Comment 1 for bug 412487

To properly guard against bad users uploading gigabytes of junk, there is a setting upload_max_filesize. Unfortunately this cannot be set by the website (ini_set), only in php.ini or httpd.conf or .htaccess. I added .htaccess with the setting, but of course this will only work in apache servers. Adding it to php.ini is not really feasible anyway, because that would become a site-wide setting. (Or not?)

Anyway, this will be less of an issue once proper authentication is in place. Then we can simply deny access to misbehaving users.