mod_rest/mod_rest.lua @ 5701:0cffeff2cd1d
mod_rest: Limit payload size (cf stanza size limits)
Otherwise the limit would be defined by the HTTP stack.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 25 Oct 2023 15:36:20 +0200 |
parent | 5585:5b316088bef5 |
--- a/mod_rest/mod_rest.lua Sat Oct 14 23:05:59 2023 +0200
+++ b/mod_rest/mod_rest.lua Wed Oct 25 15:36:20 2023 +0200
@@ -20,6 +20,9 @@
 local tokens = module:depends("tokenauth");
+-- Lower than the default c2s size limit to account for possible JSON->XML size increase
+local stanza_size_limit = module:get_option_number("rest_stanza_size_limit", 1024 * 192);
+
 local auth_mechanisms = module:get_option_set("rest_auth_mechanisms", { "Basic", "Bearer" });
 local www_authenticate_header;
@@ -277,6 +280,7 @@
 iq_type = { code = 422; type = "modify"; condition = "invalid-xml"; text = "'iq' stanza must be of type 'get' or 'set'" };
 iq_tags = { code = 422; type = "modify"; condition = "bad-format"; text = "'iq' stanza must have exactly one child tag" };
 mediatype = { code = 415; type = "cancel"; condition = "bad-format"; text = "Unsupported media type" };
+ size = { code = 413; type = "modify"; condition = "resource-constraint", text = "Payload too large" };
 });
 -- GET → iq-get
@@ -313,6 +317,9 @@
 origin.type = "c2s";
 origin.log = log;
 end
+ if type(request.body) == "string" and #request.body > stanza_size_limit then
+ return post_errors.new("size", { size = #request.body; limit = stanza_size_limit });
+ end
 local payload, err = parse_request(request, path);
 if not payload then
 -- parse fail
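Review bot: The 192 KiB default for `stanza_size_limit` in the first hunk is a fixed number rather than something derived from the c2s limit the comment compares it to, so a deployment that has lowered its c2s stanza limit keeps accepting larger payloads over REST until `rest_stanza_size_limit` is lowered as well. The comment is the place to say that, e.g. `-- Fixed default, not derived from the configured c2s limit; lower rest_stanza_size_limit too if that one is reduced`. The option value is also used as read: zero or a negative number makes the comparison in the third hunk reject every non-empty body, so a sanity check or a documented minimum would help operators.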
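Review bot: The new `size` entry in the second hunk separates `condition` from `text` with a comma where every neighbouring entry uses `;`. Both are valid Lua field separators, so this is style only: `condition = "resource-constraint"; text = "Payload too large" };` keeps the registry uniform. The table this entry belongs to opens outside the hunk.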
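Review bot: The size check in the third hunk measures `#request.body`, a string that is already fully in memory, so it caps what gets parsed and handed on with `origin.type = "c2s"` but not what the HTTP server buffers; the HTTP stack's own body limit remains the only guard on memory. A comment above the `if` would make that boundary explicit, e.g. `-- Body is already buffered here; this bounds parsing and the resulting stanza, not the upload itself`. The check is also skipped whenever `request.body` is not a string, and the stanza returned by `parse_request` is never measured, so a JSON body just under the limit that grows during conversion presumably still goes through; if the limit is meant to be strict, the parsed payload's serialized length should be compared as well. The enclosing handler starts and ends outside the hunk.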