# HG changeset patch
# User Kim Alvefur
# Date 1611766024 -3600
# Node ID a853a018eede6ae841b506f82484f0570a608e2a
# Parent 4ade9810ce35f3135e8123bf2e405a5b0c26ce17
mod_http_file_share: Validate file size early in HTTP PUT request
diff -r 4ade9810ce35 -r a853a018eede plugins/mod_http_file_share.lua
--- a/plugins/mod_http_file_share.lua Wed Jan 27 17:34:48 2021 +0100
+++ b/plugins/mod_http_file_share.lua Wed Jan 27 17:47:04 2021 +0100
@@ -165,6 +165,11 @@
 module:log("debug", "Invalid upload slot: %q, path: %q", upload_info.slot, path);
 return 400;
 end
+ if request.headers.content_length and tonumber(request.headers.content_length) ~= upload_info.filesize then
+ return 413;
+ -- Note: We don't know the size if the upload is streamed in chunked encoding,
+ -- so we also check the final file size on completion.
+ end
 local filename = dm.getpath(upload_info.slot, module.host, module.name, nil, true);
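Review bot: The new size check parses the client-supplied header with a bare `tonumber(request.headers.content_length)`, which also accepts hex, exponent and fractional forms (`"0x10"`, `"1e3"`), so a value that is not a plain decimal length can still compare equal to `upload_info.filesize`. If the HTTP layer reads the same header differently, the early check and the actual body framing can disagree. I would require digits only before comparing: `local declared = request.headers.content_length;` followed by `if declared and (not declared:match("^%d+$") or tonumber(declared) ~= upload_info.filesize) then`. The check is also skipped entirely when the header is absent, and the completion-time check the comment refers to is outside this hunk, so it is worth confirming that the streaming sink caps bytes written as they arrive rather than only comparing the size after the whole body is on disk. The enclosing handler starts and ends outside the hunk.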