[mod_python] Is it possible to stop file uploading?

Mike Looijmans nlv11281 at natlab.research.philips.com
Thu Jan 25 01:30:17 EST 2007

In addition to Graham's (as usual much more useful and less cryptic) 
response, I think you can detect the request for a '100-continue' 
because the browser sends out a "Expect: continue" or something like 
that (don't have the exact information here, but RFC2068 will help you 

The only way to stop the client from sending you data once the 
100-continue has been sent is to close the underlying socket connection. 
It is good practice to send a "Connection: Close" header along with your 
error response. The underlying socket is available as req.connection if 
i'm not mistaken. This is not very "nice" to the client, and should be 
used only if you expect really big downloads. You might want to check 
the Content-Length of the upload - if it is less than say 16k, it is 
probably more efficient to just "eat" the data even though you're not 
going to process it.

Mike Looijmans
Philips Natlab / Topic Automation

Graham Dumpleton wrote:
> Mike Looijmans wrote ..
>>>1.When a user uploads file, using FORM ( POST method), is there a  possibility
>>to stop 
>>>uploading, if the file extension  is not among those  allowed? 
>>Yes. Write out an error and close the HTTP connection.
> Actually, whether you can stop the client sending any of the actual data
> contained in the body of the POST request depends on a few issues.
> First off, if the client is using the HTTP 1.0 protocol the answer is that you
> cannot. This is because with HTTP 1.0 protocol the client will immediately
> start sending the body of the POST. Thus even if the server side returns an
> error status based on looking at only the URL for the request, the client will
> already have potentially sent all the actual data. The return of the error from
> a handler on the server should result in the connection being dropped and so
> the server will not read the data, but this will not have prevented some amount
> of bandwidth being used up by the client to send the data anyway. How much data
> the client will have sent will depend on how much will get buffered by the
> connection before it would have detected the connection had closed.
> If the client is using the HTTP/1.1 protocol it gets more interesting. This is
> because HTTP/1.1 implements a mechanism whereby a client can request that the
> server send a 100 continue status response before it will actually start
> sending the body of the POST request. This is something that is dealt with at a
> lower layer than mod_python so you don't have to worry about it yourself. How
> it works with mod_python though, is that the very first time that the handler
> calls req.read(), the lower level layers will take that as meaning you are
> ready to start consuming the data and so Apache will send back a 100 continue
> response to the client and it will only then start sending the data. If rather
> than call req.read(), the handler returns an error response instead, then the
> client will see the error response and will stop before it has even sent the
> body of the POST request.
> So, although with both HTTP 1.0 and 1.1, the way to end the request early is to
> send the error response, only with HTTP 1.1 protocol may you be able to get the
> client to stop before it has actually sent any data at all. This though can
> only be achieved if you can determine whether the request should be aborted
> from just the URL and the request headers. If the only way you can work out if
> the request is to be aborted is from the actual body of the POST request, then
> none of this applies and the client is always going to send some amount of
> the data anyway.
>>>Is there a good/recommended way how to find out the file extension?
>>>I use a handler that can find the extension( using  util.FieldStorage(req))
>>>but it does not stop uploading in progress but uploads the whole file
>>Create a FieldStorage instance, and pass it the callbacks for file 
>>processing. You'll be called while the file stream is being read, and 
>>you can check the extension at that time.
> As pointed out above though, if the extension is being derived from the
> filename attribute of the Content-Disposition header within a part of the
> multipart/mixed body of the POST request, this means that req.read() would have
> had to have been called and so none of the above applies and the client has had
> to send some of the data anyway.
> All you can achieve by using the file callbacks is to detect that the extension
> is unacceptable before the client has sent too much data by sending back
> the error response. You can't stop all of it being sent and how much will still
> be sent will depend a bit of buffering within the network, by Apache and how
> big a chunks of data FieldStorage consumes in one go.
> Graham
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python

More information about the Mod_python mailing list