This is a bit of an HTML/Webserver/cgi question:
For a while now I've been struggling with a way of allowing website visitors to upload files. I am not so bothered about the script which receives the data as I know how to do this but I have noticed problems if the user decided to upload a big file.
Basically, the entire file appears to be sent to the server from the user's computer before anything else, so even if the cgi script in the ACTION parameter of the FORM tag does not exist you still get the whole file transferred before getting a 404.
For example:
<FORM ACTION=" ENCTYPE="Multipart/form-data" METHOD="POST">
<INPUT TYPE="file" NAME="filename"><BR>
<INPUT TYPE="submit">
</FORM>
I select a 200MB file and hit submit - immediately my upstream network traffic starts counting at about a MB a second until I press the stop button.
I have tried changing the ACTION parameter to point at another machine on my network and this time I can see that the target server is also receiving the data.
This is rather annoying since I can't get my site to reject large files without receiving the whole file on stdin first. I think you can specify a size parameter in the INPUT TYPE="file" tag, but that won't stop a determined user creating their own html (as above). I'd prefer to perform these sorts of checks server-side.
Any ideas? Even if I can just block attempts to run cgi's from other domains it might be enough.
Thanks in advance.
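A server-side size check of the kind asked about above, as an added example that is not part of the original post: it decides from the declared Content-Length alone and closes the connection without reading the body. It uses Python's built-in http.server in place of the poster's CGI setup; MAX_UPLOAD, decide, UploadHandler and start_server are names assumed for illustration.

```python
import http.server
import threading

MAX_UPLOAD = 5 * 1024 * 1024  # assumed limit for this example: 5 MiB

def decide(content_length, limit=MAX_UPLOAD):
    """Return the HTTP status to send, based on the declared body size alone."""
    if content_length is None:
        return 411  # no declared length: refuse rather than read unbounded
    if not (content_length.isascii() and content_length.isdigit()):
        return 400  # malformed or negative value
    if int(content_length) > limit:
        return 413  # too large: reject before reading any body bytes
    return 200

class UploadHandler(http.server.BaseHTTPRequestHandler):
    def do_POST(self):
        declared = self.headers.get("Content-Length")
        status = decide(declared)
        if status != 200:
            # Answer and drop the connection without touching self.rfile,
            # so the server never pulls the rest of the upload off the wire.
            self.close_connection = True
            self.send_error(status)
            return
        # Read exactly the declared number of bytes, never more.
        remaining = int(declared)
        received = 0
        while remaining:
            chunk = self.rfile.read(min(65536, remaining))
            if not chunk:
                break  # client sent less than it declared
            received += len(chunk)
            remaining -= len(chunk)
        body = b"received %d bytes\n" % received
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the example quiet

def start_server(port=0):
    """Serve UploadHandler on localhost in a background thread; return the server."""
    server = http.server.HTTPServer(("127.0.0.1", port), UploadHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

In a CGI script the declared size arrives in the CONTENT_LENGTH environment variable, so the same decision can be made before reading stdin. Web servers also expose this cap as configuration (Apache's LimitRequestBody, nginx's client_max_body_size), which rejects the request before any script runs.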