File upload size limit in IIS

June 17, 2013 by Leave a Comment

Yay file uploads. As if letting the users to type in stuff into the web application giving me SQL injection nightmares weren’t enough, now I have to let users upload files.

Peachy.

So during my investigations into the limits of file uploading, I found that I couldn’t upload a file more than 30MB on my test server. It failed faster than Superman could jump a building in a single bound, and with just as much sound.

In short, here are my findings. The default file size limit set in IIS (6 and below? Read on for more details) is 4MB. In IIS7 (on Windows Server 2008), the file size limit is 30MB (technically it’s 28.61MB because it’s 30000000 bytes but who’s keeping track. Hey you read on!).

So how do you change the limits? In the web.config file. We’re doing ASP.NET applications.

<httpRuntime executionTimeout="3600" maxRequestLength="20480" />

That will give you a timeout period of 1 hour (3600 seconds) and a file size limit of 20MB (20480 KB. Yes, that attribute is in kilobytes).

For IIS7, we do this:

<security>
    <requestFiltering>
        <requestLimits maxAllowedContentLength="134217728" />
    </requestFiltering>
</security>

That gives you a 128MB limit (128 * 1024 * 1024). Yes it’s in number of bytes.

So why was I doing file uploads? Documents from university staff or students. The most important of which is the final doctoral thesis.

I asked how large can that thesis be, assuming it’s in PDF form. I got an answer where a 40MB limit seems too small. Really?

I had trouble auto-generating an Excel file of 40MB just to test the server limits. Do you know how large 40MB is?

If it’s a video or sound file, then yes I can believe it. I have video files of over 100MB, some over 200MB. But a PDF? With mostly text?

Go check out the Open XML specs from ECMA. The largest document is about 28MB. It’s over 5000 pages. I doubt any thesis can match that number of pages.

Filed Under: Programming Tagged With: , , ,

Academic self-publishing

June 8, 2013 by

As of this writing, I’ve worked in the academic industry for slightly over 3 months. More on this later.

Claire Morgan sent me this article on academic self-publishing. There are good points and bad points regarding self-publishing, which are exaggerated particularly so for the academic industry. I should know, since I’m making a web application for internal use in a university.

As part of my work, I learnt a lot about how the Ph.D. degree students go through their academic years, and what are the processes they go through. Yeah my web application is going to be used by staff and future doctors (albeit Ph.D.’s). Go me.

One of the more important parts of being a Ph.D. student is publications. It’s not necessary to publish any papers but they help increase your credibility. Perhaps in helping with raising the impressions of examiners who attend your thesis defence. Every little bit helps, I guess.

But you can’t just publish your work anywhere. The publisher has to be of repute and your work must be peer reviewed.

This means self-publishing is looked down upon even more by the academic industry.

But wait!

There are 2 points I found interesting in Claire’s article.

The 1st point is that you don’t have to publish your entire work. Maybe a non-vital piece of your research but is still informative and useful. “Non-vital” is of course relative to your entire research work as a whole.

The 2nd point is that you can publish mistakes or research results that didn’t go anywhere. These don’t help you and your final research publication, but they might help some other poor fellow from wasting resources going down that route.

So what’s happening lately for me?

As I said, I’m working in a university now. Well, technically they outsourced the work to me so I’m still considered self-employed. We’ll see…

I’m stationed in a research lab. I’m surrounded by Ph.D. students. My manager is a Ph.D. student. Or at least he’s the project officer who’s my liaison between the IT support department and me. But psshht, semantics.

As part of my work, I’m using ASP.NET MVC (model-view-controller) and jQuery. Both of which I’m not familiar with at the start of my contract. Fun times… I was more of a back-end kind of guy.

Speaking of back-end, my spreadsheet library is doing well. Go check out SpreadsheetLight if you haven’t, and it’s also on NuGet (which I just learnt about, even though I’ve been using Visual Studio for like donkey years. Like I said, I’m more of a back-end guy. How do you pronounce “NuGet”? Like “nugget”?).

So yeah, if you haven’t, go read that article. Tell me what you think.

Filed Under: Curiosita

Specious spreadsheet security

February 4, 2013 by

If not for Chinese, it would’ve worked.

So in Excel, you can set a password for either protecting a particular worksheet, or protecting the entire workbook/spreadsheet. This password is then hashed, and the result is stored within the spreadsheet contents.

