You can use Apache's LimitRequestBody directive to restrict the size of accepted uploads.
http://groups.google.com/group/django-users/browse_thread/thread/ca95963aaa33ce1e On 8/5/06, Todd O'Bryan <[EMAIL PROTECTED]> wrote: > The way Django ships, isn't it possible for a user to hijack the > server by uploading HUUUGE files? Because the files are stored in > memory, this seems like it could be a very bad thing. > > There's a ticket, #2070, with a patch that buffers files in small > chunks, so that no more than about 64k is ever in memory at the same > time. But, if I'm reading the code correctly, it still uploads the > whole file before the programmer has a chance to determine how big it > is and whether or not to accept it. Get a bunch of people, all > uploading 1GB nonsense, and I think you could find your hard drive > very quickly full of stuff you didn't really want to be there in the > first place. > > Would it be better to expose the file-like object that comes with a > file upload, rather than reading the file's whole content into memory > (or into the server's file system, if the patch gets checked in)? > It's easy to retain backward compatibility by just having a call to > FILES['file_upload']['content'] simply call FILES['file_upload'] > ['file_like_object'].read(), but a developer could, instead, decide > how large a file they're willing to allow someone to upload, upload > that many bytes, and then raise an exception if the file is bigger, > rather than waiting until the whole file is uploaded. > > I must admit that the thing that got me started thinking about this > was the ability to store binary data in the database rather than on > the filesystem, but I'll start a separate thread to talk about what > I'm thinking about there. > > Todd --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-developers -~----------~----~----~----~------~----~------~--~---
