Programmable limits on upload size

Discussion in 'ASP .Net' started by Mike Kraley, Apr 29, 2008.

  1. Mike Kraley

    Mike Kraley Guest

    In my ASP.NET application, I'd like to set limits on the maximum size of an
    uploaded file. Normally I'd just set the maxRequestLength of the httpRuntime
    element in web.config. But in this case, I have a few different aspx pages
    and I want the limit set differently for each. Yes, I could put each in its
    own folder, each with its own web.config, but that is rather awkward for
    this application.

    Alternatively, I could leave the limit set in web.config to the largest
    limit, and then in the other pages, do my own checking, throwing an error if
    the ContentLength was too large.

    But if the goal here is preventing a DOS attack on my server by someone who
    is uploading lots of giant files, maybe this is too late. That is, by the
    time my code gets to run, maybe the content is already all uploaded and has
    consumed the server resources. I'd rather be able to stop things earlier in
    the process.

    Looking at some Reflector code, it appears that the method
    Request.GetEntireRawContent is actually doing the reading of the input
    stream, and this is called very early in page handling, by the first
    reference to the Form contents. But I'm not sure I'm reading this correctly.
    If I look at Request.InputStream at PageLoad time, it says that it is still
    at position 0. Does that mean that the content really hasn't been streamed
    in yet?

    Also I wonder what I can trust. The simple thing is just to check
    Request.ContentLength, but I assume that a bad guy can just fake that to be
    a small number. Is the InputStream length a real number that can be trusted?

    Any suggestions would be appreciated.

    --
    ....Mike
     
    Mike Kraley, Apr 29, 2008
    #1

  2. nick chan

    nick chan Guest

    I can't help you with streams, but please use captcha to avoid robot
    uploading

     
    nick chan, Apr 29, 2008
    #2

  3. Steven Cheng [MSFT]

    Hi Mike,

    As for ASP.NET file uploading, so far when we get the chance to inspect the
    Request's properties (such as content length or other headers), the post
    data (form entries or binary content if using a multi-part form) should have
    been transmitted to the server side. And it's too late to prevent uploading
    large size data. The ASP.NET maxRequestLength should be checking the upload
    stream size a bit earlier, but still can only detect the problem after the
    certain size of data (of the maxRequestLength) has been uploaded to the
    server. So far I'm afraid there isn't any good approach for a web page based
    upload program since we haven't much control at the client side (such as
    checking the file size before posting/uploading). If some rich client based
    component is allowed for your scenario, you may consider using some ActiveX
    or IE hosted .NET control to perform file upload since that can check file
    size in advance.

    BTW, for setting <httpRuntime ....> for different pages, you can also use
    the <location> element in web.config instead of putting different pages
    into different sub folders:

    #location Element (ASP.NET Settings Schema)
    http://msdn2.microsoft.com/en-us/library/b6x6shw7.aspx

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


     
    Steven Cheng [MSFT], Apr 29, 2008
    #3
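
The `<location>` approach mentioned in post #3, written out as a web.config sketch. This is an added example, not configuration posted by anyone in the thread; the page names `UploadAvatar.aspx` and `UploadVideo.aspx` and the limit values are hypothetical. It keeps the application-wide default at the tightest value, so any page without its own `<location>` entry gets the small limit.

```xml
<?xml version="1.0"?>
<configuration>

  <!-- Application-wide default. maxRequestLength is expressed in kilobytes.
       Keep this at the smallest value any page needs, so a page that is
       not listed below still falls under the tight limit. -->
  <system.web>
    <httpRuntime maxRequestLength="512" />
  </system.web>

  <!-- Hypothetical page accepting small images: 1 MB (1024 KB). -->
  <location path="UploadAvatar.aspx">
    <system.web>
      <httpRuntime maxRequestLength="1024" />
    </system.web>
  </location>

  <!-- Hypothetical page accepting large files: 20 MB (20480 KB).
       Only this path gets the large allowance. -->
  <location path="UploadVideo.aspx">
    <system.web>
      <httpRuntime maxRequestLength="20480" />
    </system.web>
  </location>

</configuration>
```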