pegasus/unrealircd
1
0
Fork 0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-06-12 17:14:46 +02:00
Code Activity

OutgoingWebRequest max_size is now also obeyed for file-backed URL API.

Browse Source 
And the defines are more clear now (if .max_size is not set by caller.

DOWNLOAD_MAX_SIZE_MEMORY_BACKED: 1M
DOWNLOAD_MAX_SIZE_FILE_BACKED: 50M

The file-backed is mostly a defense-in-depth measure, so we don't
store infinite amounts of data in a download. Even though, in practice,
these - at least at the moment in unrealircd itself - all come from
trusted paths like remote includes.

In url_unreal.c we do the counting ourselves. In url_curl.c we use the
option CURLOPT_MAXFILESIZE_LARGE but this does not ensure it in all
cases so we still do our own counting as well in that file as well.
This commit is contained in:
Bram Matthys
2026-05-17 10:28:06 +02:00
parent 8b93339e42
commit b46c0f20ab
4 changed files with 54 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
include/config.h
+9 -4
View File
@@ -211,11 +211,16 @@
#define DOWNLOAD_MAX_REDIRECTS 2
/* Default maximum size (in bytes) for memory-backed HTTP responses
* (i.e. when OutgoingWebRequest.store_in_file == 0). Responses exceeding
* this are rejected and the transfer is aborted. Callers can override
* by setting OutgoingWebRequest.max_size before url_start_async().
* (store_in_file being 0). Responses exceeding this are rejected.
* API callers override this by setting .max_size before url_start_async().
*/
#define DOWNLOAD_MAX_SIZE 1048576
#define DOWNLOAD_MAX_SIZE_MEMORY_BACKED 1048576
/* Default maximum size (in bytes) for file-backed HTTP responses
* (store_in_file being 1). Responses exceeding this are rejected.
* API callers override this by setting .max_size before url_start_async().
*/
#define DOWNLOAD_MAX_SIZE_FILE_BACKED 52428800
/*
* Max time from the nickname change that still causes KILL
include/struct.h
+5 -2
View File
@@ -1982,8 +1982,11 @@ struct OutgoingWebRequest
int connect_timeout; /**< How many seconds to wait for the (TLS) connect to succeed */
int transfer_timeout; /**< How many seconds the total transfer may take (connect+reading everything) */
int minimum_tls_version;
long long max_size; /**< Max response size for memory-backed downloads, in bytes.
* 0 = use DOWNLOAD_MAX_SIZE. Ignored for file-backed. */
long long max_size; /**< Max response size, in bytes. 0 selects a default
* based on the download mode:
* DOWNLOAD_MAX_SIZE_MEMORY_BACKED (small, since it
* sits in RAM) or DOWNLOAD_MAX_SIZE_FILE_BACKED
* (larger). */
// If you are adding fields here:
// 1) update duplicate_outgoingwebrequest() in src/misc.c
// 2) and update free_outgoingwebrequest() there as well (if something needs to be freed)