As stated in the corresponding PHP manual entry, PHP will clear out $_POST and $_FILES if an upload exceeds the post_max_size limit.
I have a form like the following, and I'm using the Security component:

    echo $this->Form->create(false, array('type' => 'file', 'action' => '...'));
    echo $this->Form->file('documentFile');
    echo $this->Form->end('Upload');

Now when I upload a large file exceeding said limit, I get "The request has been black-holed" due to CSRF validation failing - which is not surprising, since PHP clearing out $_POST also removes the CSRF protection token.
I can use Security->unlockedActions to work around this, but it doesn't seem ideal (and I'll lose CSRF protection). Is there any way to prevent the black-holing in this case?
Edit: I don't consider increasing post_max_size a solution - it just increases the file size required to trigger the black-holing, but doesn't solve the core problem.
Ok, just found the solution myself.
I added the following to my AppController::beforeFilter():
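
    // POST/PUT with both superglobals empty: PHP discarded the body
    // (and the CSRF token with it), so skip the token check for this request.
    if (
        ($this->request->isPost() || $this->request->isPut()) &&
        empty($_POST) && empty($_FILES)
    ) {
        $this->Security->csrfCheck = false;
    }
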
Maybe this is of use to someone else.
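
A narrower form of the check above, as an added example that is not part of the original post: it skips CSRF validation only when the declared Content-Length actually exceeds post_max_size, so a body-less POST that is within the limit still goes through the token check. The function names are hypothetical, the sample requests are constructed, and PHP 7+ is assumed.

```php
<?php
// Added example, not from the original post. Function names are hypothetical.

/** Convert a php.ini shorthand size ("8M", "512K", "1G", "1048576") to bytes. */
function iniSizeToBytes(string $value): int
{
    $value = trim($value);
    if ($value === '') {
        return 0;
    }
    $number = (int) $value;            // leading digits only: "8M" -> 8
    switch (strtoupper(substr($value, -1))) {
        case 'G': $number *= 1024;     // fall through
        case 'M': $number *= 1024;     // fall through
        case 'K': $number *= 1024;
    }
    return $number;
}

/**
 * True only when PHP dropped the body because it exceeded post_max_size:
 * a body-carrying method, empty $_POST and $_FILES, and a declared
 * Content-Length above the limit. A limit of 0 means "unlimited".
 * A missing Content-Length returns false, so the CSRF check stays on.
 */
function bodyDroppedByPostMaxSize(array $server, array $post, array $files, string $limit): bool
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? '');
    if (!in_array($method, ['POST', 'PUT'], true) || $post || $files) {
        return false;
    }
    $max = iniSizeToBytes($limit);
    $length = (int) ($server['CONTENT_LENGTH'] ?? 0);
    return $max > 0 && $length > $max;
}

// Constructed sample requests, evaluated against an 8M limit.
$oversized = ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => '20971520'];
$barePost  = ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => '0'];
var_dump(bodyDroppedByPostMaxSize($oversized, [], [], '8M')); // 20 MB upload over the limit
var_dump(bodyDroppedByPostMaxSize($barePost, [], [], '8M'));  // body-less POST: keep the CSRF check
```

In beforeFilter() the call would be bodyDroppedByPostMaxSize($_SERVER, $_POST, $_FILES, ini_get('post_max_size')), with csrfCheck set to false only when it returns true, ideally followed by an error message telling the user the file was too large.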