Forum OpenACS Q&A: Response to Limiting Filesize via html form file upload

Collapse
Posted by Jerry Asher on
I don't think you need to worry about your second DoS suggestion.  AOLserver has pretty reasonable limits (configurable of course) for the maxline (8K bytes), maxheader (16Kbytes), and maxpost (64Kbytes for all except POSTed multipart/formdata (file uploads that is)).

Examining the code, while it doesn't appear that AOLserver will drop the connection, after the first maxheader bytes, it won't read any more from the connection unless it's a POST.  If it's a POST, it is required to have a contentlength (for HTTP/1.0 servers).  If it's not multipart/form-data, the post must be under maxpost bytes.  If it is a file upload, then your check will nuke it if it's over 2M.  I think.