mirrors/copyparty
1
0
Fork 0
mirror of https://github.com/9001/copyparty.git synced 2026-02-26 21:43:08 -07:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix(http): enforce size limit for unknown uploads

Browse source
This commit is contained in:
Prashikshit Saini 2026-02-04 20:26:44 -06:00
parent 16403d8c6c
commit adc675d447
1 changed files with 32 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
copyparty/httpcli.py
View file

@ -2421,6 +2421,7 @@ class HttpCli(object):
vfs, rem = self.asrv.vfs.get(self.vpath, self.uname, False, True) vfs, rem = self.asrv.vfs.get(self.vpath, self.uname, False, True)
rnd, lifetime, xbu, xau = self.upload_flags(vfs) rnd, lifetime, xbu, xau = self.upload_flags(vfs)
lim = vfs.get_dbv(rem)[0].lim lim = vfs.get_dbv(rem)[0].lim
max_sz = lim.smax if lim else 0
fdir = vfs.canonical(rem) fdir = vfs.canonical(rem)
fn = None fn = None
if rem and not self.trailing_slash and not bos.path.isdir(fdir): if rem and not self.trailing_slash and not bos.path.isdir(fdir):
@ -2620,7 +2621,38 @@ class HttpCli(object):
try: try:
path = os.path.join(fdir, fn) path = os.path.join(fdir, fn)
if max_sz and remains == -1:
if "apnd" in self.uparam and not self.args.nw:
try:
pre_sz = bos.path.getsize(path)
except Exception:
pre_sz = 0
else:
pre_sz = 0
if pre_sz >= max_sz:
raise Pebkac(400, "file too big")
def limit_reader(fin, limit):
total = 0
for buf in fin:
if not buf:
break
total += len(buf)
if total > limit:
raise Pebkac(400, "file too big")
yield buf
reader = limit_reader(reader, max_sz - pre_sz)
post_sz, sha_hex, sha_b64 = copier(reader, f, hasher, 0, self.args.s_wr_slp) post_sz, sha_hex, sha_b64 = copier(reader, f, hasher, 0, self.args.s_wr_slp)
except Pebkac:
if not self.args.nw:
try:
wunlink(self.log, path, vfs.flags)
except Exception:
pass
raise
finally: finally:
f.close() f.close()