# HG changeset patch
# User Kim Alvefur
# Date 1611704209 -3600
# Node ID a4b299e37909f7da798680152617a9c9bb13cea9
# Parent 3b16aba6285fe03065fe6076bfaf22dee0f348ef
mod_http_file_share: Reject invalid file sizes
diff -r 3b16aba6285f -r a4b299e37909 plugins/mod_http_file_share.lua
--- a/plugins/mod_http_file_share.lua Wed Jan 27 00:29:12 2021 +0100
+++ b/plugins/mod_http_file_share.lua Wed Jan 27 00:36:49 2021 +0100
@@ -48,6 +48,7 @@
 filetype = { type = "modify"; condition = "not-acceptable"; text = "File type not allowed" };
 filesize = { type = "modify"; condition = "not-acceptable"; text = "File too large";
 extra = {tag = st.stanza("file-too-large", {xmlns = namespace}):tag("max-file-size"):text(tostring(file_size_limit)) };
+ filesizefmt = { type = "modify"; condition = "bad-request"; text = "File size must be positive integer"; }
 };
 });
@@ -62,6 +63,9 @@
 return false, upload_errors.new("filename");
 end
+ if not filesize or filesize < 0 or filesize % 1 ~= 0 then
+ return false, upload_errors.new("filesizefmt");
+ end
 if filesize > file_size_limit then
 return false, upload_errors.new("filesize");
 end
diff -r 3b16aba6285f -r a4b299e37909 spec/scansion/http_upload.scs
--- a/spec/scansion/http_upload.scs Wed Jan 27 00:29:12 2021 +0100
+++ b/spec/scansion/http_upload.scs Wed Jan 27 00:36:49 2021 +0100
@@ -38,6 +38,19 @@
 Romeo sends:
+
+
+
+
+Romeo receives:
+
+
+
+ File size must be positive integer
+
+
+
+Romeo sends:
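Review bot: The new `filesizefmt` entry sits after the `extra = {...};` line but before the `};` that closes the `filesize` entry, so as the hunk reads it becomes a field of the `filesize` error rather than a sibling key in the registry. `upload_errors.new("filesizefmt")` in the second hunk would then find no template under that name, and the requester would presumably get a generic error instead of `bad-request` with the intended text. Move the line below the closing `};` and terminate it like its neighbours: `filesizefmt = { type = "modify"; condition = "bad-request"; text = "File size must be positive integer"; };`. The registry table this entry belongs to opens above the hunk.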
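Review bot: The guard `filesize < 0` lets a declared size of zero through, while the error text added in the first hunk says the size must be a positive integer. Either compare with `filesize <= 0` or word the text as "non-negative integer". The condition also assumes `filesize` is already a number or nil here. Where it is parsed lies outside the hunk, so confirm that a non-numeric attribute arrives as nil and not as a string, since `filesize < 0` on a string raises an error instead of returning the stanza error. A one-line comment such as `-- reject missing, negative or fractional sizes before the limit check` would make the intent of the three-part condition clear.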