Deferred upload length can bypass upload size limit #1032

Open
Acconut opened this issue Nov 20, 2023 · 0 comments
Acconut commented Nov 20, 2023

Describe the bug

Using Upload-Defer-Length: 1 a client can upload more data than specified in -max-size.

To Reproduce

  1. Start tusd: tusd -max-size 100
  2. Create upload:
~ $ curl -X POST http://localhost:8080/files/ -H 'Tus-Resumable: 1.0.0' -H 'Upload-Defer-Length: 1' -i
HTTP/1.1 201 Created
Location: http://localhost:8080/files/4d1a061a6aa14c9f4b802640a1b31574
Tus-Resumable: 1.0.0
X-Content-Type-Options: nosniff
Date: Mon, 20 Nov 2023 11:18:28 GMT
Content-Length: 0

~ $ curl -X PATCH http://localhost:8080/files/4d1a061a6aa14c9f4b802640a1b31574 -H 'Content-Type: application/offset+octet-stream' -H 'Tus-Resumable: 1.0.0' -H 'Upload-Offset: 0' -d "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

~ $ curl --head http://localhost:8080/files/4d1a061a6aa14c9f4b802640a1b31574 -H 'Tus-Resumable: 1.0.0'
HTTP/1.1 200 OK
Cache-Control: no-store
Tus-Resumable: 1.0.0
Upload-Defer-Length: 1
Upload-Offset: 200
X-Content-Type-Options: nosniff
Date: Mon, 20 Nov 2023 11:20:22 GMT

~ $ curl -X PATCH http://localhost:8080/files/4d1a061a6aa14c9f4b802640a1b31574 -H 'Content-Type: application/offset+octet-stream' -H 'Tus-Resumable: 1.0.0' -H 'Upload-Length: 200' -H 'Upload-Offset: 200'
ERR_INVALID_UPLOAD_LENGTH: missing or invalid Upload-Length header

Notice how the HEAD response has Upload-Length: 200 although the tusd server should only accept up to 100 bytes. Furthermore, the upload cannot be finished. The client cannot set the upload length in a subsequent PATCH request because the upload length would exceed -max-size.

Expected behavior

tusd should not store more data than specified in -max-size. Additional data should be rejected, similarly to how a PATCH request is handled, where the body contains more data than the upload allows for.

Setup details
Please provide the following details, if applicable to your situation:

  • Used tusd version: latest main branch
  • Used tusd data storage: disk
  • Used tusd configuration: -max-size 100

Thanks to @fenos for reporting this.
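
The check the report asks for, as an added example that is not tusd's own code: a simplified Go model of how a PATCH body should be bounded when the upload was created with Upload-Defer-Length: 1. The types and names (UploadInfo, allowedBytes, applyPatch, declareLength, the two error values) are assumptions made for this example, as is the convention that -max-size is always positive. With no declared length, the server-wide limit alone has to bound the upload; a later PATCH that declares Upload-Length must be rejected if it is below the current offset or above -max-size.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// UploadInfo is a hypothetical, simplified upload record; not tusd's own type.
type UploadInfo struct {
	Offset         int64 // bytes stored so far (Upload-Offset)
	Size           int64 // declared Upload-Length, meaningful only when SizeIsDeferred is false
	SizeIsDeferred bool  // created with Upload-Defer-Length: 1 and no length declared yet
}

var (
	ErrUploadTooLarge      = errors.New("ERR_UPLOAD_SIZE_EXCEEDED: upload would exceed -max-size")
	ErrInvalidUploadLength = errors.New("ERR_INVALID_UPLOAD_LENGTH: missing or invalid Upload-Length header")
)

// allowedBytes returns how many more bytes a PATCH may append. maxSize is
// assumed to be positive. For a deferred-length upload there is no declared
// size, so maxSize alone bounds the upload; skipping this branch is what lets
// a client write past -max-size.
func allowedBytes(info UploadInfo, maxSize int64) int64 {
	limit := maxSize
	if !info.SizeIsDeferred && info.Size < maxSize {
		limit = info.Size
	}
	if remaining := limit - info.Offset; remaining > 0 {
		return remaining
	}
	return 0
}

// applyPatch appends the PATCH body to dst, stopping at the allowed number of
// bytes. If the body carries more, the allowed prefix is still stored and
// ErrUploadTooLarge is returned so the handler can answer with an error status,
// matching how an over-long body on a fixed-length upload is treated.
func applyPatch(info *UploadInfo, body io.Reader, dst io.Writer, maxSize int64) (int64, error) {
	limit := allowedBytes(*info, maxSize)
	n, err := io.CopyN(dst, body, limit)
	info.Offset += n
	if err == io.EOF {
		return n, nil // body shorter than the limit: nothing to reject
	}
	if err != nil {
		return n, err
	}
	// Exactly `limit` bytes were copied; probe for one more byte to detect
	// an over-long body without storing the excess.
	var probe [1]byte
	if _, perr := io.ReadFull(body, probe[:]); perr == nil {
		return n, ErrUploadTooLarge
	}
	return n, nil
}

// declareLength handles a PATCH that supplies Upload-Length for a
// deferred-length upload. The length must cover what is already stored and
// must not exceed maxSize; declaring a length twice is rejected as well.
func declareLength(info *UploadInfo, length, maxSize int64) error {
	if !info.SizeIsDeferred || length < info.Offset || length > maxSize {
		return ErrInvalidUploadLength
	}
	info.Size = length
	info.SizeIsDeferred = false
	return nil
}

func main() {
	// Constructed reproduction of the report: -max-size 100, deferred length,
	// a single PATCH carrying 200 bytes of "a".
	info := UploadInfo{SizeIsDeferred: true}
	var store strings.Builder
	n, err := applyPatch(&info, strings.NewReader(strings.Repeat("a", 200)), &store, 100)
	fmt.Printf("stored %d bytes, offset now %d, err=%v\n", n, info.Offset, err)
	fmt.Println("declare Upload-Length 200:", declareLength(&info, 200, 100))
	fmt.Println("declare Upload-Length 100:", declareLength(&info, 100, 100))
}
```

Run it and the 200-byte PATCH stops at 100 stored bytes with ErrUploadTooLarge, declaring a length of 200 is refused, and declaring 100 succeeds, so the upload can still be completed within -max-size instead of being stranded at offset 200 as in the report.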
