tags:

views:

436

answers:

2
+1  Q: 

How to limit upload file size in Wicket

How to limit file size in uploads in Apache Wicket version 1.4?

I am using FileUploadField to handle upload with normal form submit without any Ajax stuff. Is it enough to use Form.setMaxSize() to limit the size of uploaded file?

If too large file is uploaded, the browser will upload the whole file and Wicket will create validation error message with key [form-id].uploadTooLarge.

But how Wicket internally handles this situation, creating temporary files etc?

I'd like to prevent a case where user uploads file of several GBs that doesn't fit to memory or disk while Wicket handles the request.

+2  A: 

The documentation on Form says:

In case of an upload error two resource keys are available to specify error messages: uploadTooLarge and uploadFailed ie in [page].properties [form-id].uploadTooLarge=You have uploaded a file that is over the allowed limit of 2Mb

My guess is those get fired in form submit validation.. Have you tried to see if this is the case?

Tim  2009-11-30 16:19:49
+2  A: 

I did some digging in the wicket svn and found that the file is actually written to disk by FileUploadBase.parseRequest(RequestContext ctx). This class checks the file size before writing any of it to disk.

The file size check ultimately uses javax.servlet.ServletRequest.getContentLength() to determine the size of the file, which means the actual implementation varies based on what servlet container you use; but, I'd say it's safe to assume that anyone who has written a servlet implementation knew enough to get the file size from the header instead of writing the whole thing to disk and then checking its size. So, you do not have to worry about folks trying to upload huge files using up all your disk space.

perilandmishap  2009-12-04 00:16:36
Suppose someone forges the Content-Length header to be a small value and uploads much larger file in same request?
Juha Syrjälä  2009-12-04 07:45:53
I don't see anything in the code to prevent this, but that is hardly authoritative. Also, it looks like the implementation has changed some between 1.3.5 and 1.4. I suppose the thing to do is write a proof of concept for the exploit you have in mind and see if it works. You might also hit up the user mailing list ( http://wicket.apache.org/community.html#Community-Mailinglists )- the developers monitor it, and in my experience are very responsive.
perilandmishap  2009-12-07 20:13:22

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.