This article completes the previous one, EPrints Tips & tricks: upload limits and antivirus check. The goal is to block an upload as soon as the file is selected if it exceeds the maximum size, and to block a virus as soon as the file is available on the server.
It also does not apply to the second or later files belonging to the same document.
We take everything in the introduction of the previous article as given, such as the presence of the ClamAV antivirus.
First of all, EPrints distinguishes between two ways of uploading:
- dragging one or more files (with the file manager) into the upload area
- clicking the “Browse …” button to open the classic browser window to select the file to upload.
In fact, by dragging you can load multiple files at a time, while with the classic “Browse …” button you load at most one file at a time.
With the changes I propose, I first align the two upload methods by also allowing you to select multiple files at a time in the classic browser window.
For the antivirus check I then use an “Ajax” call, made when the file is fully loaded, which calls the “upload_file” function defined in the usual $EPCONF/cfg.d/upload.pl file and returns whether the status is “ok” or there is a virus.
The file called via Ajax is located under cgi/users/ajax/upload_validation.
To download the complete code you can go to my “eprints_validate_upload_file_js” project on GitHub.
To avoid filling the disk and to guard against denial-of-service attacks, it is always useful to define the maximum size of a POST message (and therefore also of its attachments) that the server will accept.
Of course the size of the POST generally does not match the size of the attachment, so for safety I would set the POST limit at least 20% higher than the maximum attachment size.
To avoid a very large POST, one of the following methods can be used:
- at the EPrints level: just set the variable $CGI::POST_MAX = 1024 * 1024 * 20; (20MB posts) in a configuration file (such as upload.pl)
- at the Apache level: just set “LimitRequestBody 20971520” (20MB posts). By default Apache 2.4 uses “LimitRequestBody 0”, which corresponds to a maximum of 2GB.
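
The size check at selection time and the 20% margin described above can be sketched as follows. This is an added example, not code from the eprints_validate_upload_file_js project; the function names and the wiring to the page elements are assumptions. The browser check only saves a pointless transfer, so the server-side POST limit remains the actual enforcement.

```javascript
// Added example: function names are hypothetical, not part of EPrints.
// POST ceiling taken from the settings above ($CGI::POST_MAX / LimitRequestBody).
const POST_MAX_BYTES = 1024 * 1024 * 20; // 20971520

// Largest attachment that still leaves the POST limit at least 20% above it,
// leaving room for multipart boundaries and the other form fields.
function maxAttachmentFor(postLimitBytes, headroom = 0.2) {
  return Math.floor(postLimitBytes / (1 + headroom));
}

// Split a FileList (or any array-like of {name, size}) into files that may be
// sent and files refused before any byte leaves the browser.
function checkSelectedFiles(files, maxBytes = maxAttachmentFor(POST_MAX_BYTES)) {
  const accepted = [];
  const rejected = [];
  for (const file of Array.from(files)) {
    if (file.size > maxBytes) {
      rejected.push({ name: file.name, size: file.size, limit: maxBytes });
    } else {
      accepted.push(file);
    }
  }
  return { accepted, rejected };
}

// Browser wiring: one handler serves both the "Browse ..." input (which needs
// the `multiple` attribute to offer several files) and the drag-and-drop area.
function attachSizeCheck(input, dropArea, onAccepted, onRejected) {
  const handle = (fileList) => {
    const { accepted, rejected } = checkSelectedFiles(fileList);
    if (rejected.length > 0) onRejected(rejected);
    if (accepted.length > 0) onAccepted(accepted);
  };
  input.addEventListener("change", () => handle(input.files));
  dropArea.addEventListener("dragover", (e) => e.preventDefault());
  dropArea.addEventListener("drop", (e) => {
    e.preventDefault();
    handle(e.dataTransfer.files);
  });
}
```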