[Rt-commit] rt branch, 4.4/check-uploaded-file-size, created. rt-4.4.2-99-g3a5e2ad36

sunnavy sunnavy at bestpractical.com
Fri Mar 16 11:21:06 EDT 2018


The branch, 4.4/check-uploaded-file-size has been created
        at  3a5e2ad365f45dd267059f8b83b35fe7a0ecaedf (commit)

- Log -----------------------------------------------------------------
commit 3a5e2ad365f45dd267059f8b83b35fe7a0ecaedf
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Fri Mar 16 21:51:10 2018 +0800

    Check uploaded file size at server side for Dropzone
    
    On the client side, the "maxFilesize" config can stop oversized files
    from being uploaded, but it is not always accurate because of the
    encoding overhead on databases without binary-safe BLOB support.
    
    Besides, it's more reliable to check size at server side considering
    client js code could be easily modified.

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index aff0f4801..5a7eef1b0 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -2485,6 +2485,9 @@ sub ProcessAttachments {
     my %args = (
         ARGSRef => {},
         Token   => '',
+        # For back-compatibility, CheckSize is not enabled by default. But for
+        # callers that mean to check returned values, it's safe to enable.
+        CheckSize => wantarray ? 1 : 0,
         @_
     );
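Review bot: The new `CheckSize => wantarray ? 1 : 0` default ties a server-side limit to the caller's evaluation context, so a void-context `ProcessAttachments(...)` silently skips the check while a list-context call enables it, and nothing at the call site shows which one is in effect. A context-independent default is easier to audit: keep `CheckSize => 0,` here for back-compatibility and have the two upload helpers pass `CheckSize => 1` explicitly. The comment should also state the contract the helpers now depend on, e.g. `# With CheckSize set, returns (0, $message) for an oversized file and 1 otherwise.` The ProcessAttachments signature and the rest of its body lie outside this hunk.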
 
@@ -2512,11 +2515,30 @@ sub ProcessAttachments {
         # hence it was not decoded along with all of the standard
         # arguments in DecodeARGS
         my $file_path = Encode::decode( "UTF-8", "$new");
+
+        if ( $args{CheckSize} and my $max_size = RT->Config->Get( 'MaxAttachmentSize' ) ) {
+            my $content = $attachment->bodyhandle->as_string;
+
+            # The same encoding overhead as in Record.pm
+            $max_size *= 3 / 4 if !$RT::Handle->BinarySafeBLOBs && $content =~ /\x00/;
+            if ( length $content > $max_size ) {
+                my $file_name = ( File::Spec->splitpath( $file_path ) )[ 2 ];
+                return (
+                    0,
+                    loc(
+                        "File '[_1]' size([_2] bytes) exceeds limit([_3] bytes)",
+                        $file_name, length $content, $max_size
+                    )
+                );
+            }
+        }
+
         $session{'Attachments'}{ $token }{ $file_path } = $attachment;
 
         $update_session = 1;
     }
     $session{'Attachments'} = $session{'Attachments'} if $update_session;
+    return 1;
 }
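Review bot: The early `return (0, loc(...))` inside the loop skips the trailing `$session{'Attachments'} = $session{'Attachments'} if $update_session;`, so attachments accepted earlier in the same call have been written into the nested hash but the reassignment that presumably flushes nested changes to the session store never runs. Recording the message, leaving the loop with `last` and returning after the reassignment keeps the accepted files and the rejected one consistent; the `my $error;` declaration would go before the loop, whose header is outside this hunk. Separately, `$attachment->bodyhandle->as_string` appears to pull the whole body into memory just to measure it, so this check bounds what gets stored, not what the request handler has already received; a request-body limit at the web server remains the control for upload-time memory. The message also reports the `3 / 4`-scaled limit rather than the configured `MaxAttachmentSize`, which may puzzle users comparing it with the configuration.
```perl
            if ( length $content > $max_size ) {
                my $file_name = ( File::Spec->splitpath( $file_path ) )[ 2 ];
                # Remember the failure, but fall through to the session update below
                $error = loc(
                    "File '[_1]' size([_2] bytes) exceeds limit([_3] bytes)",
                    $file_name, length $content, $max_size
                );
                last;
            }
        # … unchanged: storing $attachment in the session and setting $update_session …
    }
    $session{'Attachments'} = $session{'Attachments'} if $update_session;
    return ( 0, $error ) if defined $error;
    return 1;
```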
 
 
diff --git a/share/html/Helpers/Upload/Add b/share/html/Helpers/Upload/Add
index 2e8b064aa..b54cf3f58 100644
--- a/share/html/Helpers/Upload/Add
+++ b/share/html/Helpers/Upload/Add
@@ -51,8 +51,16 @@ $Token => ''
 
 <%init>
 
-ProcessAttachments( Token => $Token, ARGSRef => \%ARGS );
-$r->content_type('application/json; charset=utf-8');
-$m->out( JSON({status => 'success'}) );
+my ( $status, $msg ) = ProcessAttachments( Token => $Token, ARGSRef => \%ARGS );
+if ( $status ) {
+    $r->content_type( 'application/json; charset=utf-8' );
+    $m->out( JSON( { status => 'success' } ) );
+}
+else {
+    $r->status( 400 );
+    $r->content_type( 'text/plain; charset=utf-8' );
+    $m->out( $msg );
+}
+
 $m->abort;
 </%init>
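Review bot: The failure branch echoes `$msg`, which embeds the user-supplied file name, as a bare `text/plain` body while the success branch emits JSON, so the Dropzone client must handle two response shapes and the echoed name leaves the JSON envelope. Returning the same envelope on both paths, `$m->out( JSON( { status => 'error', message => $msg } ) );` under `application/json; charset=utf-8` with the 400 status kept, keeps the client logic uniform and keeps untrusted text inside a JSON string. The call also relies on the list-context default to turn the size check on; passing `CheckSize => 1` explicitly records that intent at the call site.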
diff --git a/share/html/SelfService/Helpers/Upload/Add b/share/html/SelfService/Helpers/Upload/Add
index 2e8b064aa..b54cf3f58 100644
--- a/share/html/SelfService/Helpers/Upload/Add
+++ b/share/html/SelfService/Helpers/Upload/Add
@@ -51,8 +51,16 @@ $Token => ''
 
 <%init>
 
-ProcessAttachments( Token => $Token, ARGSRef => \%ARGS );
-$r->content_type('application/json; charset=utf-8');
-$m->out( JSON({status => 'success'}) );
+my ( $status, $msg ) = ProcessAttachments( Token => $Token, ARGSRef => \%ARGS );
+if ( $status ) {
+    $r->content_type( 'application/json; charset=utf-8' );
+    $m->out( JSON( { status => 'success' } ) );
+}
+else {
+    $r->status( 400 );
+    $r->content_type( 'text/plain; charset=utf-8' );
+    $m->out( $msg );
+}
+
 $m->abort;
 </%init>
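Review bot: This component is byte-for-byte identical to share/html/Helpers/Upload/Add (both index lines carry the same blob ids `2e8b064aa..b54cf3f58`), so the same fix had to be applied twice and any later change to one, such as switching the error reply to JSON, will silently diverge from the other. If the SelfService access rules allow an internal component call, the SelfService helper could delegate with `$m->comp( '/Helpers/Upload/Add', %ARGS );` instead of duplicating the logic; otherwise a short comment here noting that the two files must be kept in sync would at least make the coupling visible.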

-----------------------------------------------------------------------

