asp.net mvc 3 - MVC3 Action File Size Limit

Question

I'm implementing a jquery based file upload plugin http://blueimp.github.com/jQuery-File-Upload/. There is a sample MVC3 app that you can download https://github.com/maxpavlov/jQuery-File-Upload.MVC3.

The author of the sample has a comment in the Home View:

@*IN ORDER TO USE MVC ACTIONS AS HANDLERS OF AJAX CALLS, USE THE FORM DECLARATION BELOW. (THE ONE COMMENTED OUT) IT IS NOT ADVISED SINCE WHEN USING MVC CONTROLLER TO HANDLE REQUESTS ONE CAN'T CONTROL THE maxMessageLength OF THE POST REQUEST THIS CASTS THE FUNCTIONALITY OF UPLOADING LARGE FILES USELESS, UNLESS YOU SUCRIFICE THE SECURITY AND ALLOW LARGE POST MESSAGE SIZES SITE-WIDE.

IT IS BETTER TO USE HTTP HANDLER TO PROCESS UPLOAD REQUESTS UNTIL MVC FRAMEWORK PROVIDES WAYS TO SET maxMessageLength ON PER ACTION BASIS *@

Is this still the case?

I've found out I can set the <httpRuntime maxRequestLength="x" /> in the web.config, but my understanding is that this is a security vulnerability. Is the case also?

I would prefer to handle my upload in the controller instead of using an HttpHandler but don't want to be limited by file size and don't want to introduce any security vulnerabilities if I don't have to.

Update:

According to this post File Upload ASP.NET MVC 3.0 the default file size limit is 4mb. I've confirmed this limit http://msdn.microsoft.com/en-us/library/e1f13641.aspx and understand the vulnerability.

Is this the only way to upload a file thru a controller action beyond 4mb?

Answer 1

You could set upload size limit in web.config for concrete controller action using location element:

<configuration>
    <location path="Home/UploadFiles">
        <system.web>
            <httpRuntime maxRequestLength="40960"/>
        </system.web>
    </location>
</configuration>

Where Home is a controller name and UploadFiles is an action name. Size limit is 40MB here.

Still, using Http Handler to process file uploads is not a bad solution if you ask me.