Q about security and maxTotalFileSize

Options

Previous Topic Next Topic

jen User Profile View All Posts by User View Thanks		#1 Posted : Monday, December 19, 2005 9:37:14 AM(UTC)
Rank: Member Groups: Member Joined: 12/12/2005(UTC) Posts: 11		Hi, Restriction rules are set client side so a mailcious user can easily bypass these, and as your documentation correctly states these limitations are for the convenience to the user. My question is, is there a way to break out of the upload, if server side we detect that the user is above his upload limit? Im uploading files one at a time and checking to see server side if the user is above the limit. If the user is above the limit, the file correctly doesnt save. What I would like to do is break out of the upload once it is determined that the user is above the limit. But Im not sure how to break out of the upload. Right now when the user is over the limit file doesnt save but I cant break out of the upload, so if there are 100 files, and the user is over the limit on the 2nd file, bandwidth is still being consumed as the other 98 files will still be downloaded (even though server side they wont be saved). I would like to break out of the upload as soon as I determine the user is over the limit. What do you recommend (im using asp.net) ? Is it possible to break out of the upload? Thankyou

jen User Profile View All Posts by User View Thanks		#2 Posted : Wednesday, December 21, 2005 7:41:25 AM(UTC)
Rank: Member Groups: Member Joined: 12/12/2005(UTC) Posts: 11		Hi, I need to solve this problem before I can move on, I submitted a response problem. Im also pasting the Q here, as it may be help to others, or perhaps others can help me on this, and I believe my initial post may not have been clear. ImageUploader: Restriction rules are set client side so a mailcious user can easily bypass these, and as your documentation correctly states these limitations are for the convenience to the user. So a mailicious user can upload 1000+ files, so server side checking needs to be done to prevent any extra files being uploaded: I have done this, on server side the files are not saved if the user is over his download quota. These files are being uploaded/saved individually. Q: Is there a method or can you suggest a way to break out of the upload? That is, once the user is over the limit I want to break out of the upload? Im using asp.net I tried Response.Redirect, and server.Transfer but these do not work correctly (i wasnt sure what else I could do). Can you please advise me on how to correctly break out of the download. If there is no way to break out of the download what is stopping a mailicous user from uploading 1000+ files. Even though we can check server side, and not save the files, bandwidth will still be consumed on the server as we iterate these 1000+ files. Thanks for any help.

Alex Makhov User Profile View All Posts by User View Thanks		#3 Posted : Wednesday, December 21, 2005 11:20:09 AM(UTC)
Rank: Advanced Member Groups: Member Joined: 8/3/2003(UTC) Posts: 998		Hello, Sorry for the long delay. ImageUploader doesn't allow users to send too large amounts of files. This behavior is controlled via MaxFileCount Property, MaxFileSize Property, MaxTotalFileSize Property and a couple of new properties: MaxImageWidth Property and MaxImageHeight Property. What additional restrictions do you need? Edited by user Sunday, February 17, 2008 5:18:41 PM(UTC) \| Reason: Not specified
		Sincerely yours, Alex Makhov Follow Aurigma on Twitter!

jen User Profile View All Posts by User View Thanks		#4 Posted : Wednesday, December 21, 2005 12:05:00 PM(UTC)
Rank: Member Groups: Member Joined: 12/12/2005(UTC) Posts: 11		Hi Alex, Yes, but those are client side restrictions, a mailicous user can easily bypass client side restrictions. Even your own documentation states this: http://www.aurigma.com/d...orFilesNumberandSize.htm The 4th paragraph states: "One more important notice: as these limitations are only client-side checks, you should not treat them as protection for your server. Since the malicious users can pass them around, e.g. by creating a local copy of this page and modifying of all the parameters, you should always check uploaded data on the server side. That's why use these limitations only for the convenience of the user" --- So, we if we determine that the user has uploaded more than his quota server side, then how can we break out of the upload? Any ideas on what to do? Thankyou ======================================================== 02/18/2008, Fedor If you will find during server-side upload processing that user tries to bypass client side restrictions, then you can just break HTTP connection. For example in ASP.NET it can be done using Response.End(). ======================================================== Edited by user Wednesday, October 29, 2008 1:40:57 PM(UTC) \| Reason: Not specified

Users browsing this topic
Guest

Forum Jump

You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.