in Uncategorized

ASP.NET (1.x and 2.x) maxRequestLength suckyness…

So you need people to upload files to your web application, but you’re a smart developer and you want to make sure you’re not vulnerable to any kind of DoS. Luckily Microsoft has built a setting into the <httpRuntime> element of ASP.NET called maxRequestLength to govern the maximum size of an HTTP request. Great, problem solved! Well, here’s the bad news: if someone does exceed that length you can’t handle that error gracefully in any way shape or form.

The ASP.NET runtime will immediately reject the request based on the Content-Length HTTP header and will not execute any other part of the ASP.NET pipeline. This includes anything you’ve set for <customErrors>. The only thing I can think of to do is to customize the 500 status in IIS, but it kinda stinks that I have to resort to configuring IIS to work around this. 🙁

Leave a comment


  1. What also sucks is that you HAVE to put this size limit into the Webconfig file and we try to always AVOID webconfig.

    that would be a nice improvement for ASP.Net 3……

  2. There might be a way to handle this exception:

    1. Create a global.asax file. If you’re using Visual Studio 2005 it will set up a number of common subroutines for you. You need to use Sub Application_Error. Your code should look something like this:

    <script runat=”server”>
    Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
    Dim currentException As Exception
    currentException = Server.GetLastError.GetBaseException()
    Response.Redirect(“/error.aspx?Err=” & Server.UrlEncode(currentException.Message))
    End Sub

    The application_Error sub fires as a last resort, in other words, when you haven’t explicitly handled the exception anywhere else in your code.

    2. You can now create an error.aspx that displays the exception message (from the querystring). For this exception the message is “Maximum request length exceeded”. You could also test for the message and give users more information on the error.