Check quota before recv body (#773)

* Check quota before recv body * Check max upload file size before recv body --------- Co-authored-by: Heran Yang <heran.yang@seafile.com>
2025-09-22 03:28:48 +00:00 · 2025-09-12 17:48:43 +08:00
parent 6a7c1df693
commit a1ba8d7db7
4 changed files with 93 additions and 10 deletions
--- a/server/upload-file.c
+++ b/server/upload-file.c
@@ -224,7 +224,6 @@ check_tmp_file_list (GList *tmp_files, int *error_code)
    char *tmp_file;
    SeafStat st;
    gint64 total_size = 0;
-    gint64 max_upload_size;

    for (ptr = tmp_files; ptr; ptr = ptr->next) {
        tmp_file = ptr->data;
@@ -237,15 +236,8 @@ check_tmp_file_list (GList *tmp_files, int *error_code)

        total_size += (gint64)st.st_size;
    }
-    /* default is MB */
-    max_upload_size = seaf_cfg_manager_get_config_int64 (seaf->cfg_mgr, "fileserver",
-                                                         "max_upload_size");
-    if (max_upload_size > 0)
-        max_upload_size = max_upload_size * 1000000;
-    else
-        max_upload_size = -1;
    
-    if (max_upload_size > 0 && total_size > max_upload_size) {
+    if (seaf->max_upload_size > 0 && total_size > seaf->max_upload_size) {
        seaf_debug ("[upload] File size is too large.\n");
        *error_code = ERROR_SIZE;
        return FALSE;
@@ -2554,8 +2546,9 @@ upload_headers_cb (evhtp_request_t *req, evhtp_headers_t *hdr, void *arg)
    RecvFSM *fsm = NULL;
    Progress *progress = NULL;
    int error_code = EVHTP_RES_BADREQ;
+    htp_method method = evhtp_request_get_method(req);

-    if (evhtp_request_get_method(req) == htp_method_OPTIONS) {
+    if (method == htp_method_OPTIONS) {
         return EVHTP_RES_OK;
    }

@@ -2579,6 +2572,25 @@ upload_headers_cb (evhtp_request_t *req, evhtp_headers_t *hdr, void *arg)
        goto err;
    }

+    if (method == htp_method_POST || method == htp_method_PUT) {
+        gint64 content_len = get_content_length (req);
+        // Check whether the file to be uploaded would exceed the quota before receiving the body, in order to avoid unnecessarily receiving the body.
+        // After receiving the body, the quota is checked again to handle cases where the Content-Length in the request header is missing, which could make the initial quota check inaccurate.
+        if (seaf_quota_manager_check_quota_with_delta (seaf->quota_mgr,
+                                                       repo_id,
+                                                       content_len) != 0) {
+            error_code = SEAF_HTTP_RES_NOQUOTA;
+            err_msg = "Out of quota.\n";
+            goto err;
+        }
+
+        if (seaf->max_upload_size > 0 && content_len > seaf->max_upload_size) {
+            error_code = ERROR_SIZE;
+            err_msg = "File size is too large.\n";
+            goto err;
+        }
+    }
+
    boundary = get_boundary (hdr);
    if (!boundary) {
        err_msg = "Wrong boundary in url";