durusmail: quixote-users: upper size limit on POST data?
upper size limit on POST data?
Jason Sibre
2004-05-18
Quoting Charles Brandt:

> Is there a way to limit the maximum size of data submitted in a POST in
> Quixote?  Maybe the right answer is to just use Apache's LimitRequestBody
> configuration?

I assume you're concerned about some kind of DoS, or the like... My answer
reflects that assumption.  Maybe someone else can shed some more light on this,
but...

...the short answer is no.

The longer answer is:
From Quixote?  No.  At least, not before it's too late.  Even if there is a
config directive to that effect (and I don't remember there being one), by the
time Qx gets the data, the 'request' portion of the request is complete from
the client's perspective.  I.e., all the data has already been sent (and
received by the server) - it's already completely in your server's RAM.  It
hasn't been written to disk yet, (Qx will do that), but odds are, your RAM is
more precious than disk space.

Worried about one request keeping your single process SCGI app busy while your
[possibly] slow network connection digests a 75MB POST?  Don't be.   Unless the
connection between the web server and the SCGI server is slow also.  Then maybe
you should, but I don't know for sure (I don't use SCGI, and only have a rough
understanding of how it works).  Apache won't fire the SCGI request until it
has received the whole request from the client.  FastCGI.  Same deal, don't
worry about it.  Not a problem.  CGI is also not a problem, but that's probably
obvious, because then it's no longer a single process.

Worried about one request hogging your bandwidth for a while?  That could be a
problem, but again, from the Qx side, there's nothing you can do about it.
From the Apache side, there might be: I don't know if LimitRequestBody will
work before the request is completed... If it does, it would be because it's
looking at the client's specified content-length, which means broken / stupid /
old / malicious clients may not provide it...  i.e., no protection from
DoS.

If you're using mod_python, there *may* be something you could do, since
mod_python lets you install handlers for all portions of the request, but it
wouldn't be part of Quixote or your apache config at this point, it'd be some
custom handling code...  Probably not too difficult to do, if it's possible.
Just sniff the content-length header and if you don't like what you smell, tell
Apache to dump it.  I don't know if that's possible though.  I've only skimmed
those docs, and it's been a while.

Or is there some other reason you want to do this?

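Added example (not part of the original message, and not Quixote or mod_python code): one way to apply the Content-Length check discussed above and also cap the bytes actually read, so a request that omits the header is still cut off at the limit. The names check_declared_length, read_capped and BodyTooLarge, the 1 MiB limit, and the plain dict of headers are assumptions made for illustration.

```python
MAX_BODY = 1024 * 1024  # assumed limit (1 MiB); choose one that fits your forms


class BodyTooLarge(Exception):
    """Raised when a request body exceeds the configured limit."""


def check_declared_length(headers, limit=MAX_BODY):
    """Reject on the declared Content-Length before any body is read.

    Returns the declared length, or None when the header is absent, in
    which case only the read cap in read_capped() protects the server.
    `headers` is assumed to be a dict keyed by canonical header name.
    """
    raw = headers.get("Content-Length")
    if raw is None:
        return None
    raw = raw.strip()
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("malformed Content-Length: %r" % raw)
    if int(raw) > limit:
        raise BodyTooLarge("declared %s bytes, limit %d" % (raw, limit))
    return int(raw)


def read_capped(stream, declared=None, limit=MAX_BODY, chunk=64 * 1024):
    """Read the body in chunks, buffering at most `limit` bytes.

    Stops at `declared` bytes when known; otherwise reads to EOF and
    raises as soon as the running total passes `limit`.
    """
    want = limit + 1 if declared is None else declared
    parts, total = [], 0
    while total < want:
        data = stream.read(min(chunk, want - total))
        if not data:
            break
        total += len(data)
        if total > limit:
            raise BodyTooLarge("read more than %d bytes" % limit)
        parts.append(data)
    return b"".join(parts)


if __name__ == "__main__":
    import io
    body = io.BytesIO(b"x" * 2048)  # constructed sample: no Content-Length sent
    try:
        read_capped(body, check_declared_length({}), limit=1024)
    except BodyTooLarge as exc:
        print("rejected:", exc)
```

The header check only helps when the client declares a length; the read cap is what bounds memory when it does not.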