[mod_python] in modpython ,how to restrict the upload file size?

Martijn Moeling martijn at xs4us.nu
Thu Feb 1 13:35:30 EST 2007


Please do a reply to all, so the others on the list can follow the
topic..

Eh you are right, the name is PIL not PIP

I have been messing with file (picture) uploads for a long time, first I
messed with xmlhttprequest, but browser security issues killed that
solution. Now I do a normal form within an Iframe submission.

Access to the upload is only possible when a Session exists in my case,
allowing authenticated users to really upload a file. So DOS attacks are
restricted to a limited group of users (Politicians, so they think a DOS
attack is something which has to do with MS-DOS)

Nevertheless, it is something to address.

I like to integrate an upload progress bar too.

I think we need to write an input filter which looks for 'POST' requests
and checks the Content-Length from headers_in; on the other hand I found
this:

8<-----------------------------
I can understand you wanting to reject a request based on input
content length being larger than a certain amount, but not what
would be gained from modifying the content length.

As long as you aren't using mod_python.publisher, you could insert
into your handler before you use the FieldStorage class a check of
the req.headers_in["content-length"] field to see if the combined total
of all form parameters in the POST containing the upload was
greater than some amount and reject it on that basis. Not sure if
the req.clength is the same thing as the "content-length" header or
not.

Without duplicating what FieldStorage does, can't see how you would
be able to reject it based on just the file upload part of a multipart
POST request being larger than a certain size.

Graham
8<-----------------------------

    from mod_python import apache, util

    def handler(req):
        Mb = 1024*1024   # 1 MiB (the posted value 1025*1024 is not 1 MB)
        if req.headers_in.has_key('content-length'):
            if int(req.headers_in["content-length"]) > Mb and req.method == 'POST':
                req.write('Error: file size exceeded 1MB')
                req.log_error('file size too big: ' + str(req.headers_in['content-length']))
                # Parse the body anyway so the upload finishes and the
                # browser actually receives the error message
                form = util.FieldStorage(req, keep_blank_values=True)
                return apache.OK
        # normal upload handling continues here

This works, but the apache.OK terminates the upload with an error
message. Calling form=FieldStorage makes the upload finish and properly
sends the error message to the browser.

I have just tested this and it works

Martijn


-----Original Message-----
From: clodoaldo.pinto at gmail.com [mailto:clodoaldo.pinto at gmail.com] On behalf of
Clodoaldo
Sent: Wednesday, January 31, 2007 19:44
To: Martijn Moeling
Subject: Re: [mod_python] in modpython ,how to restrict the upload
file size?

2007/1/31, Martijn Moeling <martijn at xs4us.nu>:
> The PythonFixupHandler might be interesting to look at
> Or the filters, there should be something possible there too.
> Write a handler for a filter and enable it like you do with DEFLATE,
> maybe an input filter, look at the content size, and return with what
> you want, by setting headers and use req.write to return the page like
> you are not publisher.

I will have to do something like that if it turns out that a simpler
solution does not exist. :(

> Interestingly you do not tell how you handle the upload, that would be
> important to give you a more precise figure.

The upload script is 120 lines long so I would have to produce a
simpler one without the details not related to this issue just to not
submit the list readers to the tedious work of trying to understand
it.

> I am working on the same issue right now, and I have found a different
> (and more user-friendly) approach for uploading pictures.
>
> I take many kinds of pictures, (bmp,gif,jpeg,png and more)
> I accept any size
> Next I convert the picture to a JPEG image of a given size (width or
> height and maintain the aspect ratio)
> And store it in a MySQL database.
>
> In that way I have the pictures taken with multi zillion pixel stored
> with an acceptable and predictable size (for ease of building
pages....)
> and they are mostly less than 100k

I'm doing the same thing except I use PIL and postgres. But if I let
the user free to upload files of any size and only then resize the
picture I'm left with the door open to DoS and disk full crashes as
the site will be on the Internet. Don't you have any protection
against such problems? Are you developing to an Intranet? I have done
it with ASP to an intranet where I took no precautions.

Otherwise the upload is working great including some AJAX like effects.

> If you are interested I will work out the steps to take (really easy with
PIP
> Image object though), give me a signal and I will make up something you can
> use as an example

Regards,
-- 
Clodoaldo Pinto Neto
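The following is an added example, not code from the thread or from mod_python. It models Martijn's check (reject a POST whose Content-Length exceeds the limit) as plain Python so it runs without Apache, and adds the part Graham's remark implies is missing: Content-Length covers the whole multipart body, a client may send a smaller value than it actually transmits, and a client using chunked transfer encoding sends no Content-Length at all, so the body must also be capped while it is being read. The function names, the constructed multipart body and the 1 MiB limit are assumptions for the illustration.

```python
"""Capping an HTTP upload by size before it is parsed (added example)."""
import io

MAX_BODY = 1024 * 1024  # 1 MiB, the limit used in the thread (assumed here)


class UploadTooLarge(Exception):
    """Raised when more than the permitted number of body bytes arrive."""


def declared_length(headers):
    """Return Content-Length as a non-negative int, or None if it is absent
    or unparseable. Header names are matched case-insensitively, as Apache's
    headers_in table does."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("content-length")
    if value is None:
        return None
    try:
        n = int(value)
    except ValueError:
        return None
    return n if n >= 0 else None


def should_reject(method, headers, limit=MAX_BODY):
    """Header-only check, the equivalent of the mailing-list snippet:
    reject a POST that declares more than `limit` bytes. A missing or
    malformed Content-Length is NOT a rejection; it must fall through to
    the streaming cap, otherwise a chunked request bypasses the limit."""
    if method.upper() != "POST":
        return False
    n = declared_length(headers)
    return n is not None and n > limit


def read_body_capped(stream, limit=MAX_BODY, chunk=8192):
    """Read the body in fixed-size chunks and abort as soon as more than
    `limit` bytes have arrived, so at most limit+chunk bytes are ever held
    in memory. This covers bodies without Content-Length and clients whose
    Content-Length understates what they send."""
    parts = []
    total = 0
    while True:
        data = stream.read(chunk)
        if not data:
            break
        total += len(data)
        if total > limit:
            raise UploadTooLarge("body exceeded %d bytes" % limit)
        parts.append(data)
    return b"".join(parts)


def accept_upload(method, headers, stream, limit=MAX_BODY):
    """Full decision: cheap header check first (no body read), then stream
    the body under the cap. Returns (accepted, body_bytes_or_None)."""
    if should_reject(method, headers, limit):
        return False, None
    try:
        return True, read_body_capped(stream, limit)
    except UploadTooLarge:
        return False, None


def body_stream(data):
    """Wrap constructed bytes as a file-like request body for the demo."""
    return io.BytesIO(data)


# Constructed sample: a small multipart/form-data body with a text field
# and a file part, the shape a browser form upload produces.
BOUNDARY = b"----constructedboundary"
SAMPLE_BODY = b"".join([
    b"--", BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="title"\r\n\r\nholiday\r\n',
    b"--", BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="picture"; filename="a.jpg"\r\n',
    b"Content-Type: image/jpeg\r\n\r\n", b"\xff\xd8" + b"\x00" * 200, b"\r\n",
    b"--", BOUNDARY, b"--\r\n",
])


if __name__ == "__main__":
    # Honest small upload: accepted.
    print(accept_upload("POST", {"Content-Length": str(len(SAMPLE_BODY))},
                        body_stream(SAMPLE_BODY)))
    # Header says 5 bytes, client actually sends 5000: caught by the cap.
    print(accept_upload("POST", {"Content-Length": "5"},
                        body_stream(b"x" * 5000), limit=100))
```

Note that the header check alone is what Apache's own LimitRequestBody directive also enforces at the server level, without any Python; the streaming cap is what you need once the body can arrive without a trustworthy Content-Length.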


