How To Limit File Upload Sizes

There was some discussion a while back on a possible vulnerability in CFMX. I was worried that a denial of service attack would be possible by uploading a single very large file. My fear was that the ColdFusion server was buffering files in RAM before writing them out to the file system, however I was relieved when two people from the ColdFusion team confirmed that the files were written directly to disk and not buffered in RAM. In other words, the input stream from the request is written directly to a file output stream (without being buffered more than just a few K), which means you cannot cause the JVM to run out of memory by uploading a file. Very good implementation.

The next question, however, was whether or not it was possible to create a DOS attack by making the server run out of disk space. Could someone upload enough gigabytes of data to fill an entire partition? Shouldn’t there be a way to guard against this type of issue?

Fortunately, there is. On the advice of Laurent Rouquette, I confirmed this morning that you can use the variable cgi.CONTENT_LENGTH to decide if you want to allow a file to be uploaded or not. The code below only allows files less than 25,000 bytes to be saved:

<cfif cgi.CONTENT_LENGTH lt 25000>
<cffile action="upload"
nameConflict="overwrite" />

Note that the file will still be uploaded and saved in a temporary location, but if the cffile tag does not get executed, the temp file will simply be deleted after the upload is complete.

I recommend that anyone who has an application that allows files to be uploaded use this technique as an extra level of security. Remember, though, that the content length of the request contains all the information in the request, so allow a little extra space for other data, as well.

5 Responses to How To Limit File Upload Sizes

  1. Paul says:

    I am running MX 6.1 and doing the simplest cffile usage. It fails coldfusion takes up all the memory. There is a command from java to open a stream or something anybody have any suggestions.The file was 200mb on test server with 256ram and 30 gig free.

  2. Paul says:

    I found this code … could anybody add in the relevant output to a new file…fileAsString = “”;fileReader = createObject(“java”, “”);fileReader.init(form.upFile);bufferedReader = createObject(“java”, “”);bufferedReader.init(fileReader);try {do {fileAsString = bufferedReader.readLine();//write to new file code//} while (true);} catch (coldfusion.runtime.UndefinedVariableException e) {// this indicates end of file, ok to ignore error}

  3. Christopher says:

    I have the same problem as Paul. ColdFusion MX (or JRUN anyway) DOES hold the whole request in memory. It also writes it to disk for better or worse. Does anyone know of a work around so you can upload files up to 2GB?

  4. Greg says:

    I’m encountering the same issues. Watching the memory on the jrun process as I upload a 200MB file, it goes from 10M at rest up to 200+ MB and back down several times during the upload process. Also have to worry about session timeouts as CF isn’t keeping the session alive during the request.

  5. Gary says:

    I’m having the same problem in CF5. I’ve got a cf page containing a form with multiple file uploads, which causes the CF server to crash when I try to upload large files. As a workaround, I’ve written a java servlet to handle the file upload. It runs in tomcat and saves the files to a temporary directory before sending a request to another cf page to do some renaming and database logging etc. I’m sending parameters and session info through the servlet to the second page by means of hidden fields in the first form.Anybody got a better way to do this?