What is exactly the function of the 'max_file_uploads' limitation?
You can think of this as defense in depth, an additional layer of protection against generic threats around file uploads.
One that directly comes to mind is an attacker uploading many very small (or 0 byte) files. Those would normally get stored in the temp directory (/tmp
usually), and on many filesystems there is limit to the number of files in a directory, and a lot of files can also affect filesystem performance.
This is a risk you can decide to accept, or implement other mitigations so this php setting doesn't "get in the way". Quite honestly, in many applications this would likely never cause an issue, but you need to be aware and make an informed decision. In some higher security applications increasing or removing this limitation might not be acceptable.