Forum OpenACS Q&A: AOLserver File Upload fills /tmp

Posted by Malte Sussdorff on
Hello,

AOLserver stores files that get uploaded to /tmp. Now I have two
questions:

Is there a way to set a maximum size AOLserver accepts for upload (so
people don't have a way to start a DoS attack {at least for
file-uploading} by uploading Gigs of Data in one file).

Furthermore, AOLserver has a habit of being dirty. If the connection
breaks, it leaves the unfinished upload file in the /tmp directory.

For the latter problem I thought about killing all files AOLserver
stored there that are older than 60 Minutes. This would effectively
solve the problem #1 as well, as our pipe is not large enough to fill
up Gigs of space within 1 hour. But is there a better, nicer, cleaner
solution?

And is there a command that would kill the connection if it has been
running for more than 60 Minutes (so AOLserver doesn't get confused if
I delete the file under its feet)?

Any help appreciated
Malte

Posted by Kenny Chan on
Hi Malte,

I asked a similar question a while back. Hope it could be of help.

Sincerely

Posted by Ash Argent-Katwala on
You could put a quota on the user that nsd is running as, at least on the temporary directory. That will then help you if you do anything to expand user-uploaded files. It is fairly easy to construct a Zip file that expands to something huge but lie in the manifest so anything like 'unzip -l' will lie. To defend against a malicious attack you ought not to believe the Content-Length header (as was suggested in the other thread). It won't hurt, I guess, but it won't stop someone who's rolling their own headers.
Posted by Malte Sussdorff on
Thanks for your answers. Your ns_conn contentlength patch would actually allow us to limit file size on a per group / user basis, allowing a nice quota system. Though malicious hacking of the header would ruin this, but that's a second issue.

Thanks again
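
The Content-Length caveat raised in this thread, as an added example that is not part of the original posts and is not AOLserver code: a Python illustration that enforces the cap on bytes actually received, uses the declared length only for early rejection, and removes the partial file when an upload is rejected or the connection breaks. The names `spool_upload` and `UploadRejected` are hypothetical, and the request body is assumed to be available as a readable stream.

```python
import io
import os
import tempfile


class UploadRejected(Exception):
    """Raised when an upload exceeds the cap or ends before the declared length."""


def spool_upload(stream, declared_length, max_bytes, tmp_dir=None, chunk=64 * 1024):
    """Copy a request body to a temp file, capping the bytes actually read.

    declared_length is the client's Content-Length (None if absent); it is only
    a hint for early rejection. Returns (path, received) so quota accounting
    can use the measured size. Any failure deletes the partial file.
    """
    if declared_length is not None and declared_length > max_bytes:
        raise UploadRejected("declared length exceeds cap")
    fd, path = tempfile.mkstemp(prefix="upload-", dir=tmp_dir)
    received = 0
    try:
        with os.fdopen(fd, "wb") as out:
            while True:
                # Ask for at most one byte past the cap: enough to detect an
                # oversized body without ever buffering or storing it.
                data = stream.read(min(chunk, max_bytes + 1 - received))
                if not data:
                    break
                received += len(data)
                if received > max_bytes:
                    raise UploadRejected("body exceeds cap despite header")
                out.write(data)
        if declared_length is not None and received < declared_length:
            raise UploadRejected("connection ended before full body arrived")
        return path, received
    except BaseException:
        os.unlink(path)  # never leave an unfinished upload in the spool dir
        raise


if __name__ == "__main__":
    spool = tempfile.mkdtemp()
    # Constructed input: the header claims 10 bytes, the body is 5000 bytes.
    try:
        spool_upload(io.BytesIO(b"A" * 5000), 10, 1000, tmp_dir=spool)
    except UploadRejected as err:
        print("rejected:", err, "| files left:", os.listdir(spool))
```
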