问题
My website would like users to upload their photos...but how do I keep our server safe from harm? Allowing only JPGs should avoid virus trouble, but what if someone selects a 10Gb file - will that slow the whole website down?
We're using Classic ASP and IIS6 (sorry, but that's how it is, can't change that!). Previously we have used a DLL from a company called Persits to handle uploads. However, it would be helpful to other people if we extend this discussion to other languages/technologies too.
ASPs cannot detect the size of a file until it has finished uploading, so thats a pain. Or can I check content-length in the HTTP header before I start the transfer?
Q1. Are there any other ways someone could abuse the upload facility?
Q2. How can I limit the danger to keep the site running and the server safe?
Thank you.
回答1:
In Persists, you can set the maximum filesize a user can upload:
Upload.SetMaxSize 100000, True
The "True" above shows that the file is to be rejected if over the Max size. If set to False then the file will be trucated.
See http://www.aspupload.com/object_upload.html#SetMaxSize
回答2:
If you were using ASP.Net you can specify a maximum size of file in web.config (or machine.config), and ASP.Net will throw an error after the size is exceeded in the upload. That is to say, if you specify a limit of 4Mb, and someome tries to upload a 100Mb, .Net will complain as soon as it has uploaded more than 4Mb.
The property in question is maxRequestLength, which accorsing to MSDN "Specifies the limit for the input stream buffering threshold, in KB. This limit can be used to prevent denial of service attacks that are caused, for example, by users posting large files to the server."
For example.
<configuration>
<system.web>
<httpRuntime maxRequestLength="4000" ....
I am not sure if there is an equivalent in classic ASP though.
回答3:
There is a great component that uses Flash to upload files. Check it out
http://www.codeproject.com/KB/aspnet/FlashUpload.aspx
回答4:
This appears to enforce file upload size: http://www.aspupload.com/
I am not sure how it handles it.
回答5:
I've just found an article on how to limit size using a setting called 'AspMaxRequestEntityAllowed' in IIS: http://www.banmanpro.com/support2/File_Upload_limits.asp
However, it doesn't work - my server already has that setting at 200k and yet we are currently uploading 1Mb files ok!
回答6:
You can reject the oversized requests at the IIS level before they even get to your application by using Microsoft's UrlScan tool: http://technet.microsoft.com/en-us/security/cc242650.aspx
For IIS 6, it looks like you may not even need that. You should be able to set the MaxRequestEntityAllowed and ASPMaxRequestEntityAllowed metabase properties to your desired maximum value and the requests will be cut off at that point.
来源:https://stackoverflow.com/questions/786507/uploading-photos-how-can-i-keep-our-website-safe-stable