Forum OpenACS Q&A: Limiting Filesize via html form file upload

Hi there,

I am building my site which permits users to upload smaller files and have a question about file upload via html form.

Is there a way to limit a file size before the client actually finishes the upload? I would like to be able to handle the case when users accidentally (or intentionally) choose a file which is too big to upload.

Let's say I want to limit the size to 2M. I believe I don't have to wait until the 20M+ client upload (prohibited) finishes in order to check the file size, right?

Thank you in advance.

Sincerely,

Posted by Jerry Asher on
It looks as though you can modify tcl/form.tcl/ns_getform to achieve what you are looking for.  Look for where they call ns_conncptofp, and just before that see if you can check the conn's contentlength [ns_conn contentlength].
Posted by David Kuczek on
I would also be interested in such a solution.

But what exactly do you mean by ns_conncptofp? There is no such call in OpenACS...

Posted by Jerry Asher on
It's the procedure within AOLserver that AOLserver uses, when uploading a file, to copy the data from the connection into a file.

I don't know what a browser will do when you abort that upload, but I am pretty sure that's where you want to start.

Posted by Kenny Chan on
Hey,

Thank you for your hints, Jerry.

Now I gotta answer my own question. It's a less-than-decent solution.

The saver is [ns_conn contentlength], which checks the HTTP header of the HTTP request. Code fragments for the form action:

     

    ################### begin of code
    # check security here if needed
    set content_length [ns_conn contentlength]
    if {$content_length > 1457664} {
        # upload is more than 1M, reject
        ns_returnredirect "error_page"
        return
    }

    # now that we checked the request is permitted,
    # actually parse the data
    set_the_usual_form_variables

    # do some insert / logic / file handling, blah...
    ###############end of code

The key is to do the ns_conn before [set_the_usual_form_variables] because [set_the_usual...] calls ns_getform to actually parse the data. I call this a less-than-decent solution because this checks the content-length of the whole client request but not the upload file alone. The size of the whole client request consists of other form data and some other stuff.

For me I am just giving a few hundred kilobytes on top of the upload file size limit to handle the extras.

For a decent solution (check the file size alone) one would want to edit form.tcl/ns_getform in the AOLserver modules.

Thanks again.

Sincerely,

Posted by Kenny Chan on
Just another thought... an even more decent solution would actually be checking the HTTP header size and parsing only that size and then dropping the connection.

This would be DoS proof, agree?

But it would need heavy hacking into the code of ns_getform, I assume, any comments?

Thanks,

Posted by Jerry Asher on
I don't think you need to worry about your second DoS suggestion. AOLserver has pretty reasonable limits (configurable of course) for the maxline (8K bytes), maxheader (16K bytes), and maxpost (64K bytes for all except POSTed multipart/form-data (file uploads that is)).

Examining the code, while it doesn't appear that AOLserver will drop the connection, after the first maxheader bytes, it won't read any more from the connection unless it's a POST.  If it's a POST, it is required to have a contentlength (for HTTP/1.0 servers).  If it's not multipart/form-data, the post must be under maxpost bytes.  If it is a file upload, then your check will nuke it if it's over 2M.  I think.

Posted by MK Tam on
How to increase the max file size to be uploaded? I found that the connection will be dropped over 1M in 3.3 + ad13.

Thanks.

Posted by MK Tam on
More information on my question:

I tried using Netscape to test my HTML form that uploads a file using the file storage package. But after a while an error message "connection reset by peer" pops up and the connection is dropped.

Because I use nsunix/nsvhr, I tried again by giving the port no (8000) and this time it works! Any suggestion on this strange behaviour?

Thanks.

Posted by Kenny Chan on
Hi MK,

I would suggest you ask Jerry directly, cuz he is the one who's offering the nsunix / nsvhr virtual hosting package.

Please post results back here in this thread if you got any solution so that others could benefit from it.

Thanks,

Posted by aju mathew on
How do I limit the file size via HTML form file upload? Give some examples also.
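
The check discussed in this thread (reject on the declared Content-Length before the body is parsed, with an allowance for the other form data), as an added example in Python that is not part of any post and is not AOLserver or OpenACS code. It goes beyond the thread by also capping the bytes read at the declared length; `read_upload_body`, `UploadRejected`, `demo` and the 256 KB allowance are assumptions, and the sample request is constructed.

```python
import io


class UploadRejected(Exception):
    """Carries the HTTP status to send instead of parsing the body."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def read_upload_body(headers, body, max_file_bytes,
                     overhead_bytes=256 * 1024, chunk=64 * 1024):
    """Return the request body, or raise UploadRejected before/while reading.

    headers: dict keyed by lower-cased header name; body: binary stream.
    """
    raw = headers.get("content-length")
    # The header is client-supplied text: accept plain ASCII digits only.
    if raw is None or not (raw.isascii() and raw.isdigit()):
        raise UploadRejected(411, "Content-Length required")
    declared = int(raw)
    # Content-Length covers the whole multipart request (other fields,
    # boundaries), so the cap is the file limit plus a fixed allowance.
    if declared > max_file_bytes + overhead_bytes:
        raise UploadRejected(413, "declared %d bytes, over the limit" % declared)
    # Read no more than was declared, so a header that understates the
    # body cannot carry extra bytes past the check above.
    received = bytearray()
    while len(received) < declared:
        piece = body.read(min(chunk, declared - len(received)))
        if not piece:
            raise UploadRejected(400, "body shorter than Content-Length")
        received += piece
    return bytes(received)


def demo():
    # Constructed request: a 20 MB upload declared against a 2 MB file limit.
    body = io.BytesIO(b"x" * 1024)
    try:
        read_upload_body({"content-length": str(20 * 2**20)}, body, 2 * 2**20)
    except UploadRejected as exc:
        return exc.status, body.tell()  # rejected with nothing read
    return None


if __name__ == "__main__":
    print(demo())
```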