Ignore excessive number of empty file uploads

Author: clue

src/Io/MultipartParser.php

@@ -63,6 +63,7 @@ final class MultipartParser
 
     private $postCount = 0;
     private $filesCount = 0;
+    private $emptyCount = 0;
 
     /**
      * @param int|null $uploadMaxFilesize
@@ -97,6 +98,7 @@ public function parse(ServerRequestInterface $request)
         $this->request = null;
         $this->postCount = 0;
         $this->filesCount = 0;
+        $this->emptyCount = 0;
         $this->maxFileSize = null;
 
         return $request;
@@ -176,6 +178,11 @@ private function parseUploadedFile($filename, $contentType, $contents)
 
         // no file selected (zero size and empty filename)
         if ($size === 0 && $filename === '') {
+            // ignore excessive number of empty file uploads
+            if (++$this->emptyCount + $this->filesCount > $this->maxInputVars) {
+                return;
+            }
+
             return new UploadedFile(
                 Psr7\stream_for(''),
                 $size,

tests/Middleware/RequestBodyParserMiddlewareTest.php

@@ -316,4 +316,44 @@ function (ServerRequestInterface $request) {
         $this->assertTrue(isset($body['a']));
         $this->assertCount($allowed, $body['a']);
     }
+
+    public function testMultipartFormDataTruncatesExcessiveNumberOfEmptyFileUploads()
+    {
+        // ini setting exists in PHP 5.3.9, not in HHVM: https://3v4l.org/VF6oV
+        // otherwise default to 1000 as implemented within
+        $allowed = (int)ini_get('max_input_vars');
+        if ($allowed === 0) {
+            $allowed = 1000;
+        }
+
+        $middleware = new RequestBodyParserMiddleware();
+
+        $boundary = "---------------------------12758086162038677464950549563";
+
+        $data  = "";
+        for ($i = 0; $i < $allowed + 1; ++$i) {
+            $data .= "--$boundary\r\n";
+            $data .= "Content-Disposition: form-data; name=\"empty[]\"; filename=\"\"\r\n";
+            $data .= "\r\n";
+            $data .= "\r\n";
+        }
+        $data .= "--$boundary--\r\n";
+
+        $request = new ServerRequest('POST', 'http://example.com/', array(
+            'Content-Type' => 'multipart/form-data; boundary=' . $boundary,
+        ), $data, 1.1);
+
+        /** @var ServerRequestInterface $parsedRequest */
+        $parsedRequest = $middleware(
+            $request,
+            function (ServerRequestInterface $request) {
+                return $request;
+            }
+        );
+
+        $body = $parsedRequest->getUploadedFiles();
+        $this->assertCount(1, $body);
+        $this->assertTrue(isset($body['empty']));
+        $this->assertCount($allowed, $body['empty']);
+    }
 }