views: 436

answers: 2

How to limit file size in uploads in Apache Wicket version 1.4?

I am using FileUploadField to handle the upload with a normal form submit, without any Ajax stuff. Is it enough to use Form.setMaxSize() to limit the size of the uploaded file?

If a file that is too large is uploaded, the browser will upload the whole file and Wicket will create a validation error message with the key [form-id].uploadTooLarge.

But how does Wicket internally handle this situation, creating temporary files etc.?

I'd like to prevent a case where a user uploads a file of several GBs that doesn't fit in memory or on disk while Wicket handles the request.

+2  A: 

The documentation on Form says:

In case of an upload error two resource keys are available to specify error messages: uploadTooLarge and uploadFailed, i.e. in [page].properties: [form-id].uploadTooLarge=You have uploaded a file that is over the allowed limit of 2Mb

My guess is those get fired in form submit validation. Have you tried to see if this is the case?

Tim
+2  A: 

I did some digging in the wicket svn and found that the file is actually written to disk by FileUploadBase.parseRequest(RequestContext ctx). This class checks the file size before writing any of it to disk.

The file size check ultimately uses javax.servlet.ServletRequest.getContentLength() to determine the size of the file, which means the actual implementation varies based on what servlet container you use; but, I'd say it's safe to assume that anyone who has written a servlet implementation knew enough to get the file size from the header instead of writing the whole thing to disk and then checking its size. So, you do not have to worry about folks trying to upload huge files using up all your disk space.

perilandmishap
Suppose someone forges the Content-Length header to be a small value and uploads a much larger file in the same request?
Juha Syrjälä
I don't see anything in the code to prevent this, but that is hardly authoritative. Also, it looks like the implementation has changed some between 1.3.5 and 1.4. I suppose the thing to do is write a proof of concept for the exploit you have in mind and see if it works. You might also hit up the user mailing list (http://wicket.apache.org/community.html#Community-Mailinglists) - the developers monitor it, and in my experience are very responsive.
perilandmishap
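The comment thread above raises the case that a size check based only on Content-Length does not cover: a client that declares a small Content-Length (or none at all) and then streams a much larger body. The defensive answer is to cap the number of bytes actually read from the request, independently of what the header claims. The following servlet Filter is an added example written for this thread; it is not Wicket's own code and not code from either answer. It assumes a Servlet 2.5-style ServletInputStream (only read() is abstract, which matches the containers Wicket 1.4 targets; on Servlet 3.1+ the isFinished/isReady/setReadListener methods must also be delegated), and the 2 MB limit and the class and exception names are hypothetical choices for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/** Caps the request body size regardless of the declared Content-Length (hypothetical example filter). */
public class UploadSizeLimitFilter implements Filter {
    private static final long MAX_BYTES = 2L * 1024 * 1024; // hypothetical 2 MB cap

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse resp = (HttpServletResponse) res;

        // Fast path: a declared Content-Length is trusted only to reject early, never to accept.
        String declared = http.getHeader("Content-Length");
        if (declared != null) {
            try {
                if (Long.parseLong(declared.trim()) > MAX_BYTES) {
                    resp.sendError(413); // Request Entity Too Large
                    return;
                }
            } catch (NumberFormatException e) {
                resp.sendError(400); // malformed header
                return;
            }
        }

        // Slow path: count the bytes the application actually reads, so a forged or
        // missing Content-Length cannot get more than MAX_BYTES onto disk or into memory.
        HttpServletRequest capped = new HttpServletRequestWrapper(http) {
            @Override
            public ServletInputStream getInputStream() throws IOException {
                return new CappedInputStream(super.getInputStream(), MAX_BYTES);
            }
        };
        try {
            chain.doFilter(capped, res);
        } catch (UploadTooLargeException e) {
            // Reached only if the upstream code let the exception propagate; Wicket's own
            // upload parsing may catch the IOException first and report uploadFailed instead.
            if (!resp.isCommitted()) {
                resp.sendError(413);
            }
        }
    }

    /** Thrown as soon as the body exceeds the cap; extends IOException so stream callers need no new catch. */
    static final class UploadTooLargeException extends IOException {
        UploadTooLargeException(long limit) {
            super("request body exceeds " + limit + " bytes");
        }
    }

    /** Delegating ServletInputStream that throws once more than {@code limit} bytes have been read. */
    static final class CappedInputStream extends ServletInputStream {
        private final ServletInputStream in;
        private final long limit;
        private long count;

        CappedInputStream(ServletInputStream in, long limit) {
            this.in = in;
            this.limit = limit;
        }

        @Override
        public int read() throws IOException {
            int b = in.read();
            if (b != -1 && ++count > limit) {
                throw new UploadTooLargeException(limit);
            }
            return b;
        }

        @Override
        public int read(byte[] buf, int off, int len) throws IOException {
            // Read at most one byte past the limit so the overshoot is detected without
            // buffering a whole extra chunk from an oversized body.
            long allowed = Math.min(len, limit - count + 1);
            int n = in.read(buf, off, (int) allowed);
            if (n > 0) {
                count += n;
                if (count > limit) {
                    throw new UploadTooLargeException(limit);
                }
            }
            return n;
        }

        @Override
        public void close() throws IOException {
            in.close();
        }
    }
}
```

The filter has to be mapped in web.xml ahead of Wicket's own filter so that the multipart parser described in the second answer reads through the capped stream. Keeping Form.setMaxSize() on the Wicket side is still worthwhile: it gives the user the uploadTooLarge message in the normal case, while this filter bounds resource use when the header cannot be trusted.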