Ron Garret schrieb:
On Jan 18, 12:40 pm, "Diez B. Roggisch" <de...@nospam.web.de> wrote:
Ron Garret schrieb:
On Jan 18, 11:29 am, "Diez B. Roggisch" <de...@nospam.web.de> wrote:
Ron Garret schrieb:
I'm writing a WSGI application and I would like to check the content-
length header before reading the content to make sure that the content
is not too big in order to prevent denial-of-service attacks. So I do
something like this:
def application(environ, start_response):
status = "200 OK"
headers = [('Content-Type', 'text/html'), ]
start_response(status, headers)
if int(environ['CONTENT_LENGTH'])>1000: return 'File too big'
But this doesn't seem to work. If I upload a huge file it still waits
until the entire file has been uploaded before complaining that it's
too big.
Is it possible to read the HTTP headers in WSGI before the request
body has been read?
AFAIK that is nothing that WSGI defines - it's an implementation-detail
of your server. Which one do you use?
Apache at the moment, with lighttpd as a contender to replace it.
Together with mod_wsgi?
Diez
Yes. (Is there any other way to run WSGI apps under Apache?)
Well, not so easy, but of course you can work with mod_python or even
CGI/fastcgi to eventually invoke a WSGI-application.
However, the original question - that's a tough one.
According to this, it seems one can use an apache-directive to prevent
mod_wsgi to even pass a request to the application if it exceeds a
certain size.
http://code.google.com/p/modwsgi/wiki/ConfigurationGuidelines
Search for "Limiting Request Content"
However, I'm not sure how early that happens. I can only suggest you try
& contact Graham Dumpleton directly, he is very responsive.
Diez
--
http://mail.python.org/mailman/listinfo/python-list
