Graham Dumpleton
grahamd at dscpl.com.au
Wed Jan 24 16:53:13 EST 2007
Mike Looijmans wrote ..
> > 1. When a user uploads a file, using FORM (POST method), is there a possibility to stop
> > uploading, if the file extension is not among those allowed?
>
> Yes. Write out an error and close the HTTP connection.

Actually, whether you can stop the client sending any of the actual data contained in the body of the POST request depends on a few issues.

First off, if the client is using the HTTP 1.0 protocol the answer is that you cannot. This is because with the HTTP 1.0 protocol the client will immediately start sending the body of the POST. Thus even if the server side returns an error status based on looking at only the URL for the request, the client will already have potentially sent all the actual data. The return of the error from a handler on the server should result in the connection being dropped and so the server will not read the data, but this will not have prevented some amount of bandwidth being used up by the client to send the data anyway. How much data the client will have sent will depend on how much will get buffered by the connection before it would have detected the connection had closed.

If the client is using the HTTP/1.1 protocol it gets more interesting. This is because HTTP/1.1 implements a mechanism whereby a client can request that the server send a 100 continue status response before it will actually start sending the body of the POST request. This is something that is dealt with at a lower layer than mod_python so you don't have to worry about it yourself. How it works with mod_python though, is that the very first time that the handler calls req.read(), the lower level layers will take that as meaning you are ready to start consuming the data and so Apache will send back a 100 continue response to the client and it will only then start sending the data.

If, rather than calling req.read(), the handler returns an error response instead, then the client will see the error response and will stop before it has even sent the body of the POST request.

So, although with both HTTP 1.0 and 1.1, the way to end the request early is to send the error response, only with the HTTP 1.1 protocol may you be able to get the client to stop before it has actually sent any data at all. This though can only be achieved if you can determine whether the request should be aborted from just the URL and the request headers. If the only way you can work out if the request is to be aborted is from the actual body of the POST request, then none of this applies and the client is always going to send some amount of the data anyway.

> > 2.
> > Is there a good/recommended way how to find out the file extension?
> > I use a handler that can find the extension (using util.FieldStorage(req))
> > but it does not stop uploading in progress but uploads the whole file first.
>
> Create a FieldStorage instance, and pass it the callbacks for file
> processing. You'll be called while the file stream is being read, and
> you can check the extension at that time.

As pointed out above though, if the extension is being derived from the filename attribute of the Content-Disposition header within a part of the multipart/mixed body of the POST request, this means that req.read() would have had to have been called and so none of the above applies and the client has had to send some of the data anyway.

All you can achieve by using the file callbacks is to detect that the extension is unacceptable before the client has sent too much data by sending back the error response. You can't stop all of it being sent and how much will still be sent will depend a bit on buffering within the network and by Apache, and on how big a chunk of data FieldStorage consumes in one go.

Graham
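
The 100 continue exchange described in this message, as an added example that is not part of the original post and is not mod_python code: it uses Python's standard http.server, where handle_expect_100() is the point before any body is read, plus a raw-socket client that waits for the interim response. It assumes the file name is carried in the URL; the allow-list, paths and helper names are constructed for illustration.

```python
import socket, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED = (".txt", ".png")  # constructed allow-list

class UploadHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # http.server only honours Expect for HTTP/1.1

    def allowed(self):
        # Assumption: the file name is the last URL segment, so headers suffice.
        return self.path.split("?")[0].lower().endswith(ALLOWED)

    def handle_expect_100(self):
        # Runs after the headers are parsed and before any body byte is read.
        if not self.allowed():
            self.send_error(415, "extension not allowed")  # adds Connection: close
            return False  # no "100 Continue", so the client never starts the body
        return super().handle_expect_100()

    def do_POST(self):
        if not self.allowed():  # client sent no Expect header (e.g. HTTP/1.0)
            return self.send_error(415, "extension not allowed")
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), UploadHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def upload(port, path, body):
    """POST with Expect: 100-continue; return (final status, body bytes sent)."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        head = f"POST {path} HTTP/1.1\r\nHost: localhost\r\nContent-Length: {len(body)}\r\n"
        s.sendall((head + "Expect: 100-continue\r\n\r\n").encode())
        reply, sent = s.makefile("rb"), 0
        status = int(reply.readline().split()[1])
        if status == 100:  # server is ready to consume the body
            while reply.readline().strip():
                pass  # skip the rest of the interim response
            s.sendall(body)
            sent = len(body)
            status = int(reply.readline().split()[1])
        return status, sent
```

Calling upload() against start_server().server_address[1] returns the final status together with how many body bytes the client actually put on the wire.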