E0><A1><B1>\Z<E1>\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>

I had maxattachsize set to 50MB, but I hadn't changed the max_packet_size
variable in my.cnf. Is this something I "should have known"? Shouldn't this be
mentioned next to the maxattachsize description in the params page at least?
QA Contact: matty_is_a_geek → default-qa

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: