Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Preventing upload of large files in ASP.NET 4.0

We'd like to restrict the maximum upload file size in our web site. We've already set the appropriate limits in our web.config. The problem we're encountering is if a really large file (1 GB, for example) is uploaded, the entire file is uploaded before a server-side error is generated, and the type of the error is different whether the file is huge or not.

Is there a way to detect the size of a pending file upload before the actual upload takes place?

Here's my relevant web.config settings that restrict requests to 16 MB:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <httpRuntime maxRequestLength="12288"/>
    </system.web>

    <system.webServer>
        <security>
            <requestFiltering>
                <requestLimits maxAllowedContentLength="12582912"/>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

I've tried creating an HTTP module so I could intercept a request early in the request lifecycle, but the uploads seem to take place even before the BeginRequest event of HttpApplication:

public class UploadModule : IHttpModule
{
    private const int MaxUploadSize = 12582912;

    public void Init(HttpApplication context)
    {
        context.BeginRequest += handleBeginRequest;
    }

    public void Dispose()
    {
    }

    private void handleBeginRequest(object sender, EventArgs e)
    {
        // The upload takes place before this method gets called.

        var app = sender as HttpApplication;

        if (app.Request.Files.OfType<HttpPostedFile>()
            .Any(f => f.ContentLength > MaxUploadSize))
        {
            app.Response.StatusCode = 413;
            app.Response.StatusDescription = "Request Entity Too Large";
            app.Response.End();
            app.CompleteRequest();
        }
    }
}

Update:

I know that client-side technologies like Flash can detect file sizes before upload, but we need a server-side workaround because we're wanting to target platforms that have no Flash/Java/ActiveX/Silverlight support. I believe that IIS or ASP.NET has a bug that's allowing large files to be uploaded despite the limits, so I've filed a bug here.

Would an ISAPI extension give me more control over request processing than HTTP modules and handlers, such as allowing me to abort an upload if the Content-Length header is seen to be larger than the allowed limit?

Update 2:

Sigh. Microsoft has closed the bug I filed as a duplicate but has provided no additional information. Hopefully they didn't just drop the ball on this.

Update 3:

Hooray! According to Microsoft:

This bug is being resolved as it has been ported over to the IIS product team. The IIS team has since fixed the bug, which will be included in future release of Windows.

like image 398
Jacob Avatar asked Oct 25 '10 19:10

Jacob


2 Answers

The problem is that the upload happens all at once using the HTTP Post request so you can only detect it after it's done.

If you want more control over this you should try Flash based upload widgets which have this and more. Check out this link http://www.ajaxline.com/10-most-interesting-upload-widgets

like image 188
Cyril Gupta Avatar answered Sep 17 '22 12:09

Cyril Gupta


Microsoft has responded on their Microsoft Connect site with the following:

This bug is being resolved as it has been ported over to the IIS product team. The IIS team has since fixed the bug, which will be included in future release of Windows.

If you are requesting a fix for the current OS, a QFE request must be opened. Please let me know if this is the route that you want to take. Please note that opening a QFE request does not necessarily mean that it would be approved.

So I guess we have to wait for the next version of IIS for the fix (unless a QFE request is fulfilled, whatever that is).

like image 41
Jacob Avatar answered Sep 21 '22 12:09

Jacob