content-length-range policy should be honored for the uploaded object sizes. (#3076)

2025-11-08 05:04:55 -05:00 · 2016-10-25 12:17:03 +05:30
parent 3977d6b7bd
commit 35e541e0b1
8 changed files with 79 additions and 34 deletions
--- a/cmd/bucket-handlers.go
+++ b/cmd/bucket-handlers.go
@@ -17,6 +17,7 @@
 package cmd

 import (
+	"encoding/base64"
 	"encoding/xml"
 	"io"
 	"net/http"
@@ -450,11 +451,35 @@ func (api objectAPIHandlers) PostPolicyBucketHandler(w http.ResponseWriter, r *h
 		writeErrorResponse(w, r, apiErr, r.URL.Path)
 		return
 	}
-	if apiErr = checkPostPolicy(formValues); apiErr != ErrNone {
+
+	policyBytes, err := base64.StdEncoding.DecodeString(formValues["Policy"])
+	if err != nil {
+		writeErrorResponse(w, r, ErrMalformedPOSTRequest, r.URL.Path)
+		return
+	}
+
+	postPolicyForm, err := parsePostPolicyFormV4(string(policyBytes))
+	if err != nil {
+		writeErrorResponse(w, r, ErrMalformedPOSTRequest, r.URL.Path)
+		return
+	}
+
+	// Make sure formValues adhere to policy restrictions.
+	if apiErr = checkPostPolicy(formValues, postPolicyForm); apiErr != ErrNone {
 		writeErrorResponse(w, r, apiErr, r.URL.Path)
 		return
 	}

+	// Use limitReader to ensure that object size is within expected range.
+	lengthRange := postPolicyForm.Conditions.ContentLengthRange
+	if lengthRange.Valid {
+		// If policy restricted the size of the object.
+		fileBody = limitReader(fileBody, int64(lengthRange.Min), int64(lengthRange.Max))
+	} else {
+		// Default values of min/max size of the object.
+		fileBody = limitReader(fileBody, 0, maxObjectSize)
+	}
+
 	// Save metadata.
 	metadata := make(map[string]string)
 	// Nothing to store right now.