Comparison

plugins/mod_http_file_share.lua @ 11319:a4b299e37909

mod_http_file_share: Reject invalid file sizes
author Kim Alvefur <zash@zash.se>
date Wed, 27 Jan 2021 00:36:49 +0100
parent 11318:3b16aba6285f
child 11320:817cadf6be92
comparison
equal deleted inserted replaced
11318:3b16aba6285f 11319:a4b299e37909
46 access = { type = "auth"; condition = "forbidden" }; 46 access = { type = "auth"; condition = "forbidden" };
47 filename = { type = "modify"; condition = "bad-request"; text = "Invalid filename" }; 47 filename = { type = "modify"; condition = "bad-request"; text = "Invalid filename" };
48 filetype = { type = "modify"; condition = "not-acceptable"; text = "File type not allowed" }; 48 filetype = { type = "modify"; condition = "not-acceptable"; text = "File type not allowed" };
49 filesize = { type = "modify"; condition = "not-acceptable"; text = "File too large"; 49 filesize = { type = "modify"; condition = "not-acceptable"; text = "File too large";
50 extra = {tag = st.stanza("file-too-large", {xmlns = namespace}):tag("max-file-size"):text(tostring(file_size_limit)) }; 50 extra = {tag = st.stanza("file-too-large", {xmlns = namespace}):tag("max-file-size"):text(tostring(file_size_limit)) };
51 filesizefmt = { type = "modify"; condition = "bad-request"; text = "File size must be positive integer"; }
51 }; 52 };
52 }); 53 });
53 54
54 function may_upload(uploader, filename, filesize, filetype) -- > boolean, error 55 function may_upload(uploader, filename, filesize, filetype) -- > boolean, error
55 local uploader_host = jid.host(uploader); 56 local uploader_host = jid.host(uploader);
60 if not filename or filename:find"/" then 61 if not filename or filename:find"/" then
61 -- On Linux, only '/' and '\0' are invalid in filenames and NUL can't be in XML 62 -- On Linux, only '/' and '\0' are invalid in filenames and NUL can't be in XML
62 return false, upload_errors.new("filename"); 63 return false, upload_errors.new("filename");
63 end 64 end
64 65
66 if not filesize or filesize < 0 or filesize % 1 ~= 0 then
67 return false, upload_errors.new("filesizefmt");
68 end
65 if filesize > file_size_limit then 69 if filesize > file_size_limit then
66 return false, upload_errors.new("filesize"); 70 return false, upload_errors.new("filesize");
67 end 71 end
68 72
69 if not ( file_types:empty() or file_types:contains(filetype) or file_types:contains(filetype:gsub("/.*", "/*")) ) then 73 if not ( file_types:empty() or file_types:contains(filetype) or file_types:contains(filetype:gsub("/.*", "/*")) ) then