diff options
author | Christian Pointner <equinox@helsinki.at> | 2016-06-27 20:49:00 (GMT) |
---|---|---|
committer | Christian Pointner <equinox@helsinki.at> | 2016-06-27 20:49:00 (GMT) |
commit | e6eeeb7ff9b50163f526297450321f8a47e4fb17 (patch) | |
tree | 37f14ab20d79488d6a4c8e22fc560ededd49e390 | |
parent | 92b427a54c5782fea71af3709ac564ba4dc67e57 (diff) |
enforce maximum file size
-rw-r--r-- | rhimport/core.go | 2 | ||||
-rw-r--r-- | rhimport/fetcher.go | 41 |
2 files changed, 34 insertions, 9 deletions
diff --git a/rhimport/core.go b/rhimport/core.go index 7880d95..6a495a4 100644 --- a/rhimport/core.go +++ b/rhimport/core.go @@ -37,6 +37,8 @@ import ( const ( CART_MAX = 999999 CUT_MAX = 999 + // not sure if rdxport.cgi can handle filesizes > MAX(INT32) + FILESIZE_MAX = (2 * 1024 * 1024 * 1024) - 1 ) var ( diff --git a/rhimport/fetcher.go b/rhimport/fetcher.go index d923f24..5fa442e 100644 --- a/rhimport/fetcher.go +++ b/rhimport/fetcher.go @@ -111,6 +111,12 @@ func curlProgressCallback(dltotal, dlnow, ultotal, ulnow float64, userdata inter return false } + if dltotal > float64(FILESIZE_MAX) { + data.res.ResponseCode = http.StatusRequestEntityTooLarge + data.res.ErrorString = "file exceeds maximum file size" + return false + } + if data.ctx.ProgressCallBack != nil { if keep := data.ctx.ProgressCallBack(1, "downloading", dlnow, dltotal, data.ctx.ProgressCallBackData); !keep { data.ctx.ProgressCallBack = nil @@ -301,29 +307,35 @@ func fetchFileDir(ctx *Context, res *Result, uri *url.URL, dir string) (err erro res.ErrorString = fmt.Sprintf("local-file open(): %s", err) return nil } - size := float64(0) + defer src.Close() + + size := int64(0) if info, err := src.Stat(); err != nil { res.ResponseCode = http.StatusBadRequest res.ErrorString = fmt.Sprintf("local-file stat(): %s", err) return nil } else { - size = float64(info.Size()) + size = info.Size() if info.IsDir() { res.ResponseCode = http.StatusBadRequest res.ErrorString = fmt.Sprintf("'%s' is a directory", ctx.SourceFile) return nil } } + if size > FILESIZE_MAX { + res.ResponseCode = http.StatusRequestEntityTooLarge + res.ErrorString = "file exceeds maximum file size" + return nil + } + if ctx.ProgressCallBack != nil { - if keep := ctx.ProgressCallBack(1, "fetching", 0.0, size, ctx.ProgressCallBackData); !keep { + if keep := ctx.ProgressCallBack(1, "fetching", 0.0, float64(size), ctx.ProgressCallBackData); !keep { ctx.ProgressCallBack = nil } } - src.Close() - if ctx.ProgressCallBack != nil { - if keep := ctx.ProgressCallBack(1, "fetching", size, size, ctx.ProgressCallBackData); !keep { + if keep := ctx.ProgressCallBack(1, "fetching", float64(size), float64(size), ctx.ProgressCallBackData); !keep { ctx.ProgressCallBack = nil } } @@ -377,7 +389,7 @@ func writeAttachmentFile(ctx *Context, res *Result, sizeTotal uint64, src *os.Fi cancel = make(<-chan bool) } - written := 0 + written := uint64(0) for { select { case <-cancel: @@ -393,12 +405,18 @@ func writeAttachmentFile(ctx *Context, res *Result, sizeTotal uint64, src *os.Fi return nil } + left := sizeTotal - written + if int(left) < len(data) { + rhl.Printf("attachment fetcher: truncating ") + data = data[0:left] + } + w, err := src.Write(data) if err != nil { rhl.Printf("Unable to write file %s: %s", ctx.SourceFile, err) return err } - written += w + written += uint64(w) if ctx.ProgressCallBack != nil { if keep := ctx.ProgressCallBack(1, "receiving", float64(written), float64(sizeTotal), ctx.ProgressCallBackData); !keep { @@ -420,12 +438,17 @@ func fetchFileAttachment(ctx *Context, res *Result, uri *url.URL) error { return fmt.Errorf("attachement channel is nil") } - sizeTotal, err := strconv.ParseUint(uri.Host, 10, 32) + sizeTotal, err := strconv.ParseUint(uri.Host, 10, 64) if err != nil { res.ResponseCode = http.StatusBadRequest res.ErrorString = "invalid attachment size (must be a positive integer)" return nil } + if sizeTotal > FILESIZE_MAX { + res.ResponseCode = http.StatusRequestEntityTooLarge + res.ErrorString = "file exceeds maximum file size" + return nil + } basepath, err := ioutil.TempDir(ctx.conf.TempDir, "rhimportd-") if err != nil { |