[mod_python] in modpython ,how to restrict the upload file size?

Clodoaldo clodoaldo.pinto.neto at gmail.com
Thu Feb 1 14:40:29 EST 2007


2007/2/1, Martijn Moeling <martijn at xs4us.nu>:
>
> Please do a reply to all, so the others on the list can follow the
> topic..

I replied to you only because your reply was to me only so I thought
you didn't want to discuss your application details in the list.

> Eh you are right, the name is PIL not PIP
>
> I have been messing with file (picture) uploads for a long time, first I
> messed with xmlhttprequest, but browser security issues killed that
> solution. Now I do a normal form within an Iframe submission.

An iframe is also what I use.

> Access to the upload is only possible when a Session exists in my case,
> allowing authenticated users to really upload a file. So DOS attacks are
> restricted to a limited group of users (Politicians, so they think a DOS
> attack is something which has to do with MS-DOS)

Yes, I also only allow uploads to registered users, but that will
hardly prevent an attack since very few users uploading huge files are
enough to crash your server. If you use a captcha, which I don't, a
human (say a competitor) can still register some users and do it.

> Nevertheless, it is something to address.
>
> I like to integrate an upload progress bar too.
>
> I think we need to write an input filter which looks for 'POST' requests
> and checks the Content-length from headers_in, on the other hand I found
> this:
>
> 8<-----------------------------
> I can understand you wanting to reject a request based on input
> content length being larger than a certain amount, but not what
> would be gained from modifying the content length.
>
> As long as you aren't using mod_python.publisher,

This excludes me. I'm using the publisher. Aren't you?

> you could insert
> into your handler before you use the FieldStorage class a check of
> the req.headers_in["content-length"] field to see if the combined total
> of all form parameters in the POST containing the upload was
> greater than some amount and reject it on that basis. Not sure if
> the req.clength is the same thing as the "content-length" header or
> not.
>
> Without duplicating what FieldStorage does, can't see how you would
> be able to reject it based on just the file upload part of a multipart
> POST request being larger than a certain size.
>
> Graham
> 8<-----------------------------
>
>     Mb=1024*1024  # 1 MB limit
>     if req.headers_in.has_key('content-length'):
>         if int(req.headers_in["content-length"])>Mb and req.method=='POST':
>             req.write('Error Filesize exeeded 1MB')
>             req.log_error('filesize to big: '+str(req.headers_in['content-length']))
>             # reading the form lets the upload finish so the browser gets the message
>             form=util.FieldStorage(req,keep_blank_values=True)
>             return apache.OK
>
> This works, but the apache.OK terminates the upload with an error
> message. Calling the form=FieldStorage makes the upload finish and
> properly sends the error message to the browser.
>
> I have just tested this and it works
>
> Martijn
>
>
> -----Original message-----
> From: clodoaldo.pinto at gmail.com [mailto:clodoaldo.pinto at gmail.com] On behalf of
> Clodoaldo
> Sent: Wednesday, January 31, 2007 19:44
> To: Martijn Moeling
> Subject: Re: [mod_python] in modpython ,how to restrict the upload
> file size?
>
> 2007/1/31, Martijn Moeling <martijn at xs4us.nu>:
> > The PythonFixupHandler might be interesting to look at
> > Or the filters, there should be something possible there too.
> > Write a handler for a filter and enable it like you do with DEFLATE,
> > maybe an input filter, look at the content size, and return with what
> > you want, by setting headers and use req.write to return the page like
> > you are not publisher.
>
> I will have to do something like that if it turns out that a simpler
> solution does not exist. :(
>
> > Interestingly you do not tell how you handle the upload, that would be
> > Important to give you a more precise figure.
>
> The upload script is 120 lines long so I would have to produce a
> simpler one without the details not related to this issue just to not
> submit the list readers to the tedious work of trying to understand
> it.
>
> > I am working on the same Issue right now, and I have found a different
> > (and more user friendly) approach for uploading pictures.
> >
> > I take many kinds of pictures, (bmp,gif,jpeg,png and more)
> > I accept any size
> > Next I convert the picture to a JPEG image of a given size (width or
> > height and maintain the aspect ratio)
> > And store it in a MySQL database.
> >
> > In that way I have the pictures taken with multi zillion pixel stored
> > with an acceptable and predictable size (for ease of building
> > pages....)
> > and they are mostly less than 100k
>
> I'm doing the same thing except I use PIL and postgres. But if I let
> the user free to upload files of any size and only then resize the
> picture I'm left with the door open to DoS and disk full crashes as
> the site will be on the Internet. Don't you have any protection
> against such problems? Are you developing to an Intranet? I have done
> it with ASP to an intranet where I took no precautions.
>
> Otherwise the upload is working great including some AJAX like effects.
>
> > If you are interested I will work out the steps to take (really easy with
> > PIP Image object though), give me a signal and I will make up something
> > you can use as an example
>
> Regards,
> --
> Clodoaldo Pinto Neto
>

Regards,
-- 
Clodoaldo Pinto Neto
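
Added example, not part of the original thread: a framework-independent sketch of the size check discussed above, covering both the declared Content-Length (checked before any form parsing) and the bytes actually read, since the header can be missing or wrong. It does not use the mod_python API; the names precheck, read_capped, BodyTooLarge and MAX_BODY are hypothetical, and rejecting requests with no Content-Length is a policy choice assumed here.

```python
import io
import re

MAX_BODY = 1024 * 1024  # 1 MB cap, the limit used in the thread


class BodyTooLarge(Exception):
    """Raised when the body read so far exceeds the cap."""


def precheck(method, headers, max_bytes=MAX_BODY):
    """Decide from the request headers alone, before any body parsing.

    Returns an HTTP status code to reject with, or None to continue.
    """
    if method != "POST":
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("content-length")
    if raw is None:
        return 411  # Length Required (assumed policy: no declared size, no upload)
    if not re.fullmatch(r"[0-9]+", raw.strip()):
        return 400  # malformed or negative length
    if int(raw) > max_bytes:
        return 413  # Request Entity Too Large
    return None


def read_capped(stream, max_bytes=MAX_BODY, chunk=64 * 1024):
    """Read the body in chunks, never buffering more than max_bytes + 1.

    This is the second line of defence when the declared length
    does not match what the client actually sends.
    """
    buf = bytearray()
    while True:
        piece = stream.read(min(chunk, max_bytes + 1 - len(buf)))
        if not piece:
            return bytes(buf)
        buf += piece
        if len(buf) > max_bytes:
            raise BodyTooLarge(len(buf))


if __name__ == "__main__":
    # Constructed sample request: declares 2 MB, so it is refused up front.
    print(precheck("POST", {"Content-Length": str(2 * MAX_BODY)}))
    # Constructed sample body: 10 bytes against an 8-byte cap.
    try:
        read_capped(io.BytesIO(b"x" * 10), max_bytes=8)
    except BodyTooLarge as exc:
        print("rejected after", exc.args[0], "bytes")
```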

