Is it possible to prevent a user from uploading a huge file, before it's actually uploaded?
I am using file_column (assuming it matters).

Thanks,
Bogdan

With file_column, I only allow unauthenticated users to upload images (using my image patch). Then I resize for them on upload with imagemagick. This takes care of the storage problem.

I could, and maybe should, add a file_column max_size validation. I'll think about doing it when I'm less swamped.

The simple solution, which is mostly a convenience for the user (and is easily circumvented by a malicious user), is from the PHP docs:

<form enctype="multipart/form-data" action="__URL__" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
    <!-- Name of input element determines name in $_FILES array -->
    Send this file: <input name="userfile" type="file" />
    <input type="submit" value="Send File" />
</form>

The MAX_FILE_SIZE hidden field (measured in bytes) must precede the file input field, and its value is the maximum filesize accepted. This is an advisory to the browser... Fooling this setting on the browser side is quite easy, so never rely on files with a greater size being blocked by this feature.

On 10/4/05, Bogdan Ionescu <bogdan.ionescu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Is it possible to prevent a user from uploading a huge file, before it's
> actually uploaded?
> I am using file_column (assuming it matters).
>
> Thanks,
> Bogdan

On 5-okt-2005, at 0:52, Kyle Maxwell wrote:
> With file_column, I only allow unauthenticated users to upload images
> (using my image patch). Then I resize for them on upload with
> imagemagick. This takes care of the storage problem.
>
> I could, and maybe should, add a file_column max_size validation. I'll
> think about doing it when I'm less swamped.
>
> The simple solution, which is mostly a convenience for the user (and
> is easily circumvented by a malicious user), is from the PHP docs:

But will it stop the file from getting _into_ rails (CGI listener) in its whole in the first place? Is the thing even buffered (leaving WEBrick aside for a second)?

--
Julian "Julik" Tarkhanov

On my system, the uploads are buffered into the /tmp directory as CGI<pid>.<n>

File_column works with pointers to files in the filesystem, so it's not like you'll be carrying 10MB files around in memory.

You can limit the general upload size with Apache/lighty directives, i.e.:

# Apache
LimitRequestBody 102400

On 10/4/05, Julian 'Julik' Tarkhanov <listbox-RY+snkucC20@public.gmane.org> wrote:
> But will it stop the file from getting _into_ rails (CGI listener) in
> its whole in the first place? Is the thing even buffered (leaving
> WEBrick aside for a second)?
> --
> Julian "Julik" Tarkhanov

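The server-side limit recommended in the message above, enforced at the application layer; this is an added example, not part of any message in the thread and not file_column's own code. It rejects on the declared Content-Length before any body bytes are read, then caps the bytes actually read in case the header is missing or understated. The names UploadSizeLimit, CappedInput, DEMO_APP and demo_post are hypothetical; 102400 is the LimitRequestBody value quoted in the thread.

```ruby
require "stringio"
# Hypothetical Rack-style middleware; class and helper names are illustrative.
class UploadSizeLimit
  class TooLarge < StandardError; end

  # Wraps the request body and never reads more than one byte past the cap.
  class CappedInput
    def initialize(io, limit)
      @io, @limit, @seen = io, limit, 0
    end

    def read(length = nil, outbuf = nil)
      room = @limit - @seen + 1 # one extra byte is enough to detect overflow
      chunk = @io.read(length ? [length, room].min : room)
      return (length ? nil : "") if chunk.nil?
      @seen += chunk.bytesize
      raise TooLarge if @seen > @limit
      outbuf ? outbuf.replace(chunk) : chunk
    end
  end

  def initialize(app, max_bytes)
    @app, @max = app, max_bytes
  end

  def call(env)
    declared = env["CONTENT_LENGTH"].to_s
    # Reject on the declared size first: no body bytes have been read yet.
    return reject if declared.match?(/\A\d+\z/) && declared.to_i > @max
    # The header can be absent or understated, so also cap what is actually read.
    env["rack.input"] = CappedInput.new(env["rack.input"], @max)
    @app.call(env)
  rescue TooLarge
    reject
  end

  def reject
    [413, { "Content-Type" => "text/plain" }, ["Upload too large\n"]]
  end
end

# Constructed demo: a downstream app that reads the body and reports its size.
DEMO_APP = ->(env) { [200, {}, [env["rack.input"].read.bytesize.to_s]] }

def demo_post(body, declared_length, max_bytes = 102_400)
  env = { "rack.input" => StringIO.new(body) }
  env["CONTENT_LENGTH"] = declared_length.to_s if declared_length
  UploadSizeLimit.new(DEMO_APP, max_bytes).call(env)
end
```

A MAX_FILE_SIZE form field plays no part in this check; only the declared length and the bytes actually received are considered.
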
Is <input type="hidden" name="MAX_FILE_SIZE" value="30000" /> some sort of undocumented feature? Does it work on most browsers?
Actually I did see that on phpBB, but I did not think it would actually help.

Thanks,
Bogdan

On 10/5/05, Kyle Maxwell <kyle-FOSOgQihYpQjo0HpFSRKWA@public.gmane.org> wrote:
> With file_column, I only allow unauthenticated users to upload images
> (using my image patch). Then I resize for them on upload with
> imagemagick. This takes care of the storage problem.
>
> I could, and maybe should, add a file_column max_size validation. I'll
> think about doing it when I'm less swamped.
>
> The simple solution, which is mostly a convenience for the user (and
> is easily circumvented by a malicious user), is from the PHP docs:
>
> <form enctype="multipart/form-data" action="__URL__" method="POST">
>     <!-- MAX_FILE_SIZE must precede the file input field -->
>     <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
>     <!-- Name of input element determines name in $_FILES array -->
>     Send this file: <input name="userfile" type="file" />
>     <input type="submit" value="Send File" />
> </form>
>
> The MAX_FILE_SIZE hidden field (measured in bytes) must precede the
> file input field, and its value is the maximum filesize accepted. This
> is an advisory to the browser... Fooling this setting on the browser
> side is quite easy, so never rely on files with a greater size being
> blocked by this feature.