Upload File Size Limit in Go 1.9

[Andrew]

Go 1.9 has "The new FileHeader.Size field describes the size of a file in a multipart message."

Suppose I upload multiple files using <input type="file" name="images" multiple>

Can I use FileHeader.Size to limit each uploaded file size? Or there's other ways?

Thanks,

Andrew

[Lutz Horn]

Am 29.08.2017 um 21:40 schrieb Andrew:
> Go 1.9 has "The new |FileHeader.Size|

> <https://golang.org/pkg/mime/multipart/#FileHeader.Size> field describes

> the size of a file in a multipart message."
>
> Suppose I upload multiple files using <input type="file" name="images"

> *multiple*>
>
> Can I use FileHeader.Size to limit *each* uploaded file size? Or there's
> other ways?

As far as I understand this field, it does not limit anything. It is a
RO property of the multipart.FileHeader. If your request has multiple
parts, there will be a multipart.FileHeader for each. You don't set
them, you read them.

What is it you are trying to do?

Lutz

[Steven Hartland]

Limiting is done by the form parse:
https://golang.org/pkg/net/http/#Request.ParseMultipartForm

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Lutz Horn]

> Limiting is done by the form parse:
> https://golang.org/pkg/net/http/#Request.ParseMultipartForm

No, this is not limiting:

> The whole request body is parsed and up to a total of maxMemory bytes
> of its file parts are stored in memory, with the remainder stored on
> disk in temporary files. ParseMultipartForm calls ParseForm if
> necessary.

This is just offloading to disk. The whole request including all
complete body parts is still parsed and available.

Unless the OP tells us what kind of limiting he has in mind, it is hard
to give advice.

Lutz

[Steven Hartland]

Sorry I was unclear, you are right, my intention was to identify where standard form size limiting is done for multipart/form-data POST requests.

There is also a limit placed on "application/x-www-form-urlencoded" for POST requests unless the request body is already limited by MaxBytesReader, as detailed here:
https://golang.org/pkg/net/http/#Request.ParseForm
https://golang.org/pkg/net/http/#MaxBytesReader

MaxBytesReader can be used in all cases to limit the total size of the form processed, so that may be an option.

If the OP does indeed want per file configurable upload limits then I don't think that's trivial and would likely require a custom mime/multipart reader.

[Andrew]

Thanks all for your reply.

I have a web page which client can upload images to Go server. My intention is to limit each image file size to max 2M. But they can upload multiple files at a time.

The sample can be found here: https://play.golang.org/p/0VV3s7klQu

[Andrew]

Sorry, Should be `<input type="file" name="upa" multiple>`

[Peter Waller]

I think this question is a protocol problem more than anything.

A quick bit of searching "http server abort upload" reveals what to do:

https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.14

https://groups.google.com/forum/#!topic/golang-nuts/agB-n6V7UsQ

There is also this informative SO post: https://stackoverflow.com/questions/18367824/how-to-cancel-http-upload-from-data-events#18370751

So: Respond with "413 Request Entity Too Large" as soon as you detect it is too big, and use w.Header().Set("Connection", "close") to tell the client to close the connection. Not sure how to tell the server to close the connection.

On HTTP1 you can at least Hijack the connection and Close it. On HTTP2 I don't see an obvious way. https://tip.golang.org/pkg/net/http/#Hijacker

Note that this does result in a non-ideal UX unless you do the upload with AJAX, but this looks like an issue with the browsers, according to the above SO post.