Upload: Reject files that exceed the originals limit #4929 #4895 #2049

Signed-off-by: Michael Mayer <michael@photoprism.app>
Michael Mayer
2025-04-05 12:43:51 +02:00
parent b0e42bebf1
commit fe424d8966
5 changed files with 13 additions and 5 deletions


@@ -92,6 +92,7 @@ func UploadUserFiles(router *gin.RouterGroup) {
allowedExt := conf.UploadAllow() allowedExt := conf.UploadAllow()
rejectArchives := !conf.UploadArchives() rejectArchives := !conf.UploadArchives()
rejectRaw := conf.DisableRaw() rejectRaw := conf.DisableRaw()
sizeLimit := conf.OriginalsLimitBytes()
// Save uploaded files and append their names // Save uploaded files and append their names
// to "uploads" if they pass all checks. // to "uploads" if they pass all checks.
@@ -107,6 +108,9 @@ func UploadUserFiles(router *gin.RouterGroup) {
} else if allowedExt.Excludes(fileType.DefaultExt()) { } else if allowedExt.Excludes(fileType.DefaultExt()) {
log.Errorf("upload: rejected %s because its extension is not allowed", clean.Log(baseName)) log.Errorf("upload: rejected %s because its extension is not allowed", clean.Log(baseName))
continue continue
} else if sizeLimit > 0 && file.Size > sizeLimit {
log.Errorf("upload: rejected %s because its size exceeds the file size limit", clean.Log(baseName))
continue
} }
// Save uploaded file in the user upload path. // Save uploaded file in the user upload path.
@@ -128,7 +132,7 @@ func UploadUserFiles(router *gin.RouterGroup) {
continue continue
} }
zipFiles, zipErr := fs.Unzip(destName, uploadDir) zipFiles, zipErr := fs.Unzip(destName, uploadDir, sizeLimit)
logWarn("upload", os.Remove(destName)) logWarn("upload", os.Remove(destName))
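Review bot: The new `file.Size > sizeLimit` branch is a per-file check inside the loop over form files that have presumably already been parsed, so it stops an oversized file from being saved but probably not from being received and buffered first. The request parsing is outside this hunk, so confirm that the body is capped earlier (for example with `http.MaxBytesReader`) if that matters for this endpoint. The log line would be easier to act on with both values, e.g. `log.Errorf("upload: rejected %s because its size of %d bytes exceeds the limit of %d bytes", clean.Log(baseName), file.Size, sizeLimit)`. For archives, `fs.Unzip(destName, uploadDir, sizeLimit)` applies the same limit to each entry separately, so a zip that passes this check can still expand to several times `sizeLimit` in `uploadDir`. UploadUserFiles starts and ends outside the hunks shown.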


@@ -15,6 +15,8 @@ import (
) )
func TestMain(m *testing.M) { func TestMain(m *testing.M) {
_ = os.Setenv("TF_CPP_MIN_LOG_LEVEL", "2")
log = logrus.StandardLogger() log = logrus.StandardLogger()
log.SetLevel(logrus.TraceLevel) log.SetLevel(logrus.TraceLevel)
event.AuditLog = log event.AuditLog = log


@@ -347,7 +347,7 @@ func (c *Config) DownloadTestData() error {
// UnzipTestData extracts tests files from the zip archive. // UnzipTestData extracts tests files from the zip archive.
func (c *Config) UnzipTestData() error { func (c *Config) UnzipTestData() error {
if _, err := fs.Unzip(TestDataZip, c.StoragePath()); err != nil { if _, err := fs.Unzip(TestDataZip, c.StoragePath(), 2*fs.GB); err != nil {
return fmt.Errorf("config: could not unzip test data: %s", err.Error()) return fmt.Errorf("config: could not unzip test data: %s", err.Error())
} }


@@ -91,7 +91,7 @@ func ZipFile(zipWriter *zip.Writer, fileName, fileAlias string, compress bool) (
} }
// Unzip extracts the contents of a zip file to the target directory. // Unzip extracts the contents of a zip file to the target directory.
func Unzip(zipName, dir string) (files []string, err error) { func Unzip(zipName, dir string, sizeLimit int64) (files []string, err error) {
zipReader, err := zip.OpenReader(zipName) zipReader, err := zip.OpenReader(zipName)
if err != nil { if err != nil {
@@ -104,6 +104,8 @@ func Unzip(zipName, dir string) (files []string, err error) {
// Skip directories like __OSX and potentially malicious file names containing "..". // Skip directories like __OSX and potentially malicious file names containing "..".
if strings.HasPrefix(zipFile.Name, "__") || strings.Contains(zipFile.Name, "..") { if strings.HasPrefix(zipFile.Name, "__") || strings.Contains(zipFile.Name, "..") {
continue continue
} else if sizeLimit > 0 && zipFile.UncompressedSize64 > uint64(sizeLimit) {
continue
} }
fileName, unzipErr := UnzipFile(zipFile, dir) fileName, unzipErr := UnzipFile(zipFile, dir)
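Review bot: Entries over the limit are dropped with a bare `continue` in Unzip, so the caller gets neither an error nor a log line and cannot tell a complete extraction from a partial one, unlike the upload handler, which logs each rejection. The check is also per entry: nothing sums `zipFile.UncompressedSize64` across the archive, so many entries just under `sizeLimit` still extract in full; a running total compared against a budget would bound that. The value compared is the size declared in the archive, and UnzipFile is outside this hunk, so whether the bytes actually written are bounded cannot be confirmed here. The doc comment should state the contract, e.g. `// Unzip extracts the contents of a zip file to dir, skipping entries whose uncompressed size exceeds sizeLimit; a sizeLimit <= 0 disables the check.` The body of Unzip continues outside the hunk.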


@@ -27,7 +27,7 @@ func TestZip(t *testing.T) {
t.Logf("%s: %d bytes", zipName, info.Size()) t.Logf("%s: %d bytes", zipName, info.Size())
} }
if unzipFiles, err := Unzip(zipName, unzipDir); err != nil { if unzipFiles, err := Unzip(zipName, unzipDir, 2*GB); err != nil {
t.Error(err) t.Error(err)
} else { } else {
t.Logf("%s: %#v", zipName, unzipFiles) t.Logf("%s: %#v", zipName, unzipFiles)
@@ -59,7 +59,7 @@ func TestZip(t *testing.T) {
t.Logf("%s: %d bytes", zipName, info.Size()) t.Logf("%s: %d bytes", zipName, info.Size())
} }
if unzipFiles, err := Unzip(zipName, unzipDir); err != nil { if unzipFiles, err := Unzip(zipName, unzipDir, 2*GB); err != nil {
t.Error(err) t.Error(err)
} else { } else {
t.Logf("%s: %#v", zipName, unzipFiles) t.Logf("%s: %#v", zipName, unzipFiles)
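Review bot: Both updated calls in TestZip pass `2*GB`, so the new skip branch in Unzip is never exercised by these tests. Add a case that extracts the same archive with a limit smaller than one of its entries and asserts that the entry is absent from the returned list, plus one with a `sizeLimit` of 0 to pin the "no limit" behaviour. TestZip starts and ends outside the hunks shown.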