2023-05-17 Fred Gleason <fredg@paravelsystems.com>

* Fixed a regression in the WebAPI that caused imports to bypass the
	maximum file size limitation set the 'System Settings' in rdadmin(1).

Signed-off-by: Fred Gleason <fredg@paravelsystems.com>

ChangeLog

@@ -24121,3 +24121,6 @@
 2023-05-16 Fred Gleason <fredg@paravelsystems.com>
 	* Refactored rdrssd(8) to process feeds at two seconds after each
 	minute.
+2023-05-17 Fred Gleason <fredg@paravelsystems.com>
+	* Fixed a regression in the WebAPI that caused imports to bypass the
+	maximum file size limitation set the 'System Settings' in rdadmin(1).

lib/rdformpost.cpp

@@ -33,7 +33,7 @@
 
 #include <rdformpost.h>
 
-RDFormPost::RDFormPost(RDFormPost::Encoding encoding,unsigned maxsize,
+RDFormPost::RDFormPost(RDFormPost::Encoding encoding,int64_t maxsize,
 		       bool auto_delete)
 {
   bool ok=false;
@@ -70,8 +70,12 @@ RDFormPost::RDFormPost(RDFormPost::Encoding encoding,unsigned maxsize,
     post_error=RDFormPost::ErrorPostTooLarge;
     return;
   }
-  post_content_length=QString(getenv("CONTENT_LENGTH")).toUInt(&ok);
-  if((!ok)||((maxsize>0)&&(post_content_length>maxsize))) {
+  post_content_length=QString(getenv("CONTENT_LENGTH")).toLongLong(&ok);
+  if((!ok)||(post_content_length<0)) {
+    post_error=RDFormPost::ErrorMalformedData;
+    return;
+  }
+  if((maxsize>0)&&(post_content_length>maxsize)) {
     post_error=RDFormPost::ErrorPostTooLarge;
     return;
   }
@@ -562,7 +566,8 @@ void RDFormPost::LoadUrlEncoding(char first)
     total_read+=n;
   }
 
-  post_data[post_content_length]=0;
+  //  post_data[post_content_length]=0;
+  post_data[total_read]=0;
   lines=QString(post_data).split("&");
   for(int i=0;i<lines.size();i++) {
     line=lines[i].split("=",QString::KeepEmptyParts);

lib/rdformpost.h

@@ -37,7 +37,7 @@ class RDFormPost
   enum Encoding {UrlEncoded=0,MultipartEncoded=1,AutoEncoded=2};
   enum Error {ErrorOk=0,ErrorNotPost=1,ErrorNoTempDir=2,ErrorMalformedData=3,
 	      ErrorPostTooLarge=4,ErrorInternal=5,ErrorNotInitialized=6};
-  RDFormPost(RDFormPost::Encoding encoding,unsigned maxsize=0,
+  RDFormPost(RDFormPost::Encoding encoding,int64_t maxsize=0,
 	     bool auto_delete=true);
   ~RDFormPost();
   RDFormPost::Error error() const;
@@ -76,7 +76,7 @@ class RDFormPost
   QMap<QString,bool> post_filenames;
   RDTempDirectory *post_tempdir;
   bool post_auto_delete;
-  unsigned post_content_length;
+  int64_t post_content_length;
   QString post_content_type;
   char *post_data;
   QString post_separator;

lib/rdsystem.cpp

@@ -106,14 +106,14 @@ void RDSystem::setFixDuplicateCartTitles(bool state) const
 }
 
 
-unsigned RDSystem::maxPostLength() const
+int64_t RDSystem::maxPostLength() const
 {
-  unsigned ret;
+  int64_t ret;
 
   QString sql="select `MAX_POST_LENGTH` from `SYSTEM`";
   RDSqlQuery *q=new RDSqlQuery(sql);
   if(q->first()) {
-    ret=q->value(0).toUInt();
+    ret=q->value(0).toLongLong();
   }
   else {
     ret=RD_DEFAULT_MAX_POST_LENGTH;
@@ -123,10 +123,10 @@ unsigned RDSystem::maxPostLength() const
 }
 
 
-void RDSystem::setMaxPostLength(unsigned bytes) const
+void RDSystem::setMaxPostLength(int64_t bytes) const
 {
   QString sql=
-    QString::asprintf("update `SYSTEM` set `MAX_POST_LENGTH`=%u",bytes);
+    QString::asprintf("update `SYSTEM` set `MAX_POST_LENGTH`=%ld",bytes);
   RDSqlQuery::apply(sql);
 }
 

lib/rdsystem.h

@@ -2,7 +2,7 @@
 //
 // System-wide Rivendell settings
 //
-//   (C) Copyright 2009-2021 Fred Gleason <fredg@paravelsystems.com>
+//   (C) Copyright 2009-2023 Fred Gleason <fredg@paravelsystems.com>
 //
 //   This program is free software; you can redistribute it and/or modify
 //   it under the terms of the GNU General Public License version 2 as
@@ -36,8 +36,8 @@ class RDSystem
   void setAllowDuplicateCartTitles(bool state) const;
   bool fixDuplicateCartTitles() const;
   void setFixDuplicateCartTitles(bool state) const;
-  unsigned maxPostLength() const;
-  void setMaxPostLength(unsigned bytes) const;
+  int64_t maxPostLength() const;
+  void setMaxPostLength(int64_t bytes) const;
   QString isciXreferencePath() const;
   void setIsciXreferencePath(const QString &str) const;
   QString originEmailAddress() const;

lib/rdweb.cpp

@@ -80,6 +80,17 @@ QString RDXmlField(const QString &tag,const int value,const QString &attrs)
 }
 
 
+QString RDXmlField(const QString &tag,const int64_t value,const QString &attrs)
+{
+  QString str="";
+
+  if(!attrs.isEmpty()) {
+    str=" "+attrs;
+  }
+  return QString("<")+tag+str+">"+QString::asprintf("%ld",value)+"</"+tag+">\n";
+}
+
+
 QString RDXmlField(const QString &tag,const unsigned value,const QString &attrs)
 {
   QString str="";

lib/rdweb.h

@@ -38,6 +38,8 @@ extern QString RDXmlField(const QString &tag,const char *value,
 			  const QString &attrs="");
 extern QString RDXmlField(const QString &tag,const int value,
 			  const QString &attrs="");
+extern QString RDXmlField(const QString &tag,const int64_t value,
+			  const QString &attrs="");
 extern QString RDXmlField(const QString &tag,const unsigned value,
 			  const QString &attrs="");
 extern QString RDXmlField(const QString &tag,const bool value,

web/rdxport/rdxport.cpp

@@ -112,7 +112,8 @@ Xport::Xport(QObject *parent)
   //
   // Generate Post
   //
-  xport_post=new RDFormPost(RDFormPost::AutoEncoded,false);
+  xport_post=new RDFormPost(RDFormPost::AutoEncoded,
+			    rda->system()->maxPostLength(),false);
   if(xport_post->error()!=RDFormPost::ErrorOk) {
     XmlExit(xport_post->errorString(xport_post->error()),400,"rdxport.cpp",
 	    LINE_NUMBER);