Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > Programmable limits on upload size

Reply
Thread Tools

Programmable limits on upload size

 
 
Mike Kraley
Guest
Posts: n/a
 
      04-29-2008
In my ASP.NET application, I'd like to set limits on the maximum size of an
uploaded file. Normally I'd just

set the maxRequestLength of the httpRuntime element in web.config. But in
this case, I have a few different

aspx pages and I want the limit set differently for each. Yes, I could put
each in its own folder, each with

its own web.config, but that is rather awkward for this application.

Alternatively, I could leave the limit set in web.config to the largest
limit, and then in the other pages,

do my own checking, throwing an error if the ContentLength was too large.

But if the goal here is preventing a DOS attack on my server by someone who
is uploading lots of giant files,

maybe this is too late. That is, by the time my code gets to run, maybe the
content is already all uploaded

and has consumed the server resources. I'd rather be able to stop things
earlier in the process.

Looking at some Reflector code, it appears that the method
Request.GetEntireRawContent is actually doing the

reading of the input stream, and this is called very early in page handling,
by the first reference to the

Form contents. But I'm not sure I'm reading this correctly. If I look at
Request.InputStream at PageLoad

time, it says that it is still at position 0. Does that mean that the
content really hasn't been streamed in

yet?

Also I wonder what I can trust. The simple thing is just to check
Request.ContentLength, but I assume that a

bad guy can just fake that to be a small number. Is the InputStream length a
real number that can be trusted?

Any suggestions would be appreciated.

--
....Mike
 
Reply With Quote
 
 
 
 
nick chan
Guest
Posts: n/a
 
      04-29-2008
i can't help u with streams, but please use capctha to avoid robot
uploading

On 29 Apr, 09:27, Mike Kraley <(E-Mail Removed)> wrote:
> In my ASP.NET application, I'd like to set limits on the maximum size of an
> uploaded file. Normally I'd just
>
> set the maxRequestLength of the httpRuntime element in web.config. But in
> this case, I have a few different
>
> aspx pages and I want the limit set differently for each. Yes, I could put
> each in its own folder, each with
>
> its own web.config, but that is rather awkward for this application.
>
> Alternatively, I could leave the limit set in web.config to the largest
> limit, and then in the other pages,
>
> do my own checking, throwing an error if the ContentLength was too large.
>
> But if the goal here is preventing a DOS attack on my server by someone who
> is uploading lots of giant files,
>
> maybe this is too late. That is, by the time my code gets to run, maybe the
> content is already all uploaded
>
> and has consumed the server resources. I'd rather be able to stop things
> earlier in the process.
>
> Looking at some Reflector code, it appears that the method
> Request.GetEntireRawContent is actually doing the
>
> reading of the input stream, and this is called very early in page handling,
> by the first reference to the
>
> Form contents. But I'm not sure I'm reading this correctly. If I look at
> Request.InputStream at PageLoad
>
> time, it says that it is still at position 0. Does that mean that the
> content really hasn't been streamed in
>
> yet?
>
> Also I wonder what I can trust. The simple thing is just to check
> Request.ContentLength, but I assume that a
>
> bad guy can just fake that to be a small number. Is the InputStream length a
> real number that can be trusted?
>
> Any suggestions would be appreciated.
>
> --
> ...Mike


 
Reply With Quote
 
 
 
 
Steven Cheng [MSFT]
Guest
Posts: n/a
 
      04-29-2008
Hi Mike,

As for ASP.NET file uploading, so far when we get the chance to inspect the
Request's properties(such as content length or othe headers), the post
data(form entries or binary content if use mult-part form) should have been
transmit to server-side. And the ASP.NET maxRequestLength and it's too late
to prevent uploading large size data. The ASP.NET maxRequestLength should
be checking the upload stream size a bit ealier, but still can only detect
the problem after the certain size of data(of the maxRequestLength) has
been uploaded to server. So far I'm afraid there hasn't any good approach
for web page based upload program since we haven't much control at the
client-side(such as checking the file size before posting/uploading). If
some rich client based component is allowed for your scenario, you may
consider using some ActiveX or IE hosted .NET control to perform file
upload since that can check file size in advance.

BTW, for setting <httpRuntime ....> for different pages, you can also use
the <location> element in web.config instead of putting different pages
into different sub folders:

#location Element (ASP.NET Settings Schema)
http://msdn2.microsoft.com/en-us/library/b6x6shw7.aspx

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
http://www.velocityreviews.com/forums/(E-Mail Removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
>From: =?Utf-8?B?TWlrZSBLcmFsZXk=?= <(E-Mail Removed)>
>Subject: Programmable limits on upload size
>Date: Mon, 28 Apr 2008 18:27:20 -0700


>
>In my ASP.NET application, I'd like to set limits on the maximum size of

an
>uploaded file. Normally I'd just
>
>set the maxRequestLength of the httpRuntime element in web.config. But in
>this case, I have a few different
>
>aspx pages and I want the limit set differently for each. Yes, I could put
>each in its own folder, each with
>
>its own web.config, but that is rather awkward for this application.
>
>Alternatively, I could leave the limit set in web.config to the largest
>limit, and then in the other pages,
>
>do my own checking, throwing an error if the ContentLength was too large.
>
>But if the goal here is preventing a DOS attack on my server by someone

who
>is uploading lots of giant files,
>
>maybe this is too late. That is, by the time my code gets to run, maybe

the
>content is already all uploaded
>
>and has consumed the server resources. I'd rather be able to stop things
>earlier in the process.
>
>Looking at some Reflector code, it appears that the method
>Request.GetEntireRawContent is actually doing the
>
>reading of the input stream, and this is called very early in page

handling,
>by the first reference to the
>
>Form contents. But I'm not sure I'm reading this correctly. If I look at
>Request.InputStream at PageLoad
>
>time, it says that it is still at position 0. Does that mean that the
>content really hasn't been streamed in
>
>yet?
>
>Also I wonder what I can trust. The simple thing is just to check
>Request.ContentLength, but I assume that a
>
>bad guy can just fake that to be a small number. Is the InputStream length

a
>real number that can be trusted?
>
>Any suggestions would be appreciated.
>
>--
>...Mike
>


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Re: Will CSS ever be programmable? Spartanicus HTML 1 07-14-2006 10:00 PM
can a hardware programmable card do this? Mark C++ 2 04-04-2005 05:30 PM
CFP: 7th Mil/Aerospace Applications of Programmable Logic Devices International Conference (MAPLD) Richard B. Katz VHDL 0 12-04-2003 06:08 AM
programmable FIR and simulation PawelT VHDL 4 12-01-2003 02:56 PM
Programmable Logic Circuits and C Pat Cavanagh C Programming 2 10-03-2003 01:09 AM



Advertisments