[mod_python] in modpython ,how to restrict the upload file size?

Graham Dumpleton grahamd at dscpl.com.au
Fri Feb 2 15:57:23 EST 2007

On 03/02/2007, at 1:29 AM, Clodoaldo wrote:

> 2007/2/1, Martijn Moeling <martijn at xs4us.nu>:
>> I think we need to write an imput filter which looks for 'POST'  
>> requests
>> and checks the Content-length from headers_in, at the other hand I  
>> found
>> this:
>> 8<-----------------------------
>> I can understand you wanting to reject a request based on input
>> content length being larger than a certain amount, but not what
>> would be gained from modifying the content length.
>> As long as you aren't using mod_python.publisher, you could insert
>> into your handler before you use the FieldStorage class a check of
>> the req.headers_in["content-length"] field to see if the combined  
>> total
>> of all form parameters in the POST containing the upload was
>> greater than some amount and reject it on that basis. Not sure if
>> the req.clength is the same thing as the "content-length" header or
>> not.
>> Without duplicating what FieldStorage does, can't see how you would
>> be able to reject it based on just the file upload part of a  
>> multipart
>> POST request being larger than a certain size.
>> Graham
>> 8<-----------------------------
>>     Mb=1025*1024
>>     if req.headers_in.has_key('content-length'):
>>         if int(req.headers_in["content-length"])>Mb and
>> req.method=='POST':
>>             req.write('Error Filesize exeeded 1MB')
>>             req.log_error('filesize to big:
>> '+str(req.headers_in['content-length']))
>>                 form=util.FieldStorage(req,keep_blank_values=True)
>>             return apache.OK
>> This works, but the apache.OK terminates the upload with an error
>> message, Calling the form=Fieldstorage, make the upload finish and
>> properly send the error message to the browser.
>> I have just tested this and it works
> I tried this in my publisher module upload_fotos.py uploading a  
> 100MB file:
>   if req.headers_in.has_key('content-length'):
>      if int(req.headers_in['content-length'])> 2097152:
>         s = """<html><body>Tamanho maior que 2 MegaBytes</body></ 
> html>"""
>         return s
> It works, but only after the whole file has been uploaded so it is not
> a solution.
> I also tried an input filter:
>    <Directory /var/www/html/carroarodo.com>
>       SetHandler mod_python
>       PythonHandler ~/_publisher.py
>       PythonOption mod_python.importer.path "['~/mod']"
>       PythonInputFilter upload_size UPLOADSIZE
>    </Directory>
> $ cat _publisher.py
> from mod_python import publisher
> def handler(req):
>   req.add_output_filter('DEFLATE')
>   req.add_input_filter('UPLOADSIZE')
>   return publisher.handler(req)
> $ cat upload_size.py
> from mod_python import apache
> def inputfilter(filter):
>   filter.req.size_excess = False
>   if filter.req.headers_in.has_key('content-length'):
>      if int(filter.req.headers_in['content-length'])> 5000: #2097152:
>         filter.req.size_excess = True
>   filter.req.log_error('size_excess: %s' % filter.req.size_excess)
>   filter.pass_on()
> And in my publisher module:
>   if req.method == 'POST':
>      if req.size_excess:
>         s = """<html><body>Tamanho maior que 2 MegaBytes</body></ 
> html>"""
>         return s
> Again it works but only after the whole file was uploaded. I guess it
> is just not possible to block a large file upload before it is
> uploaded when using the publisher. Given the very rare lack of
> response from the core devs I suppose this post is simple stupid
> because I'm using the publisher and I had better give up and try to
> not use it for this particular task.

I haven't said anything because I have been too busy and also because
this topic has been covered before on the mailing list and it is in the
archives. The only trick is working out the right search terms to  
find the
answer. To save you the trouble:


Also see:


Ie. you can always just use Apache LimitRequestBody directive. And:


Ie., used for fixuphandler approach, don't use HTTP_BAD_REQUEST, but
HTTP_REQUEST_ENTITY_TOO_LARGE. Also see comments about
length being required.

I don't know why the person was having problems, as it should be  
to do it in a fixuphandler as described.


More information about the Mod_python mailing list