From ee2bcdec653edfc5316164f2a58bda64ed8b761f Mon Sep 17 00:00:00 2001 From: Mark Haines Date: Wed, 3 Sep 2014 17:04:00 +0100 Subject: [PATCH] Limit the size of uploads --- synapse/config/homeserver.py | 3 ++- synapse/config/repository.py | 39 ++++++++++++++++++++++++++++++ synapse/http/content_repository.py | 14 +++++++++++ 3 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 synapse/config/repository.py diff --git a/synapse/config/homeserver.py b/synapse/config/homeserver.py index a9aa4c735..1318a0eea 100644 --- a/synapse/config/homeserver.py +++ b/synapse/config/homeserver.py @@ -18,9 +18,10 @@ from .server import ServerConfig from .logger import LoggingConfig from .database import DatabaseConfig from .ratelimiting import RatelimitConfig +from .repository import ContentRepositoryConfig class HomeServerConfig(TlsConfig, ServerConfig, DatabaseConfig, LoggingConfig, - RatelimitConfig): + RatelimitConfig, ContentRepositoryConfig): pass if __name__=='__main__': diff --git a/synapse/config/repository.py b/synapse/config/repository.py new file mode 100644 index 000000000..407c8d6c2 --- /dev/null +++ b/synapse/config/repository.py @@ -0,0 +1,39 @@ +# -*- coding: utf-8 -*- +# Copyright 2014 matrix.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from ._base import Config +import os + +class ContentRepositoryConfig(Config): + def __init__(self, args): + super(ContentRepositoryConfig, self).__init__(args) + self.max_upload_size = self.parse_size(args.max_upload_size) + + def parse_size(self, string): + sizes = {"K": 1024, "M": 1024 * 1024} + size = 1 + suffix = string[-1] + if suffix in sizes: + string = string[:-1] + size = sizes[suffix] + return int(string) * size + + @classmethod + def add_arguments(cls, parser): + super(ContentRepositoryConfig, cls).add_arguments(parser) + db_group = parser.add_argument_group("content_repository") + db_group.add_argument( + "--max-upload-size", default="1M" + ) diff --git a/synapse/http/content_repository.py b/synapse/http/content_repository.py index 5f5cd9b9e..6a80c5f2c 100644 --- a/synapse/http/content_repository.py +++ b/synapse/http/content_repository.py @@ -56,6 +56,7 @@ class ContentRepoResource(resource.Resource): self.directory = directory self.auth = auth self.external_addr = external_addr.rstrip('/') + self.max_upload_size = hs.config.max_upload_size if not os.path.isdir(self.directory): os.mkdir(self.directory) @@ -155,6 +156,19 @@ class ContentRepoResource(resource.Resource): @defer.inlineCallbacks def _async_render(self, request): try: + # TODO: The checks here are a bit late. The content will have + # already been uploaded to a tmp file at this point + content_length = request.getHeader("Content-Length") + if content_length is None: + raise SynapseError( + msg="Request must specify a Content-Length", code=400 + ) + if int(content_length) > self.max_upload_size: + raise SynapseError( + msg="Upload request body is too large", + code=413, + ) + fname = yield self.map_request_to_name(request) # TODO I have a suspcious feeling this is just going to block