Limits the size of uploaded files.

OneGov · Jun 1, 2015 · d549995 · d549995
1 parent 45842b5
commit d549995
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 2 deletions.
diff --git a/HISTORY.rst b/HISTORY.rst
@@ -4,6 +4,9 @@ Changelog
 Unreleased
 ~~~~~~~~~~
 
+- Limits the size of uploaded files.
+  [href]
+
 - No longer stores the csrf_token with the form submission.
   [href]
 

diff --git a/onegov/form/parser/core.py b/onegov/form/parser/core.py
@@ -270,7 +270,7 @@
     time,
 )
 from onegov.form.utils import label_to_field_id
-from onegov.form.validators import Stdnum, ExpectedExtensions
+from onegov.form.validators import Stdnum, ExpectedExtensions, FileSizeLimit
 from wtforms import (
     FileField,
     PasswordField,
@@ -313,6 +313,18 @@
 ])
 
 
+# increasing the default filesize is *strongly discouarged*, as we are not
+# storing those files efficently yet -> they need to fit in memory
+#
+# if this value should be higher, we need to either:
+# * store the files outside the database
+# * store the files in a separate table where they are not read into memory
+#   as frequently as they are now
+#
+MEGABYTE = 1024 ** 2
+DEFAULT_UPLOAD_LIMIT = 5 * MEGABYTE
+
+
 class CustomLoader(yaml.SafeLoader):
     """ Extends the default yaml loader with customized constructors. """
 
@@ -501,7 +513,10 @@ def handle_block(builder, block, dependency=None):
             label=identifier.label,
             dependency=dependency,
             required=identifier.required,
-            validators=[ExpectedExtensions(field.extensions)]
+            validators=[
+                ExpectedExtensions(field.extensions),
+                FileSizeLimit(DEFAULT_UPLOAD_LIMIT)
+            ]
         )
     elif field.type == 'radio':
         choices = [(c.label, c.label) for c in field.choices]

diff --git a/onegov/form/validators.py b/onegov/form/validators.py
@@ -1,4 +1,5 @@
 import importlib
+import os
 
 from stdnum.exceptions import ValidationError as StdnumValidationError
 from wtforms import ValidationError
@@ -45,3 +46,17 @@ def __init__(self, extensions):
     def __call__(self, form, field):
         if not field.data.filename.endswith(self.extensions):
             raise ValidationError(field.gettext(u'Invalid input.'))
+
+
+class FileSizeLimit(object):
+    """ Makes sure an uploaded file is not bigger than the given number of
+    bytes.
+
+    """
+
+    def __init__(self, max_bytes):
+        self.max_bytes = max_bytes
+
+    def __call__(self, form, field):
+        if os.fstat(field.data.file.fileno()).st_size > self.max_bytes:
+            raise ValidationError(field.gettext(u'Invalid input.'))