s3 direct upload restricting file size and type

Asked 15/11, 2012 at 1:38 Answered 22/1, 2015 at 6:14

A newbie question but I have googled abit and can't seem to find any solution.

I want to allow users to directly upload files to S3, not via my server first. By doing so, is there any way the files can be checked for size limit and permitted types before actually uploading to S3? Preferably not to use flash but javascript.

Ypres answered 15/11, 2012 at 1:38 Comment(0)

If you are talking about security problem (people uploading huge file to your bucket), yes, You CAN restrict file size with browser-based upload to S3.

Here is an example of the "policy" variable, where "content-length-range" is the key point.

"expiration": "'.date('Y-m-d\TG:i:s\Z', time()+10).'",
"conditions": [
    {"bucket": "xxx"},
    {"acl": "public-read"},
    ["starts-with","xxx",""],
    {"success_action_redirect": "xxx"},
    ["starts-with", "$Content-Type", "image/jpeg"],
    ["content-length-range", 0, 10485760]
]

In this case, if the uploading file size > 10mb, the upload request will be rejected by Amazon.

Of course, before starting the upload process, you should use javascript to check the file size and make some alerts if it does.

getting file size in javascript

Instinctive answered 12/8, 2014 at 16:15 Comment(6)

The policy is part of the form set on client side. If a hacker is keen enough they can decode your base64 policy and put whatever file size or type in it. – Regolith 5/9, 2017 at 15:34

@Regolith The policy document is signed, so any tampering will cause the request to fail. – Gerhard 21/9, 2017 at 15:56

To be more precise: together with the policy you send along a signature that you calculated, the key for the signature is the aws_secret_key that the client has no access to. Therefore there is no way to just change the policy while still having a proper signature. – Mirnamirror 11/6, 2019 at 7:25

Is this policy format still valid? The Node aws-sdk throws MalformedPolicy: Unknown field conditions when I try passing this policy to s3.putBucketPolicy. – Coact 15/9, 2019 at 16:46

How can we restrict the file type? like the content-type ? – Much 11/12, 2019 at 9:7

This solution is correct. If anyone wants something more palatable than the official docs this resource helped me greatly medium.com/@zaccharles/… – Weightlessness 9/11, 2020 at 15:35

AWS wrote a tutorial explaining how to create HTML POST forms that allow your web site visitors to upload files into your S3 account using a standard web browser. It uses S3 pre-signed URLs to prevent tampering and you can restrict access by file size.

Radiochemical answered 22/1, 2015 at 6:14 Comment(2)

The link is broken. – Stalagmite 4/2, 2021 at 15:1

I fixed the link – Radiochemical 4/3, 2021 at 17:50

-9

To do what you are wanting to do, you will need to upload through your own web service. This is probably best anyway, as providing global write access to your end users to your S3 bucket is a security nightmare, not too mention there would be nothing stopping them from uploading huge files and jacking up your charges.

Dextral answered 15/11, 2012 at 1:45 Comment(0)

Recommended topics

Hot tags