Mercurial > prosody-hg
comparison plugins/mod_http_file_share.lua @ 11314:7c8b02c5a335
mod_http_file_share: Add file size limit (default 10M)
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 26 Jan 2021 14:53:24 +0100 |
| parents | e53894d26092 |
| children | c52fcea39c8e |
comparison
equal
deleted
inserted
replaced
| 11313:e53894d26092 | 11314:7c8b02c5a335 |
|---|---|
| 12 local st = require "util.stanza"; | 12 local st = require "util.stanza"; |
| 13 local url = require "socket.url"; | 13 local url = require "socket.url"; |
| 14 local dm = require "core.storagemanager".olddm; | 14 local dm = require "core.storagemanager".olddm; |
| 15 local jwt = require "util.jwt"; | 15 local jwt = require "util.jwt"; |
| 16 local errors = require "util.error"; | 16 local errors = require "util.error"; |
| 17 local dataform = require "util.dataforms".new; | |
| 17 | 18 |
| 18 local namespace = "urn:xmpp:http:upload:0"; | 19 local namespace = "urn:xmpp:http:upload:0"; |
| 19 | 20 |
| 20 module:depends("disco"); | 21 module:depends("disco"); |
| 21 | 22 |
| 25 local uploads = module:open_store("uploads", "archive"); | 26 local uploads = module:open_store("uploads", "archive"); |
| 26 -- id, <request>, time, owner | 27 -- id, <request>, time, owner |
| 27 | 28 |
| 28 local secret = module:get_option_string(module.name.."_secret", require"util.id".long()); | 29 local secret = module:get_option_string(module.name.."_secret", require"util.id".long()); |
| 29 local external_base_url = module:get_option_string(module.name .. "_base_url"); | 30 local external_base_url = module:get_option_string(module.name .. "_base_url"); |
| 31 local file_size_limit = module:get_option_number(module.name .. "_size_limit", 10 * 1024 * 1024); -- 10 MB | |
| 30 | 32 |
| 31 local access = module:get_option_set(module.name .. "_access", {}); | 33 local access = module:get_option_set(module.name .. "_access", {}); |
| 32 | 34 |
| 33 if not external_base_url then | 35 if not external_base_url then |
| 34 module:depends("http"); | 36 module:depends("http"); |
| 35 end | 37 end |
| 38 | |
| 39 module:add_extension(dataform { | |
| 40 { name = "FORM_TYPE", type = "hidden", value = namespace }, | |
| 41 { name = "max-file-size", type = "text-single" }, | |
| 42 }:form({ ["max-file-size"] = tostring(file_size_limit) }, "result")); | |
| 36 | 43 |
| 37 local upload_errors = errors.init(module.name, namespace, { | 44 local upload_errors = errors.init(module.name, namespace, { |
| 38 access = { "auth"; "forbidden" }; | 45 access = { "auth"; "forbidden" }; |
| 39 filename = { "modify"; "bad-request", "Invalid filename" }; | 46 filename = { "modify"; "bad-request", "Invalid filename" }; |
| 47 filesize = { "modify"; "not-acceptable"; "File too large"; | |
| 48 st.stanza("file-too-large", {xmlns = namespace}):tag("max-size"):text(tostring(file_size_limit)); }; | |
| 40 }); | 49 }); |
| 41 | 50 |
| 42 function may_upload(uploader, filename, filesize, filetype) -- > boolean, error | 51 function may_upload(uploader, filename, filesize, filetype) -- > boolean, error |
| 43 local uploader_host = jid.host(uploader); | 52 local uploader_host = jid.host(uploader); |
| 44 if not ((access:empty() and prosody.hosts[uploader_host]) or access:contains(uploader) or access:contains(uploader_host)) then | 53 if not ((access:empty() and prosody.hosts[uploader_host]) or access:contains(uploader) or access:contains(uploader_host)) then |
| 46 end | 55 end |
| 47 | 56 |
| 48 if not filename or filename:find"/" then | 57 if not filename or filename:find"/" then |
| 49 -- On Linux, only '/' and '\0' are invalid in filenames and NUL can't be in XML | 58 -- On Linux, only '/' and '\0' are invalid in filenames and NUL can't be in XML |
| 50 return false, upload_errors.new("filename"); | 59 return false, upload_errors.new("filename"); |
| 60 end | |
| 61 | |
| 62 if filesize > file_size_limit then | |
| 63 return false, upload_errors.new("filesize"); | |
| 51 end | 64 end |
| 52 | 65 |
| 53 return true; | 66 return true; |
| 54 end | 67 end |
| 55 | 68 |
