Preventing upload of large files in ASP.NET 4.0

We'd like to restrict the maximum upload file size in our web site. We've already set the appropriate limits in our web.config. The problem we're encountering is if a really large file (1 GB, for example) is uploaded, the entire file is uploaded before a server-side error is generated, and the type of the error is different whether the file is huge or not.

Is there a way to detect the size of a pending file upload before the actual upload takes place?

Here's my relevant web.config settings that restrict requests to 16 MB:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <httpRuntime maxRequestLength="12288"/>
    </system.web>

    <system.webServer>
        <security>
            <requestFiltering>
                <requestLimits maxAllowedContentLength="12582912"/>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

I've tried creating an HTTP module so I could intercept a request early in the request lifecycle, but the uploads seem to take place even before the BeginRequest event of HttpApplication:

public class UploadModule : IHttpModule
{
    private const int MaxUploadSize = 12582912;

    public void Init(HttpApplication context)
    {
        context.BeginRequest += handleBeginRequest;
    }

    public void Dispose()
    {
    }

    private void handleBeginRequest(object sender, EventArgs e)
    {
        // The upload takes place before this method gets called.

        var app = sender as HttpApplication;

        if (app.Request.Files.OfType<HttpPostedFile>()
            .Any(f => f.ContentLength > MaxUploadSize))
        {
            app.Response.StatusCode = 413;
            app.Response.StatusDescription = "Request Entity Too Large";
            app.Response.End();
            app.CompleteRequest();
        }
    }
}

Update:

I know that client-side technologies like Flash can detect file sizes before upload, but we need a server-side workaround because we're wanting to target platforms that have no Flash/Java/ActiveX/Silverlight support. I believe that IIS or ASP.NET has a bug that's allowing large files to be uploaded despite the limits, so I've filed a bug here.

Would an ISAPI extension give me more control over request processing than HTTP modules and handlers, such as allowing me to abort an upload if the Content-Length header is seen to be larger than the allowed limit?

Update 2:

Sigh. Microsoft has closed the bug I filed as a duplicate but has provided no additional information. Hopefully they didn't just drop the ball on this.

Update 3:

Hooray! According to Microsoft:

This bug is being resolv开发者_Python百科ed as it has been ported over to the IIS product team. The IIS team has since fixed the bug, which will be included in future release of Windows.

The problem is that the upload happens all at once using the HTTP Post request so you can only detect it after it's done.

If you want more control over this you should try Flash based upload widgets which have this and more. Check out this link http://www.ajaxline.com/10-most-interesting-upload-widgets

Microsoft has responded on their Microsoft Connect site with the following:

This bug is being resolved as it has been ported over to the IIS product team. The IIS team has since fixed the bug, which will be included in future release of Windows.

If you are requesting a fix for the current OS, a QFE request must be opened. Please let me know if this is the route that you want to take. Please note that opening a QFE request does not necessarily mean that it would be approved.

So I guess we have to wait for the next version of IIS for the fix (unless a QFE request is fulfilled, whatever that is).

Is there a way to detect the size of a pending file upload before the actual upload takes place?

No. That would require access to the file size on the client. Allowing a web server direct access to files on the client would be a bit dangerous.

Your best bet is to place a line of text stating the maximum allowed file size.

OR you could create some sort of ActiveX control, java applet, etc so that you're not dependent on browser restrictions. Then you have to convince your users to install it. Probably not the best solution.

Well.... Depends how low-level you want to get.

Create a service app that acts as a proxy for IIS. (All incoming port 80 socket requests go to the service.) Have the service pass everything it receives to IIS (website listening on a different port or IP), but monitor the total request size as its received. When the size from a give connection exceeds you're desired limit, close connection. Return a redirect to an error page if you want to be polite.

Silly, but it'll let you monitor data in transit without waiting for IIS to hand over the request.