Hi Mike,
As for ASP.NET file uploading, so far when we get the chance to inspect the
Request's properties(such as content length or othe headers), the post
data(form entries or binary content if use mult-part form) should have been
transmit to server-side. And the ASP.NET maxRequestLength and it's too late
to prevent uploading large size data. The ASP.NET maxRequestLength should
be checking the upload stream size a bit ealier, but still can only detect
the problem after the certain size of data(of the maxRequestLength) has
been uploaded to server. So far I'm afraid there hasn't any good approach
for web page based upload program since we haven't much control at the
client-side(such as checking the file size before posting/uploading). If
some rich client based component is allowed for your scenario, you may
consider using some ActiveX or IE hosted .NET control to perform file
upload since that can check file size in advance.
BTW, for setting <httpRuntime ....for different pages, you can also use
the <locationelement in web.config instead of putting different pages
into different sub folders:
#location Element (ASP.NET Settings Schema)
http://msdn2.microsoft.com/en-us/library/b6x6shw7.aspx
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: =?Utf-8?B?TWlrZSBLcmFsZXk=?= <mk*****@community.nospam>
Subject: Programmable limits on upload size
Date: Mon, 28 Apr 2008 18:27:20 -0700
>
In my ASP.NET application, I'd like to set limits on the maximum size of
an
>uploaded file. Normally I'd just
set the maxRequestLength of the httpRuntime element in web.config. But in
this case, I have a few different
aspx pages and I want the limit set differently for each. Yes, I could put
each in its own folder, each with
its own web.config, but that is rather awkward for this application.
Alternatively, I could leave the limit set in web.config to the largest
limit, and then in the other pages,
do my own checking, throwing an error if the ContentLength was too large.
But if the goal here is preventing a DOS attack on my server by someone
who
>is uploading lots of giant files,
maybe this is too late. That is, by the time my code gets to run, maybe
the
>content is already all uploaded
and has consumed the server resources. I'd rather be able to stop things
earlier in the process.
Looking at some Reflector code, it appears that the method
Request.GetEntireRawContent is actually doing the
reading of the input stream, and this is called very early in page
handling,
>by the first reference to the
Form contents. But I'm not sure I'm reading this correctly. If I look at
Request.InputStream at PageLoad
time, it says that it is still at position 0. Does that mean that the
content really hasn't been streamed in
yet?
Also I wonder what I can trust. The simple thing is just to check
Request.ContentLength, but I assume that a
bad guy can just fake that to be a small number. Is the InputStream length
a
>real number that can be trusted?
Any suggestions would be appreciated.
--
...Mike
