Uploading photos - How can I keep our website safe/stable - asp-classic

My website would like users to upload their photos...but how do I keep our server safe from harm? Allowing only JPGs should avoid virus trouble, but what if someone selects a 10Gb file - will that slow the whole website down?
We're using Classic ASP and IIS6 (sorry, but that's how it is, can't change that!). Previously we have used a DLL from a company called Persits to handle uploads. However, it would be helpful to other people if we extend this discussion to other languages/technologies too.
ASPs cannot detect the size of a file until it has finished uploading, so that's a pain. Or can I check content-length in the HTTP header before I start the transfer?
Q1. Are there any other ways someone could abuse the upload facility?
Q2. How can I limit the danger to keep the site running and the server safe?
Thank you.

In Persits, you can set the maximum file size a user can upload:
Upload.SetMaxSize 100000, True
The "True" above shows that the file is to be rejected if over the max size. If set to False then the file will be truncated.
See http://www.aspupload.com/object_upload.html#SetMaxSize

If you were using ASP.NET you can specify a maximum file size in web.config (or machine.config), and ASP.NET will throw an error after the size is exceeded in the upload. That is to say, if you specify a limit of 4Mb, and someone tries to upload a 100Mb file, .NET will complain as soon as it has uploaded more than 4Mb.
The property in question is maxRequestLength, which according to MSDN "Specifies the limit for the input stream buffering threshold, in KB. This limit can be used to prevent denial of service attacks that are caused, for example, by users posting large files to the server."
For example:
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="4000" />
  </system.web>
</configuration>
I am not sure if there is an equivalent in classic ASP though.
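The behaviour discussed in the question and in this answer (reject on the declared Content-Length first, then cut the transfer off as soon as the cap is passed) sketched in Python as an added example; it is not code from this thread, Persits or ASP.NET. `read_capped`, `UploadTooLarge` and the sample body are hypothetical names and constructed input.

```python
import io

class UploadTooLarge(Exception):
    """The declared or the actual body size exceeds the cap."""

def read_capped(stream, declared_length, max_bytes, chunk_size=64 * 1024):
    """Read a request body, refusing anything larger than max_bytes.

    declared_length is the raw Content-Length header value, or None.
    """
    # 1. Cheap pre-check on the declared size, before reading any body bytes.
    if declared_length is not None:
        try:
            declared = int(declared_length)
        except ValueError:
            raise UploadTooLarge("malformed Content-Length") from None
        if declared < 0:
            raise UploadTooLarge("negative Content-Length")
        if declared > max_bytes:
            raise UploadTooLarge(f"declared {declared} bytes, cap is {max_bytes}")
    # 2. The header is client-supplied and can be missing (chunked transfer)
    #    or understated, so also count what actually arrives and stop there.
    received = 0
    body = bytearray()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return bytes(body)
        received += len(chunk)
        if received > max_bytes:
            raise UploadTooLarge(f"received more than {max_bytes} bytes")
        body += chunk

if __name__ == "__main__":
    cap = 4 * 1024 * 1024                            # 4 MB limit, as in the answer
    big = io.BytesIO(b"\xff" * (100 * 1024 * 1024))  # constructed 100 MB body
    try:
        read_capped(big, None, cap)                  # no Content-Length sent
    except UploadTooLarge as exc:
        print(exc, "- stopped after reading", big.tell(), "bytes")
```

With the pre-check alone a request that omits or understates the header would still be read in full, which is why the byte count during the read is the limit that actually holds.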

There is a great component that uses Flash to upload files. Check it out
http://www.codeproject.com/KB/aspnet/FlashUpload.aspx

This appears to enforce file upload size: http://www.aspupload.com/
I am not sure how it handles it.

I've just found an article on how to limit size using a setting called 'AspMaxRequestEntityAllowed' in IIS:
http://www.banmanpro.com/support2/File_Upload_limits.asp
However, it doesn't work - my server already has that setting at 200k and yet we are currently uploading 1Mb files ok!

You can reject the oversized requests at the IIS level before they even get to your application by using Microsoft's UrlScan tool: http://technet.microsoft.com/en-us/security/cc242650.aspx
For IIS 6, it looks like you may not even need that. You should be able to set the MaxRequestEntityAllowed and ASPMaxRequestEntityAllowed metabase properties to your desired maximum value and the requests will be cut off at that point.

Related

Uploading a 500MB+ file through an ASP.NET web application

My web application allows authorised users to upload videos using the ASP.NET WebForms FileUpload web control, which in the past have been around 100-200MB. I had to obviously make some changes to the web.config so that files of this size could be uploaded.
However, the authorised users now want to upload video files which are 500MB+
The maxAllowedContentLength has now been set to 629145600 (600MB).
However, when uploading the videos, after a while the page responds with:
Page not found
This only happens with large videos, so I know this issue has something to do with the file size.
Why is this happening? And also, should I really be increasing the limit to 500MB+? Is there a better way of getting such large files onto the web server?
Check out this blog post by Jon Galloway, it's a bit old but still relevant:
Large file uploads in ASP.NET
It's got answers to your questions about:
page not found
setting the correct maxAllowedContentLength
There are recommendations for various controls you can use, both free and commercial.
I've used the flash control and it worked great.
Alternative Solution
Provide an FTP area for each user to upload to.
It allows users:
easily batch upload many files (harder in the browser)
takes advantage of resume on disconnect
Then you provide a GUI for the user, to consume the files.
Have you considered using jQuery File Upload (https://github.com/blueimp/jQuery-File-Upload/)? There are versions available for .NET and MVC (see the GitHub wiki). It takes all the heartache out of implementing large file uploads in .NET and provides a lovely interface too. Since discovering this a while ago I never use anything else! I've successfully implemented it a few times now and seen uploads of ~2GB working successfully.

IIS 7 & php big files upload problems

I've been trying to upload some avi files by using several methods.
First I tried using Adobe's ADDT "UPLOAD FILE" to upload *.avi files, and everything was OK until I tried to upload a 131.5M video. When the size of the video is less than 40M, there's no problem, but when the video is bigger, the problem starts. So I tried different methods, jQuery plugins, etc., with the same result.
The server in which the movies should upload is running under IIS7.
Searching the internet, I found that php.ini should be changed, so I changed the following related values:
max_file_uploads:20
max_input_time:240
memory_limit:256M
post_max_size:256M
upload_max_filesize:256M
Also in the SNAPIN of IIS under "REQUEST FILTERING" I've changed the value to 300000000 (300M).
I think it has something to do with the time the upload is taking, because sometimes I can see in the temp folder a partial upload of something between 25 and 47M.
I don't think that the php upload scripts are the problem, but something on the server side.
I finally discovered what the problem was. In php.ini it was "max_file_uploads". First, I doubled its value, from 20 to 40, which gave me a 40 minute timeout for an upload. Then I put in 200, which gave all the time needed to complete a 131.5 MB avi upload.
After finding this (I was moving all the related parameters to see what would happen if...) I decided to check on php.net to see what the official definition of "max_file_uploads" was, which is:
"The maximum number of files allowed to be uploaded simultaneously. Starting with PHP 5.3.4, upload fields left blank on submission do not count towards this limit.".
I'm completely confused why this worked, but my php.ini values are now this:
max_file_uploads:200
max_input_time:14400
memory_limit:1.01G
post_max_size:1G
upload_max_filesize:999M
Besides that, in Request Filtering in the IIS section of the server (using IIS 7 Manager), I moved the value for max allowed content length to 1GB.
I want to thank Alykhalid for the time and advice.
Did you increase the value of max_input_time? What is the new value? Also try increasing the value of the CGI timeout. Also look at this blog post for PHP timeout issues.

Upload more than 2GB file in Asp.Net?

I am trying to upload a 2+ GB video file using FTP. When I click the “Upload” button in the browser control, the page is not posted, but the status in the browser is DONE. The same works fine with video files smaller than 2GB.
I just added one page, with browser control and one button for posting the page.
Just clicked the button, to post the page with 2gb file.
The page was not posting to server.
Split the file up into smaller chunks, FTP those, and then re-combine.
MSDN
Edit: You can do files up to 2GB+ with ASP.NET using a third party solution that overrides the built-in request checking. This will work in all versions of IIS except IIS 7 integrated mode, which has a hard 2GB limit.
Read this
Read this : http://www.webdavsystem.com/server/documentation/upload
There are limits imposed by browsers on the amount of data you can upload in a single request.
In IE I think it is 2gb.
What are you using?

ASP.NET FileUpload failure

Trying to upload a large file (20MB), I set the maxRequestLength to a high enough level (and the expiration time too) in the httpRuntime entry of web.config. The Event Log stopped reporting that the post size exceeds allowed limits, but I still get the same behavior in the browser (IE or FF): "The connection to the server was reset while the page was loading." I'm using VS2008 and the built-in web server, not IIS. I've read the Q&A on this topic and even put in the check for the exception (IsMaxRequestExceededException) in the application global handler. This was referenced in another StackOverflow thread about this topic. Has anyone had anything similar, or have any ideas?
Thanks,
Bob
I've not come across this myself with the built-in server, however you could try increasing the timeout too in the web.config file.
<httpRuntime executionTimeout="****" maxRequestLength="****" />
Figured out my problem. I put the entry into the wrong web.config file -- I have two web apps in the same VS solution. Doh!
HTTP uploads are notoriously unreliable. You should look into some other options that utilize Flash or Silverlight for file uploads.

What is max file upload size in IIS6.0? and how do we overcome that?

In my application, I would like to upload files of size more than 3GB. I increased max file request timeout as high as possible.
But it is not even posting the page to the server when I select a 3GB file.
My web site configuration:
Asp.Net 3.5
IIS 6.0
Is it possible with the above configuration? If not what is the reason, and how do I resolve this?
I'd probably go with an FTP approach. Using FtpWebRequest - try Google for sample code.
You'll need to adjust both the timeout and request length in your web.config appropriately:
<system.web>
<httpRuntime maxRequestLength="102400" executionTimeout="360"/>
</system.web>
Of course keep in mind, a 3Gb file is going to require a lot of patience. In reality, I suggest investigating alternatives - HTTP post is not going to be pretty with files of this size.
One possibility: http://www.banmanpro.com/support2/File_Upload_limits.asp
Unfortunately adjusting the timeout and request length is not going to work. Your web server will run out of memory before the upload completes.
What you need is a file upload control that will break your upload into smaller chunks, so that you don't use all of the server's memory to hold the file while it is uploading.
One of the better file upload controls available is Darren Johnstone's ASP.NET File Upload control. This free control is a drop-in replacement for the standard ASP.NET file upload component, and is specifically designed to handle large files. It even includes a progress bar that doesn't require Flash.
Complete documentation and installation instructions are here:
http://darrenjohnstone.net/aspnet-file-uploaddownload-module-v2-documentation/
The control (and source code) can be downloaded here:
http://darrenjohnstone.net/downloads/
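What the chunking advice in this answer (and the split-and-recombine suggestion in the 2GB thread above) implies on the receiving side, as an added Python example that is not Darren Johnstone's control or any code from these threads: each chunk goes straight to disk, and per-chunk and total caps are enforced as the chunks arrive. `ChunkedUpload`, the numbered-chunk protocol and the SHA-256 check on the recombined file are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

class ChunkedUpload:
    """Reassemble numbered chunks on disk, never holding the whole file in memory."""

    def __init__(self, dest_dir, max_total, max_chunk):
        self.max_total, self.max_chunk = max_total, max_chunk
        self.next_index = 0
        self.total = 0
        self.digest = hashlib.sha256()
        # Server-chosen temp name; the client's filename never reaches the path.
        fd, self.path = tempfile.mkstemp(dir=dest_dir, suffix=".part")
        self.file = os.fdopen(fd, "wb")

    def abort(self):
        """Drop the partial file so rejected uploads do not fill the disk."""
        self.file.close()
        if os.path.exists(self.path):
            os.remove(self.path)

    def add_chunk(self, index, data):
        if index != self.next_index:
            self.abort()
            raise ValueError(f"expected chunk {self.next_index}, got {index}")
        if len(data) > self.max_chunk or self.total + len(data) > self.max_total:
            self.abort()
            raise ValueError("chunk or total size over the limit")
        self.file.write(data)
        self.digest.update(data)
        self.total += len(data)
        self.next_index += 1

    def finish(self, expected_sha256):
        """Close the file; keep it only if the recombined content matches."""
        self.file.close()
        if self.digest.hexdigest() != expected_sha256.lower():
            self.abort()
            raise ValueError("checksum mismatch after recombining")
        return self.path

if __name__ == "__main__":
    parts = [b"A" * 1024, b"B" * 1024, b"C" * 100]   # constructed sample chunks
    up = ChunkedUpload(tempfile.mkdtemp(), max_total=4096, max_chunk=1024)
    for i, part in enumerate(parts):
        up.add_chunk(i, part)
    print(up.finish(hashlib.sha256(b"".join(parts)).hexdigest()), up.total)
```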
