Programmable limits on upload size

Discussion in 'ASP .Net' started by Mike Kraley, Apr 29, 2008.

  1. Mike Kraley

    Mike Kraley Guest

    In my ASP.NET application, I'd like to set limits on the maximum size of an
    uploaded file. Normally I'd just

    set the maxRequestLength of the httpRuntime element in web.config. But in
    this case, I have a few different

    aspx pages and I want the limit set differently for each. Yes, I could put
    each in its own folder, each with

    its own web.config, but that is rather awkward for this application.

    Alternatively, I could leave the limit set in web.config to the largest
    limit, and then in the other pages,

    do my own checking, throwing an error if the ContentLength was too large.

    But if the goal here is preventing a DOS attack on my server by someone who
    is uploading lots of giant files,

    maybe this is too late. That is, by the time my code gets to run, maybe the
    content is already all uploaded

    and has consumed the server resources. I'd rather be able to stop things
    earlier in the process.

    Looking at some Reflector code, it appears that the method
    Request.GetEntireRawContent is actually doing the

    reading of the input stream, and this is called very early in page handling,
    by the first reference to the

    Form contents. But I'm not sure I'm reading this correctly. If I look at
    Request.InputStream at PageLoad

    time, it says that it is still at position 0. Does that mean that the
    content really hasn't been streamed in


    Also I wonder what I can trust. The simple thing is just to check
    Request.ContentLength, but I assume that a

    bad guy can just fake that to be a small number. Is the InputStream length a
    real number that can be trusted?

    Any suggestions would be appreciated.
    Mike Kraley, Apr 29, 2008
    1. Advertisements

  2. Mike Kraley

    nick chan Guest

    i can't help u with streams, but please use capctha to avoid robot
    nick chan, Apr 29, 2008
    1. Advertisements

  3. Hi Mike,

    As for ASP.NET file uploading, so far when we get the chance to inspect the
    Request's properties(such as content length or othe headers), the post
    data(form entries or binary content if use mult-part form) should have been
    transmit to server-side. And the ASP.NET maxRequestLength and it's too late
    to prevent uploading large size data. The ASP.NET maxRequestLength should
    be checking the upload stream size a bit ealier, but still can only detect
    the problem after the certain size of data(of the maxRequestLength) has
    been uploaded to server. So far I'm afraid there hasn't any good approach
    for web page based upload program since we haven't much control at the
    client-side(such as checking the file size before posting/uploading). If
    some rich client based component is allowed for your scenario, you may
    consider using some ActiveX or IE hosted .NET control to perform file
    upload since that can check file size in advance.

    BTW, for setting <httpRuntime ....> for different pages, you can also use
    the <location> element in web.config instead of putting different pages
    into different sub folders:

    #location Element (ASP.NET Settings Schema)


    Steven Cheng

    Microsoft MSDN Online Support Lead

    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:

    Get notification to my posts through email? Please refer to

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Steven Cheng [MSFT], Apr 29, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.