How to find uploaded data size from content-length

Asterbing

I thought the whole point was to avoid extracting the
data in the first place.

Right :) Effectively, I've taken an example of a 1MB limit, but it could
be 10MB (or 10KB, but that's another discussion). So, if it's 10MB and
the client sends CONTENT_LENGTH in its request (which is not always the
case), I would like to check it, then deduce the file size and stop
everything in case the limit is exceeded.
You have enough memory to load a 1 MB of non-file-upload form-data into
memory, but not enough disk to temporarily save 1 MB of file-upload data?
That just doesn't make sense.

See what I say just above ;)
Having said that, you could hack/subclass the read_multipart method
of CGI.pm to have it, at a certain size, stop copying the data into the
file, something like:

So, here, I understand CGI.pm stops things during the server file
copying, not during the STDIN fill-in.

Asterbing

sherm@dot- said:
The server isn't receiving data from stdin, it's receiving it from a network connection.

I didn't write "from", but "to".
It doesn't make the client stop sending data, it just ignores anything
beyond POST_MAX.

However, when CONTENT_LENGTH is not sent by the client, the server has to
compute it from the real data found in STDIN, so in this case it doesn't
stop anything but just avoids writing to the server disk.
It can and does stop receiving data. Your confusion is the result of
thinking that it *also* causes the client to stop *sending* data.

If CONTENT_LENGTH comes from client, yes. But, when computed by server
from STDIN content, no.

Asterbing

DBraughler said:
Asterbing said:
[quoted text muted]
That should probably be changed. It does not immediately exit with
an error message. It first reads (and discards) the entire contents
of the POST, which apparently the OP doesn't want to happen.

It would make sense to me to send an error message, close the connection, and exit.
Otherwise, a DoS attack indeed keeps streaming bits to the server.

I didn't write this. You quote 'Asterbing' but it wasn't written by
Asterbing in the referenced post.

Asterbing

Why? Look how "they" do it, and copy it.

I've seen and rewritten my own. A matter of courtesy not to 'copy': in
my mind, there are two ways only: I use a module, or I just take a look at their
algorithm (idea), but never copy (steal).
Good question, set it to 50KB, and check the actual filesize.

Good idea: quite empirical, but I've not seen better around :)

Asterbing

Do you really consider 5KB to be a denial of service attack?

Set one limit on the whole post of, say, 10MB, to prevent DoS attacks.
If the size is over 10MB, send a nasty message about DoS not being welcome.
If it is under 10MB, process it, save the upload to a temp file, and
check its size. If the size is more than 5KB, send a polite message
saying the file was a tad too big, and delete the temp file. Otherwise,
do whatever it is you want to do.

Well, since I've parsed STDIN by the time I'm ready to write to a tmp server
file, I have the file size before even writing to disk. I think that's the
way I'll do it.

Thanks for all your opinions
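An added worked example of the two-tier limit suggested above (a large cap on the whole POST, a small cap on the file), combined with the early CONTENT_LENGTH check discussed earlier in the thread; this is not code from the thread or from CGI.pm itself. `$CGI::POST_MAX`, `cgi_error` and `upload` are real CGI.pm interfaces; the field name `userfile` and the 10MB / 5KB figures are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Two-tier limit from the thread: one cap on the whole POST body (the DoS
# limit), a much smaller cap on the uploaded file itself. Values are assumed.
use constant POST_LIMIT => 10 * 1024 * 1024;   # 10 MB
use constant FILE_LIMIT => 5 * 1024;           # 5 KB

# Tier 1a: if the client sent Content-Length, refuse an oversize request
# before CGI.pm reads a single byte of the body. The header is optional, so
# this is only an early exit, not the enforcement point.
my $declared = $ENV{CONTENT_LENGTH};
if (defined $declared && $declared =~ /^\d+$/ && $declared > POST_LIMIT) {
    print "Status: 413 Request Entity Too Large\r\n",
          "Content-Type: text/plain\r\n\r\n",
          "Request body too large.\n";
    exit;
}

# Tier 1b: have CGI.pm enforce the same cap while parsing the multipart body.
# As noted in the thread, when POST_MAX is hit CGI.pm still reads and discards
# the rest of the body; it only stops writing it to disk.
$CGI::POST_MAX = POST_LIMIT;
my $q = CGI->new;

if (my $err = $q->cgi_error) {
    # cgi_error() is "413 Request entity too large" when POST_MAX was exceeded
    print $q->header(-status => $err, -type => 'text/plain'),
          "Upload refused: $err\n";
    exit;
}

# Tier 2: the upload already sits in a temp file; check its size before use.
# 'userfile' is the assumed name of the <input type="file"> field.
my $fh = $q->upload('userfile');
unless ($fh) {
    print $q->header('text/plain'), "No file uploaded.\n";
    exit;
}

my $size = -s $fh;   # size of the temp file behind the upload handle
if ($size > FILE_LIMIT) {
    printf "%sFile too big (%d bytes; limit is %d bytes).\n",
           $q->header('text/plain'), $size, FILE_LIMIT;
    exit;   # CGI.pm removes the temp file when $q is destroyed
}

print $q->header('text/plain'), "Accepted $size-byte upload.\n";
# ... process the file through $fh here
```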

Denver

Asterbing said:
I didn't write this. You quote 'Asterbing' but it wasn't written by
Asterbing in the referenced post.
Then your Gravity news agent is messed up or you miscounted the nesting wakas.
The attributions and text are correctly nested in what I posted.

Keith Keller

I've seen and rewritten my own. A matter of courtesy not to 'copy': in
my mind, there are two ways only: I use a module, or I just take a look at their
algorithm (idea), but never copy (steal).

Copying isn't stealing if you're allowed to do it. Just don't
redistribute your program without also distributing the source.

--keith

Sherm Pendley

Asterbing said:
I've seen and rewritten my own. A matter of courtesy not to 'copy': in
my mind, there are two ways only: I use a module, or I just take a look at their
algorithm (idea), but never copy (steal).

I suppose you rewrote perl too, using a C compiler you rewrote? What about
the web server, and the operating system? You wouldn't want to "steal" those
either, now would you?

Idiot.

*plonk*

sherm--

John Bokma

Sherm Pendley said:
I suppose you rewrote perl too, using a C compiler you rewrote? What
about the web server, and the operating system? You wouldn't want to
"steal" those either, now would you?

Idiot.

Not really: he wrote: I either use the full product (in your example perl,
c compiler, web server. In his example CGI.pm) *or* I write my own, and
when possible I look at their source, but I don't copy it 1:1. Doesn't
sound like an idiot to me. At least he takes the time to study someone
else's code.

Uncalled for IMO. Also how many people are interested in the status of
your kf?

Asterbing

DBraughler said:
Then your Gravity news agent is messed up or you miscounted the nesting wakas.
The attributions and text are correctly nested in what I posted.

My Gravity shows me this for the post I was talking about:

--- BEGIN COPY ---
Asterbing said:
[quoted text muted]
That should probably be changed. It does not immediately exit with
an error message. It first reads (and discards) the entire contents
of the POST, which apparently the OP doesn't want to happen.
--- END COPY ------

Asterbing

kkeller- said:
Copying isn't stealing if you're allowed to do it. Just don't
redistribute your program without also distributing the source.

I don't know if the author(s) of CGI.pm allow this. However, with Perl,
the source is always visible, by design.

Asterbing

sherm@dot- said:
I suppose you rewrote perl too, using a C compiler you rewrote? What about
the web server, and the operating system? You wouldn't want to "steal" those
either, now would you?

Irrelevant: C is not an interpreted language!

Asterbing

Not really: he wrote: I either use the full product (in your example perl,
c compiler, web server. In his example CGI.pm) *or* I write my own, and
when possible I look at their source, but I don't copy it 1:1. Doesn't
sound like an idiot to me. At least he takes the time to study someone
else's code.

Thanks John: we're at least two ;-) ... No, surely we're a lot :)

Denver

Asterbing said:
DBraughler said:
Then your Gravity news agent is messed up or you miscounted the nesting wakas.
The attributions and text are correctly nested in what I posted.

My Gravity shows me this for the post I was talking about:

--- BEGIN COPY ---
Asterbing said:
[quoted text muted]
That should probably be changed. It does not immediately exit with
an error message. It first reads (and discards) the entire contents
of the POST, which apparently the OP doesn't want to happen.
--- END COPY ------

That certainly is not what I posted.
Nonetheless, it is quite clear from that that anything that Asterbing wrote is preceded by ">>" not by ">>>".

Dr.Ruud

Asterbing wrote:
DBraughler:
Asterbing:
[attribution repaired] xhoster:
[quoted text muted]

That should probably be changed. It does not immediately exit with
an error message. It first reads (and discards) the entire
contents of the POST, which apparently the OP doesn't want to
happen.

It would make sense to me to send an error message, close the
connection, and exit. Otherwise, a DoS attack indeed keeps streaming
bits to the server.

I didn't write this. You quote 'Asterbing' but it wasn't written by
Asterbing in the referenced post.

Do you mean the "[quoted text muted]"? I guess that's put there by a
bot.

Text between "[]" is commonly a witty summary of what the poster chose
to read in what a previous poster wrote.