Issue 2551266: Support limiting POST (file upload) size

classification

Title:	Support limiting POST (file upload) size
Type:	behavior	Severity:	normal
Components:	Web interface	Versions:

process

Status:	new	Resolution:
Dependencies		Superseder:
Assigned To:		Nosy List:	rouilj
Priority:		Keywords:	Effort-Low

Created on 2023-02-27 14:29 by rouilj, last changed 2023-02-27 14:29 by rouilj.

Messages
msg7735	Author: [hidden] (rouilj)	Date: 2023-02-27 14:29
With the cgi module you can limit the size of a POST request used for uploading files. import cgi # Maximum input we will accept when REQUEST_METHOD is POST # 0 ==> unlimited input cgi.maxlen = 10 * 1024 * 1024 # 10MB (https://webpy.org/cookbook/limiting_upload_size) If there is just one file uploaded, this places a maximum size limit on the file. Roundup can attach multiple files in one POST request. So this isn't really useful for limiting the attached file size. An auditor is a better choice to limit attached file size. However this can be a good defense against a DOS attack for large POST requests that try to eat all the disk space or memory while handling the POST. I suggest adding the setting to the [web] section of the configuration file. Default value of 0 (no limit, same as current). I think megabyte units make sense for this. Make value a floating point number, so you can express kb, bytes etc. if needed. Value is converted to bytes for use internally.

msg7735

Author: [hidden] (rouilj)

Date: 2023-02-27 14:29

With the cgi module you can limit the size of a POST request used for uploading files.

   import cgi

   # Maximum input we will accept when REQUEST_METHOD is POST
   # 0 ==> unlimited input
   cgi.maxlen = 10 * 1024 * 1024 # 10MB

(https://webpy.org/cookbook/limiting_upload_size)

If there is just one file uploaded, this places a maximum size limit
on the file. Roundup can attach multiple files in one POST request.
So this isn't really useful for limiting the attached file size.
An auditor is a better choice to limit attached file size.

However this can be a good defense against a DOS attack for large POST
requests that try to eat all the disk space or memory while handling
the POST.

I suggest adding the setting to the [web] section of the configuration
file. Default value of 0 (no limit, same as current). I think megabyte
units make sense for this. Make value a floating point number, so you
can express kb, bytes etc. if needed. Value is converted to bytes for
use internally.

History
Date	User	Action	Args
2023-02-27 14:29:32	rouilj	create

Roundup Tracker - Issues

Issue 2551266