Added MaxMemory limit to CopyBody()

Beego only uses the MaxMemory flag when using go's built in functions for parsing forms. However the CopyBody() function have no limit an will coppy anny amount of data into memory using ioutil.ReedAll() on the request body whitout anny size validation or limit. This fix wrapps input.Requst.Body in a LimitedReader using the same memory limit as ParseFormOrMulitForm()
2024-11-22 13:40:55 +00:00 · 2015-12-16 10:37:21 +01:00 · 2015-12-16 10:37:21 +01:00 · 52c4c1fb98
commit 52c4c1fb98
parent 1576add9a2
2 changed files with 5 additions and 3 deletions
--- a/context/input.go
+++ b/context/input.go
@ -17,6 +17,7 @@ package context
 import (
 	"bytes"
 	"errors"
+	"io"
 	"io/ioutil"
 	"net/url"
 	"reflect"
@ -296,8 +297,9 @@ func (input *BeegoInput) Session(key interface{}) interface{} {
 }

 // CopyBody returns the raw request body data as bytes.
-func (input *BeegoInput) CopyBody() []byte {
-	requestbody, _ := ioutil.ReadAll(input.Context.Request.Body)
+func (input *BeegoInput) CopyBody(MaxMemory int64) []byte {
+	safe := &io.LimitedReader{R:input.Context.Request.Body, N:MaxMemory}
+	requestbody, _ := ioutil.ReadAll(safe)
 	input.Context.Request.Body.Close()
 	bf := bytes.NewBuffer(requestbody)
 	input.Context.Request.Body = ioutil.NopCloser(bf)
--- a/router.go
+++ b/router.go
@ -659,7 +659,7 @@ func (p *ControllerRegister) ServeHTTP(rw http.ResponseWriter, r *http.Request)

 	if r.Method != "GET" && r.Method != "HEAD" {
 		if BConfig.CopyRequestBody && !context.Input.IsUpload() {
-			context.Input.CopyBody()
+			context.Input.CopyBody(BConfig.MaxMemory)
 		}
 		context.Input.ParseFormOrMulitForm(BConfig.MaxMemory)
 	}