Why does a request that exceeds a specified maxRequestLength respond with a (seemingly) irrelevant error?

Question

I've specified a maxRequestLength in my web.config (MVC) like so:

  <location path="File/Upload">
    <system.web>
      <httpRuntime maxRequestLength="330"/>
    </system.web>
  </location>

When having a look in the network tab while testing for file uploads that exceed 330kb, I can see the response from the server is 500 and the details are The required anti-forgery form field "__RequestVerificationToken" is not present.

Why is this the case? Is the framework not capable of providing details of maxRequestLength in the response? Or is it that it merely doesn't want to in order to not give away info about the system?

Or is it that my request has been truncated/cropped in order to cater for the limit, which has inadvertently trimmed off the request verification token?

NOTE

This works fine with files that do not exceed 330kb, and my upload works.

Answer 1

I see you set maxRequestLength is 330, this is the limit for file upload. this value follow the rule below:

1 Mb = 1024kb

as you can see more detail at:

https://msdn.microsoft.com/en-us/library/system.web.configuration.httpruntimesection.maxrequestlength(v=vs.110).aspx

So when you set maxRequestLength="330", the system will be understand that the file upload is limit 330kb.

Answer 2

I suspect one of your Actions (not necessarily the one that handles the File Upload) has the [ValidateAntiForgeryToken] attribute, and that you're somehow seeing the error coming from that Action instead.

I suggest temporarily commenting out all the [ValidateAntiForgeryToken] attributes in your project to see what's actually being returned when you try to upload files that are over the limit.

Answer 3

I tried recreating the issue on a sample project but upon further research I found out that ASP.NET MVC controller actions do not use the location element in the web.config file. This is because unlike ASP.NET which maps file to the disk, ASP.NET MVC uses routing. You can check out the answer on the link below which although relates to a different question, notes that the location tag isn't used.

How do I allow all users access to one route within a website with integrated auth?

In this case the framework is most likely not able to enforce the restriction on the file size for Upload action.

Am not entirely sure since am unable to recreate the 500 Internal Server Error but I think it could be as a result of the framework failing to correctly interpret your web.config due to the location element.

As for the error regarding the antiforgery token, make sure that it is present on your view (by using @Html.AntiForgeryToken() ) and that no script removes it from the DOM before you submit the form