ep's blog :: How to stop big file upload (Enemy at the gate) with Apache mod

Main Page

Ruby on Rails

Photos

Be aware: Scam, scam, scam

Smile

Main Page

Previous:	Scam with elements of social engineering. Be aware
Next:	New Scam (and possible Identity theft) from pretend to be "Hartman International Co. Ltd"

How to stop big file upload (Enemy at the gate) with Apache mod_rewrite

by ep on Mon 26 Nov 2007 07:02 PM EST | Permanent Link | Cosmos

Apache 2
ModRewrite
Ruby on Rails

When you have a form to upload a file, you may want to limit the file size. If you check for the size within the application - we have already lost the battle.

The better way (IMHO) is to use Apache ModRewrite to check for the size of a POST request and redirect with GET to error handling action

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP:Content-type} multipart/form-data
RewriteCond %{HTTP:Content-length}  >500000
RewriteRule ^(.*?)$ %{REQUEST_URI}?form_data_too_big=on [R=303,L]

How it works

Only POST requests
Only mutipart/form-data POST
Check HTTP Request header against limit. Add MIME envelop overhead (5Kb for example)
Redirect with GET to the same URL with one parameter

Let say you have a controller with action process_upload, and the URL for the action is http://www.myserver.tld/file/process_upload.

def process_upload
  if request.get? && params[:form_data_too_big]
    return error_response_for_file_to_big
  end
 ....
end

In that way you can work with respond_to_parent or json or javascript

Keywords: rewriterule, rewritecond, apache

Posted to:

Main Page

Comments

Post a comment

Re: How to stop big file upload (Enemy at the gate) with Apache mod_rewrite

by Anonymous on Wed 19 Dec 2007 08:11 PM EST | Permanent Link

I tried your setting. It does not disconnect the client immediately but waits until the entire file uploaded. Do you have any other suggestion?

Re: Re: How to stop big file upload (Enemy at the gate) with Apache mod_rewrite

by ep on Thu 20 Dec 2007 12:49 PM EST | Profile | Permanent Link

This is the way how Apache reads the requests. The only immediate redirect before reading the whole requests if conditions for redirect don't depend on data in request (header/body), but only IP or hostname.

If Apache would read headers only first, runs the RuleRewrite and
then only reads body , it would work, however I am not that good
at C/C++ to provide a patch to Apache.

At least your application (PHP/CGI or whatever behind) doesn't take the hit

Re: Re: Re: How to stop big file upload (Enemy at the gate) with Apache mod_rewrite

by Anonymous on Thu 20 Dec 2007 02:58 PM EST | Permanent Link

thanks for your reply. please contact me if you know any standard way to protect the resource (eg. bandwidth & processing power) against large upload. thanks.

Re: Re: Re: Re: How to stop big file upload (Enemy at the gate) with Apache mod_rewrite

by ep on Thu 20 Dec 2007 03:04 PM EST | Profile | Permanent Link

http://perl.apache.org/docs/offsite/books.html#Writing_Apache_Modules_with_Perl_and_C

Re: How to stop big file upload (Enemy at the gate) with Apache mod_rewrite

by Bogdan on Sun 25 May 2008 08:13 AM EDT | Profile | Permanent Link

For some years after the official release of the standard, the committee processed defect reports, and published a corrected version of the C++ standard in 2003. In 2005, a technical report, called the "Library Technical Report 1" was released. outsource manufacturing

Trackbacks

TrackBack URL:
http://ep.blogware.com/blog/_trackback/3377224

No trackbacks found.

Post comment:

Format Type:
	Convert newlines
	Receive comment notifications for this article
Subject:

Comment:

Comment verification:

Please enter the text you see inside the graphic to post your comment:

You are not currently logged in. If you would like your user information to be displayed with your comment, please enter your login information below.

Username:
Password:

If you would like to post contact information on your comment, please enter your information into the optional fields below:

Contact information:

Name:
URL:		example: http://yourdomain.com
Email:

Please note: email will not be displayed on the site, only for the blog owner. If logged in, URL will only be used.