Eprints tips & tricks

EPrints Tips & tricks: upload limits and antivirus check – part 2 of 2

Vedi L'articolo in Italiano

With this article I finish the previous article EPrints Tips & tricks: upload limits and antivirus check in order to block uploading the file when it is selected for the maximum size and blocking the virus as soon as the file is available on the server.

Introduction

This will be outlined if the javascript support is active in the browser, otherwise the one described in part 1 of 2 of the previous article will continue to be valid.
It also does not apply to the second or later files belonging to the same document.

We consider all the introduction to the previous article as the presence of ClamAV antivirus.

Implementation

To manage the “upload_limit” variable also in javascript add to the configuration file $EPCONF/conf.d/upload.pl, previously commented, with the following code:


$c->add_trigger( EP_TRIGGER_DYNAMIC_TEMPLATE, sub {
  my %params = @_;
  my $repo = $params{repository};
  my $pins = $params{pins};
  my $upload_limit=$repo->get_conf('upload');
  $upload_limit=$upload_limit->{'upload_limit'};
  my $pagetop = $repo->make_doc_fragment;
  $pagetop->appendChild( $repo->make_javascript(qq|var upload_limit=|.$upload_limit.";"));
  if( defined $pins->{pagetop} ) {
    $pagetop->appendChild( $pins->{pagetop} );
    $pins->{pagetop} = $pagetop;
  }
  else {
    $pins->{pagetop} = $pagetop;
  }
  return EP_TRIGGER_OK;
});

This code adds a trigger for the dynamic creation of the html page that defines the javascript variable “upload_limit” equal to the value defined in “perl

After that, we can modify the “javascript” code that manages file uploads in the workflow, that is the file $EPRINTS/lib/static/javascript/auto/88_uploadmethod_file.js. To avoid touching the source of the EPrints software, which we would lose track over time or after a version upgrade, it is always best to have a copy of the same name in $EPCONF/static/javascript/auto/88_uploadmethod_file.js where we will start making changes.
First of all EPrints will differentiate if you do

  • dragging one or more files (with the file manager) into the upload area
    eprints drop & drop
  • or if you click the “Browse …” button to open the classic browser window to select the file to upload.

In fact, by dragging, you can load multiple files at a time, while with the classic “ Browse … button you load up to one file at a time.

With the changes I propose, first of all, I adapt the 2 methods of loading by also allowing you to select multiple files at a time by using the classic browser window.

eprints upload multi files
Also, by using the “FileReader” object of “javascript“, I can immediately exclude larger files from “upload_limit” during the selection.

For the antivirus checkup then I use an “Ajax” call when the file is fully loaded that returns me if the status is “ok” or if there is a virus calling the “upload_file” function defined in the usual $EPCONF/cfg.d/upload.pl file.

The file called in Ajax is located under cgi/users/ajax/upload_validation

eprints find virus: error messageeprints max upload: error message

Online Code

To download all the complete code you can go to my “eprints_validate_upload_file_js” project on github.

Safety Observations

To avoid filling the disk and to avoid attacks of the denial-of-service it is always useful to define the maximum message size in POST (and therefore also attachments) that the server will accept.
Of course the size of the POST generally does not match the dimension of the attachment and therefore for security I would put that dimension at least 20% more than the maximum of the attachment.
To avoid a very large POST, one of the following methods can be used:

  1. method at Eprints : just set the $CGI::POST_MAX = 1024 * 1024 * 20; variable (20MB posts) in a configuration file (such as upload.pl)
  2. metodo at apache level: just set the “LimitRequestBody 20971520” (20MB posts). As default Apache 2.4 use “LimitRequestBody 0” which corresponds to a maximum of 2GB.

Leave a Reply

Your email address will not be published. Required fields are marked *

23 − = 16