ColdFusion Muse

Limiting the Size of a POST Request

CF Muse Reader Asks:
With CF 7 is there a way to control the max file size on a upload? to prevent someone uploading a massive file?

Oh how I love easy questions. Yes Virginia you can do this but only "globally" through the CF Admin. Log into the CF Administrator and click on the "settings" link. There are 3 new settings that apply here. Here's the scoop from the release notes.

  • Maximum size of post data (MB) - Limits the amount of data that can be posted to the server in a single request. Coldfusion rejects single requests larger than the specified limit. The default value is 100 MB.

  • Request throttle threshold (MB) - Requests smaller than the specified limit are neither queued nor counted as part of the total memory. Requests larger than the specified limit are counted as part of total memory and are queued if the request throttle memory size has been exceeded. The default value is 4 MB.

  • Request throttle memory (MB) - Limits total memory size for the throttle. If there is not enough total memory available, Coldfusion queues requests until enough memory is free. The default value is 200 MB.
The "maximum size of post data" is the one that you need to worry about. It limits the amount of data that can be posted to Coldfusion. Keep in mind that if you expect a lot of this sort of activity the throttle memory will come into play. It's the total heap amount allocated to handle the throttle.

Erki Esken's Gravatar If you're using CF with Apache, then you can also use Apache's LimitRequestBody directive. You can set it per-server, per-directory, per-file or per-location. It's actually better to use Apache limits since you can catch too big uploads before they even reach CF.
# Posted By Erki Esken | 5/24/06 1:04 PM
mkruger's Gravatar Excellent - thanks for the tip Eriki.
# Posted By mkruger | 5/24/06 1:10 PM
Bryan Ashcraft's Gravatar You can also do it programatically. Code courtesy of Massimo.
<cfif cgi.content_length EQ "">
WriteOutPut("Your browser reported a badly-formed HTTP header. This could be caused by an error, a bug in your browser or the settings on your proxy/firewall");
<cfset tmtMaxSizeKB="10240">
<cfset tmtMaxSize="#Evaluate(tmtMaxSizeKB*1024)#">
<!--- Check for file size as reported by the HTTP header--->
<cfif Val(cgi.content_length) GT tmtMaxSize>
WriteOutPut("The selected file's size is greater than " & #tmtMaxSizeKB# & " kilobytes which is the maximum size allowed, please select another one and try again.");
<cffile action="upload" filefield="sessionSupportMaterial" destination="#ExpandPath("../../pdfs/sessions")#" nameconflict="MakeUnique" accept="application/msword,application/pdf,text/plain">
<!--- Catch file upload errors --->
<cfcatch type="Any">
WriteOutPut("An error occurred during the file upload process.<br><br>");
WriteOutPut("This is likely due to one of the reasons below:<br><br>");
WriteOutPut("1) The MIME type of the uploaded file was not accepted by the server. Please verify that you are uploading a file of the appropriate type.<br>");
WriteOutPut("2) A file with the same name already exist on the server.<br>");
WriteOutPut("3) The application doesn't have the correct permissions on the server.<br><br>");
WriteOutPut("If the problem persist, please contact the website's administrator.");
<cfif isDefined("file.FileWasSaved")>
<!--- To be sure, check the file size again, just in case the HTTP header was faked --->
<cfif file.FileSize GT tmtMaxSize>
<cfset tmtServerFilePath=file.ServerDirectory&"\"&file.ServerFile>
<cfif FileExists(tmtServerFilePath)>
<!--- Delete the beast --->
<cffile action="delete" file="#tmtServerFilePath#">
WriteOutPut("The uploaded file's size is greater than " & #tmtMaxSizeKB# & " kilobytes which is the maximum size allowed, please select another one and try again.");
# Posted By Bryan Ashcraft | 5/24/06 1:53 PM
mkruger's Gravatar Hmmm... interesting, but does this check happen before the request is complete? I suspect that the request is uploaded before the error is thrown. I don't think that CF is processing the request before the content of the request is "known" (i.e. just based on the header). This code actually works "after the fact". The trick I'm looking for is to kill the request as soon as the header content-length is known and passes some threshold.
# Posted By mkruger | 5/24/06 2:02 PM
Steven Erat's Gravatar See this entry for improvements in memory utilization during file uploads in CF 8:
# Posted By Steven Erat | 9/12/07 4:47 PM
dorin's Gravatar Hi i want to reccomend you very useful rapidshare search You can find there a lot of new movies, games and music. Enjoy it!
# Posted By dorin | 1/28/08 9:56 AM
chris hough's Gravatar thank you for posting this, on the avg box how would you recommend setting them?

I have been having timeout issues with uploads which is ok, so I cranked them down to: 5,2,100.
# Posted By chris hough | 3/1/12 5:08 PM
Mark Kruger's Gravatar @chris,

boy.. it would be very difficult to answer this question without looking at what you think an "average box" is... and also what level of traffic is on the box. It's not just about the box but also about how much of the box' capacity is being utilized at any given time. In particular how much over all memory you allocate to post requests will be important in relation to the over all heap.
# Posted By Mark Kruger | 3/1/12 5:40 PM
chris hough's Gravatar @Mark

hmmm...any thoughts on what recommended average settings could be? I wonder if mine are way too low. what is included in those figures when its computed?
# Posted By chris hough | 3/1/12 6:09 PM

Blog provided and hosted by CF Webtools. Blog Sofware by Ray Camden.