Preventing upload of large files in ASP.NET 4.0

Question

We'd like to restrict the maximum upload file size in our web site. We've already set the appropriate limits in our web.config. The problem we're encountering is if a really large file (1 GB, for example) is uploaded, the entire file is uploaded before a server-side error is generated, and the type of the error is different whether the file is huge or not.

Is there a way to detect the size of a pending file upload before the actual upload takes place?

Here's my relevant web.config settings that restrict requests to 16 MB:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <httpRuntime maxRequestLength="12288"/>
    </system.web>

    <system.webServer>
        <security>
            <requestFiltering>
                <requestLimits maxAllowedContentLength="12582912"/>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

I've tried creating an HTTP module so I could intercept a request early in the request lifecycle, but the uploads seem to take place even before the BeginRequest event of HttpApplication:

public class UploadModule : IHttpModule
{
    private const int MaxUploadSize = 12582912;

    public void Init(HttpApplication context)
    {
        context.BeginRequest += handleBeginRequest;
    }

    public void Dispose()
    {
    }

    private void handleBeginRequest(object sender, EventArgs e)
    {
        // The upload takes place before this method gets called.

        var app = sender as HttpApplication;

        if (app.Request.Files.OfType<HttpPostedFile>()
            .Any(f => f.ContentLength > MaxUploadSize))
        {
            app.Response.StatusCode = 413;
            app.Response.StatusDescription = "Request Entity Too Large";
            app.Response.End();
            app.CompleteRequest();
        }
    }
}

Update:

I know that client-side technologies like Flash can detect file sizes before upload, but we need a server-side workaround because we're wanting to target platforms that have no Flash/Java/ActiveX/Silverlight support. I believe that IIS or ASP.NET has a bug that's allowing large files to be uploaded despite the limits, so I've filed a bug here.

Would an ISAPI extension give me more control over request processing than HTTP modules and handlers, such as allowing me to abort an upload if the Content-Length header is seen to be larger than the allowed limit?

Answer 1

Is there a way to detect the size of a pending file upload before the actual upload takes place?

No. That would require access to the file size on the client. Allowing a web server direct access to files on the client would be a bit dangerous.

Your best bet is to place a line of text stating the maximum allowed file size.

OR you could create some sort of ActiveX control, hava applet, etc so that you're not dependent on browser restrictions. Then you have to convince your users to install it. Probably not the best solution.

Answer 2

The problem is that the upload happens all at once using the HTTP Post request so you can only detect it after it's done.

If you want more control over this you should try Flash based upload widgets which have this and more. Check out this link http://www.ajaxline.com/10-most-interesting-upload-widgets