From 5eb1c392311cde904a3dab289ae58c04be03eaf9 Mon Sep 17 00:00:00 2001 From: Fred Gleason Date: Wed, 17 May 2023 13:19:59 -0400 Subject: [PATCH] 2023-05-17 Fred Gleason * Fixed a regression in the WebAPI that caused imports to bypass the maximum file size limitation set the 'System Settings' in rdadmin(1). Signed-off-by: Fred Gleason --- ChangeLog | 3 +++ lib/rdformpost.cpp | 13 +++++++++---- lib/rdformpost.h | 4 ++-- lib/rdsystem.cpp | 10 +++++----- lib/rdsystem.h | 6 +++--- lib/rdweb.cpp | 11 +++++++++++ lib/rdweb.h | 2 ++ web/rdxport/rdxport.cpp | 3 ++- 8 files changed, 37 insertions(+), 15 deletions(-) diff --git a/ChangeLog b/ChangeLog index 58e2426a..e0938b9c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24121,3 +24121,6 @@ 2023-05-16 Fred Gleason * Refactored rdrssd(8) to process feeds at two seconds after each minute. +2023-05-17 Fred Gleason + * Fixed a regression in the WebAPI that caused imports to bypass the + maximum file size limitation set the 'System Settings' in rdadmin(1). diff --git a/lib/rdformpost.cpp b/lib/rdformpost.cpp index 1882852e..a3cd7097 100644 --- a/lib/rdformpost.cpp +++ b/lib/rdformpost.cpp @@ -33,7 +33,7 @@ #include -RDFormPost::RDFormPost(RDFormPost::Encoding encoding,unsigned maxsize, +RDFormPost::RDFormPost(RDFormPost::Encoding encoding,int64_t maxsize, bool auto_delete) { bool ok=false; @@ -70,8 +70,12 @@ RDFormPost::RDFormPost(RDFormPost::Encoding encoding,unsigned maxsize, post_error=RDFormPost::ErrorPostTooLarge; return; } - post_content_length=QString(getenv("CONTENT_LENGTH")).toUInt(&ok); - if((!ok)||((maxsize>0)&&(post_content_length>maxsize))) { + post_content_length=QString(getenv("CONTENT_LENGTH")).toLongLong(&ok); + if((!ok)||(post_content_length<0)) { + post_error=RDFormPost::ErrorMalformedData; + return; + } + if((maxsize>0)&&(post_content_length>maxsize)) { post_error=RDFormPost::ErrorPostTooLarge; return; } 
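Review bot: The size check `if((maxsize>0)&&(post_content_length>maxsize))` in the second lib/rdformpost.cpp hunk is skipped whenever `maxsize` is zero or negative, and with the parameter now a signed `int64_t`, a negative `MAX_POST_LENGTH` read from the database silently means no limit at all. If only 0 is meant to disable the limit, say so in a comment and fail closed on negatives, for example `if(maxsize<0) { post_error=RDFormPost::ErrorPostTooLarge; return; }` ahead of the comparison. `CONTENT_LENGTH` is a client-declared value, and the code that sizes `post_data` and reads the body lies outside this hunk, so it should be confirmed that a very large declared length cannot drive an oversized allocation when no limit is configured. The constructor body continues past the end of the hunk.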
@@ -562,7 +566,8 @@ void RDFormPost::LoadUrlEncoding(char first) total_read+=n; } - post_data[post_content_length]=0; + // post_data[post_content_length]=0; + post_data[total_read]=0; lines=QString(post_data).split("&"); for(int i=0;i post_filenames; RDTempDirectory *post_tempdir; bool post_auto_delete; - unsigned post_content_length; + int64_t post_content_length; QString post_content_type; char *post_data; QString post_separator; diff --git a/lib/rdsystem.cpp b/lib/rdsystem.cpp index 232a89d9..8c331f1c 100644 --- a/lib/rdsystem.cpp +++ b/lib/rdsystem.cpp @@ -106,14 +106,14 @@ void RDSystem::setFixDuplicateCartTitles(bool state) const } -unsigned RDSystem::maxPostLength() const +int64_t RDSystem::maxPostLength() const { - unsigned ret; + int64_t ret; QString sql="select `MAX_POST_LENGTH` from `SYSTEM`"; RDSqlQuery *q=new RDSqlQuery(sql); if(q->first()) { - ret=q->value(0).toUInt(); + ret=q->value(0).toLongLong(); } else { ret=RD_DEFAULT_MAX_POST_LENGTH; @@ -123,10 +123,10 @@ unsigned RDSystem::maxPostLength() const } -void RDSystem::setMaxPostLength(unsigned bytes) const +void RDSystem::setMaxPostLength(int64_t bytes) const { QString sql= - QString::asprintf("update `SYSTEM` set `MAX_POST_LENGTH`=%u",bytes); + QString::asprintf("update `SYSTEM` set `MAX_POST_LENGTH`=%ld",bytes); RDSqlQuery::apply(sql); } diff --git a/lib/rdsystem.h b/lib/rdsystem.h index e88c6519..435f7769 100644 --- a/lib/rdsystem.h +++ b/lib/rdsystem.h @@ -2,7 +2,7 @@ // // System-wide Rivendell settings // -// (C) Copyright 2009-2021 Fred Gleason +// (C) Copyright 2009-2023 Fred Gleason // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License version 2 as 
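Review bot: The commented-out `// post_data[post_content_length]=0;` left above the new terminator in LoadUrlEncoding() should be deleted and replaced by a comment that records why `total_read` is used, such as `// Terminate at the bytes actually read; the body may be shorter than CONTENT_LENGTH`. The read loop that advances `total_read` begins outside this hunk, so it is worth confirming there that `total_read` can never exceed the allocated size of `post_data` minus one, now that `post_content_length` is a 64-bit value taken from the request. `QString(post_data)` also stops at the first NUL byte in the body, which is presumably acceptable for URL-encoded data but could be noted in the same comment.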
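Review bot: `%ld` in setMaxPostLength() is the wrong conversion for `int64_t` on any target where `long` is 32 bits, so the value written to `MAX_POST_LENGTH` can be truncated or undefined there. The same specifier appears in the new `RDXmlField(const QString &tag,const int64_t value,...)` overload in lib/rdweb.cpp. Use a width-independent form in both places, either `"%lld",(long long)bytes` or `QString::number(bytes)`. Since this setter is what stores the upload limit, it would also be reasonable to refuse a negative `bytes` here rather than write it to the table.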
@@ -36,8 +36,8 @@ class RDSystem void setAllowDuplicateCartTitles(bool state) const; bool fixDuplicateCartTitles() const; void setFixDuplicateCartTitles(bool state) const; - unsigned maxPostLength() const; - void setMaxPostLength(unsigned bytes) const; + int64_t maxPostLength() const; + void setMaxPostLength(int64_t bytes) const; QString isciXreferencePath() const; void setIsciXreferencePath(const QString &str) const; QString originEmailAddress() const; diff --git a/lib/rdweb.cpp b/lib/rdweb.cpp index 7160a132..0c31351c 100644 --- a/lib/rdweb.cpp +++ b/lib/rdweb.cpp @@ -80,6 +80,17 @@ QString RDXmlField(const QString &tag,const int value,const QString &attrs) } +QString RDXmlField(const QString &tag,const int64_t value,const QString &attrs) +{ + QString str=""; + + if(!attrs.isEmpty()) { + str=" "+attrs; + } + return QString("<")+tag+str+">"+QString::asprintf("%ld",value)+"\n"; +} + + QString RDXmlField(const QString &tag,const unsigned value,const QString &attrs) { QString str=""; diff --git a/lib/rdweb.h b/lib/rdweb.h index f12c2d2f..dac9e1b0 100644 --- a/lib/rdweb.h +++ b/lib/rdweb.h @@ -38,6 +38,8 @@ extern QString RDXmlField(const QString &tag,const char *value, const QString &attrs=""); extern QString RDXmlField(const QString &tag,const int value, const QString &attrs=""); +extern QString RDXmlField(const QString &tag,const int64_t value, + const QString &attrs=""); extern QString RDXmlField(const QString &tag,const unsigned value, const QString &attrs=""); extern QString RDXmlField(const QString &tag,const bool value, diff --git a/web/rdxport/rdxport.cpp b/web/rdxport/rdxport.cpp index 46bdafde..213cf7bd 100644 --- a/web/rdxport/rdxport.cpp +++ b/web/rdxport/rdxport.cpp 
@@ -112,7 +112,8 @@ Xport::Xport(QObject *parent)
 //
 // Generate Post
 //
- xport_post=new RDFormPost(RDFormPost::AutoEncoded,false);
+ xport_post=new RDFormPost(RDFormPost::AutoEncoded,
+ rda->system()->maxPostLength(),false);
 if(xport_post->error()!=RDFormPost::ErrorOk) {
 XmlExit(xport_post->errorString(xport_post->error()),400,"rdxport.cpp",
 LINE_NUMBER);
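Review bot: Any other two-argument `RDFormPost(encoding,false)` call outside this diff would still construct the post with `maxsize` 0 and therefore no size limit, because the new `int64_t maxsize` parameter accepts a `bool` as silently as the old `unsigned` did. The removed line shows that this conversion is how the limit was bypassed in the first place. It is worth auditing the remaining callers, and one option is to declare `RDFormPost(RDFormPost::Encoding,bool)=delete;` in lib/rdformpost.h so the mistake fails at compile time (callers passing an integer literal would then need an explicit `int64_t`). A short comment at this call, for example `// Limit comes from SYSTEM.MAX_POST_LENGTH; 0 disables the check`, would make the dependency visible. Xport::Xport() continues outside the hunk.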