Programmable limits on upload size

M

Mike Kraley

In my ASP.NET application, I'd like to set limits on the maximum size of an
uploaded file. Normally I'd just

set the maxRequestLength of the httpRuntime element in web.config. But in
this case, I have a few different

aspx pages and I want the limit set differently for each. Yes, I could put
each in its own folder, each with

its own web.config, but that is rather awkward for this application.

Alternatively, I could leave the limit set in web.config to the largest
limit, and then in the other pages,

do my own checking, throwing an error if the ContentLength was too large.

But if the goal here is preventing a DOS attack on my server by someone who
is uploading lots of giant files,

maybe this is too late. That is, by the time my code gets to run, maybe the
content is already all uploaded

and has consumed the server resources. I'd rather be able to stop things
earlier in the process.

Looking at some Reflector code, it appears that the method
Request.GetEntireRawContent is actually doing the

reading of the input stream, and this is called very early in page handling,
by the first reference to the

Form contents. But I'm not sure I'm reading this correctly. If I look at
Request.InputStream at PageLoad

time, it says that it is still at position 0. Does that mean that the
content really hasn't been streamed in

yet?

Also I wonder what I can trust. The simple thing is just to check
Request.ContentLength, but I assume that a

bad guy can just fake that to be a small number. Is the InputStream length a
real number that can be trusted?

Any suggestions would be appreciated.
 
S

Steven Cheng [MSFT]

Hi Mike,

As for ASP.NET file uploading, so far when we get the chance to inspect the
Request's properties(such as content length or othe headers), the post
data(form entries or binary content if use mult-part form) should have been
transmit to server-side. And the ASP.NET maxRequestLength and it's too late
to prevent uploading large size data. The ASP.NET maxRequestLength should
be checking the upload stream size a bit ealier, but still can only detect
the problem after the certain size of data(of the maxRequestLength) has
been uploaded to server. So far I'm afraid there hasn't any good approach
for web page based upload program since we haven't much control at the
client-side(such as checking the file size before posting/uploading). If
some rich client based component is allowed for your scenario, you may
consider using some ActiveX or IE hosted .NET control to perform file
upload since that can check file size in advance.

BTW, for setting <httpRuntime ....> for different pages, you can also use
the <location> element in web.config instead of putting different pages
into different sub folders:

#location Element (ASP.NET Settings Schema)
http://msdn2.microsoft.com/en-us/library/b6x6shw7.aspx

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
From: =?Utf-8?B?TWlrZSBLcmFsZXk=?= <[email protected]>
Subject: Programmable limits on upload size
Date: Mon, 28 Apr 2008 18:27:20 -0700
In my ASP.NET application, I'd like to set limits on the maximum size of an
uploaded file. Normally I'd just

set the maxRequestLength of the httpRuntime element in web.config. But in
this case, I have a few different

aspx pages and I want the limit set differently for each. Yes, I could put
each in its own folder, each with

its own web.config, but that is rather awkward for this application.

Alternatively, I could leave the limit set in web.config to the largest
limit, and then in the other pages,

do my own checking, throwing an error if the ContentLength was too large.

But if the goal here is preventing a DOS attack on my server by someone who
is uploading lots of giant files,

maybe this is too late. That is, by the time my code gets to run, maybe the
content is already all uploaded

and has consumed the server resources. I'd rather be able to stop things
earlier in the process.

Looking at some Reflector code, it appears that the method
Request.GetEntireRawContent is actually doing the

reading of the input stream, and this is called very early in page handling,
by the first reference to the

Form contents. But I'm not sure I'm reading this correctly. If I look at
Request.InputStream at PageLoad

time, it says that it is still at position 0. Does that mean that the
content really hasn't been streamed in

yet?

Also I wonder what I can trust. The simple thing is just to check
Request.ContentLength, but I assume that a

bad guy can just fake that to be a small number. Is the InputStream length
a
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,482
Members
44,901
Latest member
Noble71S45

Latest Threads

Top