Has these changed in more recent versions of Jersey/DropWizard? Surely
there must be a way to analyze an incoming inputstream for byteSize and
cutting it off at a specified threshold. Trusting the Content-Length header
isn't advised as it can be manipulated.. but I can't just have people
uncontrollably uploading 30GB files for fun either...
On Monday, August 12, 2013 at 8:55:19 AM UTC-2:30, Jonathan Abourbih wrote:
>
> I've created a resource for uploading files to a content repository using
> jersey-multipart, like so:
>
> @POST
> @Consumes(MediaType.MULTIPART_FORM_DATA)
> @Produces(MediaType.APPLICATION_JSON)
> public Response uploadContent(@FormDataParam("description") final
> String description,
> @FormDataParam("file") final
> FormDataBodyPart content,
> @FormDataParam("file") final
> FormDataContentDisposition contentDisposition)
> throws IOException {
> File file = content.getValueAs(File.class);
>
> // ...
> }
>
> Is there a way to limit the file upload size, so that a malicious user
> can't upload massive files and overwhelm the server? I've tried
> setting -Dorg.eclipse.jetty.server.Request.maxFormContentSize, but this
> seems to apply only to "normal" forms. On servlets it appears that the
> recommended way is to use a @MultipartConfig
> <http://docs.oracle.com/javaee/6/api/javax/servlet/annotation/MultipartConfig.html>
>
> annotation, but this isn't an option in JAX-RS.
>
> Using the contentDisposition.contentSize() is not acceptable either,
> because it is not required to be sent by the client.
>
> Any thoughts?
>
>
>
--
You received this message because you are subscribed to the Google Groups
"dropwizard-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
