tags:

views:

166

answers:

2
+6  Q: 

How can I limit the size of HTTP POST requests in mod_perl?

Hi,

I'm working on a page which accepts file uploads. In theory, I can detect when the file they're sending me is too big (by looking at the Content-Length of their response), and refuse to accept the upload, returning an HTTP 413 "Request Entity Too Large" error.

However, it seems that simply doing that is not enough -- Firefox, at least, will still keep sending the rest of the file (which could take a Long Time), before it shows my error page.

The HTTP spec says that I: "MAY close the connection to prevent the client from continuing the request." However, doing either a 'close STDIN', 'shutdown STDIN, 0', or some variant of that does not seem to do the trick -- Firefox still keeps sending the file.

I suspect that, when my mod_perl handler closes the connection, it's just closing the connection between itself and Apache; Apache keeps the connection between it and the client alive. Is there some way to tell Apache to shut down the connection? Otherwise, this seems like a great DoS vector.

Any suggestions would be welcome.

+5  A: 

Have you explored Apache's limitation capabilities (as opposed to Perl's)? I don't know in details how the LimitRequestBody directive deals with requests that too large, but at least in theory it looks like a setting designed to block off attacks.

Pekka  2009-12-11 20:21:14
+1  A: 

Yes, it doesn't matter what Perl does with STDIN or STDOUT, Apache will still allow the upload to proceed before it even checks what happens with your CGI. You can close STDIN or STDOUT or even exit() (although you can't do that since your process is persistent), but none of that will have any effect until after Apache is done accepting the POST request in its entirety. Likewise with any kind of status headers you might generate, such as a 413 for "Request too large".

Hence, you need to have Apache refuse POST requests beyond a certain size for this to work, for example using LimitRequestBody as suggested by Pekka.

Adam Bellaire  2009-12-11 21:12:07
mod_cgi and mod_perl are different modules.
Alexandr Ciornii  2009-12-12 11:54:58
@Alexandr: Yes... ? I'm sorry, I don't follow.
Adam Bellaire  2009-12-12 12:35:40

related questions

How do I add a MIME type to .htaccess?
Difference between the Apache HTTP Server and Apache Tomcat?
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Cleanest & Fastest server setup for Django
Installing Apache Web Server on 64 Bit Mac
Running Apache alongside another web server?
Algorithm behind MD5Crypt
Can you compile Apache HTTP Server and redeploy its binaries to a different location ?
mod_rewrite rule to redirect all requests except for one specific path
How do I create a self signed SSL certificate to use while testing a web app.
Software for Webserver Log Analysis?
What is the difference between an endpoint, a service, and a port when working with webservices?
What are the proper permissions for an upload folder with PHP/Apache?
mod_rewrite to alias one file suffix type to another
How do you redirect HTTPS to HTTP?
Using mod_rewrite to Mimic SSL Virtual Hosts?
User authentication on Resin webserver
How do you set up Python scripts to work in Apache 2.0?
Block user access to internals of a site using HTTP_REFERER
.htaccess directives to *not* redirect certain URLs
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP