Fix incorrect HTTP content length limits

Gunnar Beutner 2018-02-28 12:06:01 +01:00
parent 85858e6a36
commit 622127276b
2 changed files with 28 additions and 19 deletions


@ -230,12 +230,12 @@ Available permissions for specific URL endpoints:
actions/<action> | /v1/actions | Yes | 1 actions/<action> | /v1/actions | Yes | 1
config/query | /v1/config | No | 1 config/query | /v1/config | No | 1
config/modify | /v1/config | No | 512 config/modify | /v1/config | No | 512
console | /v1/console | No | 512 console | /v1/console | No | 1
events/<type> | /v1/events | No | 1 events/<type> | /v1/events | No | 1
objects/query/<type> | /v1/objects | Yes | 1 objects/query/<type> | /v1/objects | Yes | 1
objects/create/<type> | /v1/objects | No | 512 objects/create/<type> | /v1/objects | No | 1
objects/modify/<type> | /v1/objects | Yes | 512 objects/modify/<type> | /v1/objects | Yes | 1
objects/delete/<type> | /v1/objects | Yes | 512 objects/delete/<type> | /v1/objects | Yes | 1
status/query | /v1/status | Yes | 1 status/query | /v1/status | Yes | 1
templates/<type> | /v1/templates | Yes | 1 templates/<type> | /v1/templates | Yes | 1
types | /v1/types | Yes | 1 types | /v1/types | Yes | 1


@ -190,15 +190,6 @@ bool HttpServerConnection::ProcessMessage(void)
bool HttpServerConnection::ManageHeaders(HttpResponse& response) bool HttpServerConnection::ManageHeaders(HttpResponse& response)
{ {
static const size_t defaultContentLengthLimit = 1 * 1024 * 1024;
static const Dictionary::Ptr specialContentLengthLimits = new Dictionary;
specialContentLengthLimits->Set("*", 512 * 1024 * 1024);
specialContentLengthLimits->Set("config/modify", 512 * 1024 * 1024);
specialContentLengthLimits->Set("console", 512 * 1024 * 1024);
specialContentLengthLimits->Set("objects/create", 512 * 1024 * 1024);
specialContentLengthLimits->Set("objects/modify", 512 * 1024 * 1024);
specialContentLengthLimits->Set("objects/delete", 512 * 1024 * 1024);
if (m_CurrentRequest.Headers->Get("expect") == "100-continue") { if (m_CurrentRequest.Headers->Get("expect") == "100-continue") {
String continueResponse = "HTTP/1.1 100 Continue\r\n\r\n"; String continueResponse = "HTTP/1.1 100 Continue\r\n\r\n";
m_Stream->Write(continueResponse.CStr(), continueResponse.GetLength()); m_Stream->Write(continueResponse.CStr(), continueResponse.GetLength());
@ -289,16 +280,34 @@ bool HttpServerConnection::ManageHeaders(HttpResponse& response)
return false; return false;
} }
static const size_t defaultContentLengthLimit = 1 * 1024 * 1024;
size_t maxSize = defaultContentLengthLimit; size_t maxSize = defaultContentLengthLimit;
Array::Ptr permissions = m_AuthenticatedUser->GetPermissions(); Array::Ptr permissions = m_AuthenticatedUser->GetPermissions();
if (permissions) {
ObjectLock olock(permissions); ObjectLock olock(permissions);
for (const Value& permission : permissions) { for (const Value& permissionInfo : permissions) {
std::vector<String> permissionParts = String(permission).Split("/"); String permission;
String permissionPath = permissionParts[0] + (permissionParts.size() > 1 ? "/" + permissionParts[1] : "");
int size = specialContentLengthLimits->Get(permissionPath); if (permissionInfo.IsObjectType<Dictionary>())
maxSize = size > maxSize ? size : maxSize; permission = static_cast<Dictionary::Ptr>(permissionInfo)->Get("permission");
else
permission = permissionInfo;
static std::vector<std::pair<String, size_t>> specialContentLengthLimits {
{ "config/modify", 512 * 1024 * 1024 }
};
for (const auto& limitInfo : specialContentLengthLimits) {
if (limitInfo.second <= maxSize)
continue;
if (Utility::Match(permission, limitInfo.first))
maxSize = limitInfo.second;
}
}
} }
size_t contentLength = m_CurrentRequest.Headers->Get("content-length"); size_t contentLength = m_CurrentRequest.Headers->Get("content-length");
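Review bot: `specialContentLengthLimits` is a mutable function-local `static` declared inside the body of the permissions loop, although nothing in the hunk modifies it. It would read better as `static const std::vector<std::pair<String, size_t>> specialContentLengthLimits { ... };` placed above the loop, next to `defaultContentLengthLimit`. The call `Utility::Match(permission, limitInfo.first)` deserves a comment such as `// the user's permission is the wildcard pattern, so a grant of "*" also raises the limit to 512 MB`, assuming `Utility::Match` takes the pattern as its first argument. As far as the hunk shows, `maxSize` is derived only from the user's permissions and not from the requested URL, so a user holding `config/modify` gets the 512 MB body limit on every endpoint; if that is intended, the same comment should say so. `ManageHeaders` starts and ends outside this hunk, so the null check on `m_AuthenticatedUser` and the handling of a malformed `content-length` value cannot be confirmed from here.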