Now with the use of Open XML spreadsheets, this means the resulting hash is stored in “plain text” within XML files. Without going into too much detail, here’s the algorithm for the hash as documented in the Open XML SDK 2.0 help docs:

// Function Input:
//    szPassword: NULL-terminated C-style string
//    cchPassword: The number of characters in szPassword (not including the NULL terminator)
WORD GetPasswordHash(const CHAR *szPassword, int cchPassword) {
      WORD wPasswordHash;
      const CHAR *pch;
 
      wPasswordHash = 0;
 
      if (cchPassword > 0)
            {
            pch = &szPassword[cchPassword];
            while (pch-- != szPassword)
                  {
                  wPasswordHash = ((wPasswordHash >> 14) & 0x01) | ((wPasswordHash << 1) & 0x7fff);
                  wPasswordHash ^= *pch;
                  }
            wPasswordHash ^= (0x8000 | ('N' << 8) | 'K');
            }
      
      return(wPasswordHash);
}

This algorithm is wrong. Or at least it doesn't give the resulting hash that Excel produces.

Granted, I didn't really expect the algorithm to be correct. Because from the SDK help:

An example algorithm to hash the user input into the value stored is as follows:

It's an example algorithm, so it may or may not be the one that Excel actually use. However, for the purposes of usability, the password used by users have to be encrypted using Excel's algorithm, so we have to somehow get the resulting hash. Either we get the algorithm itself, or we simulate an algorithm such that the resulting hash matches that of Excel's.

Which is what Kohei Yoshida did. See his modified algorithm. This algorithm worked!

Given that I'm Chinese, I did what's natural: I used Chinese characters as the password.

And the modified algorithm failed. It only worked if the password consisted only of Latin alphabets. I tried Japanese characters. Failed too.

This is why I don't support password protection in SpreadsheetLight. I don't want to give the false impression that the worksheet/workbook encryption works. This is one feature where "partially worked" is unacceptable.

Granted Open XML spreadsheets also support other types of encryption, and you can store the name of the algorithm and salt value you used, and even the number of times the hash algorithm was run.

But.

This is in the context of a spreadsheet library.

What are spreadsheet libraries mostly used for? Automation.

Which means minimal (if at all) human interaction and intervention.

And so the question comes up.

Where do you store the password?

If a human is protecting the worksheet/workbook, she will provide the password herself, and then encrypts it (well Excel does it), and she just remembers the password.

If a spreadsheet library is generating the workbook, and encrypting it, the password has to be gotten from somewhere, right? So it's stored, maybe in a text file, maybe in a database, maybe hardcoded in code, or whatever.

The point being that the password is not held solely by a human being. And a computer hard drive is easier to hack into than a human brain.

And I will prefer not to be a party to facilitating insecure spreadsheet generation. Besides, it's Open XML. The data is supposed to be open and sharable. Password protection seems to be the opposite. Even Microsoft cautions the use of depending just on encrypted Excel files.

We already have social engineering used by devious people to deceive people into giving their passwords over. Storing passwords on a computer seems suicidal because computers have no common sense at all.

As a final word, I'd say using the Open XML SDK can be either verbose, or obscenely painstakingly verbose. Simple tasks need a couple of dozens of lines of code, and complex tasks take at least 2 magnitudes of work to do. For individualistic, compartmentalisable (that's not a word, right?) tasks, you can do it from scratch. Add even a smidgeon of complexity, and you'll find a library more useful. Try mine.

Filed Under: Programming Tagged With: , , ,

SpreadsheetLight version 3

January 14, 2013 by

Version 3 of my spreadsheet library is now available. There’s a whole bunch of updates, including Excel 2010 conditional formatting such as data bars with negative value fill colours and icon sets with no icons.

SpreadsheetLight is possibly the most developer-friendly spreadsheet library ever. Even if I do say so myself. :)

Filed Under: Programming Tagged With: , , ,

In The Mirror (cover)

January 14, 2013 by

This is one of my favourite piano pieces by Yanni.

I’m not a pianist. I’ve never taken piano lessons. I’m like grade -1 or something. This took me over a dozen tries…

Credits and permission granted from:

Music by Yanni
23rd Street publishing Inc/Yanni Music Publishing (ASCAP)
Used by Permission. All Rights Reserved

Filed Under: Curiosita Tagged With: , , ,
«Older Posts