Luzifer / ots

One-Time-Secret sharing platform with a symmetric 256bit AES encryption in the browser
https://ots.fyi
Apache License 2.0

Fix: Use a default maxSecretSize and limit the payload read #144

Closed Luzifer closed 1 year ago

Luzifer commented 1 year ago

@sorcix PTAL

sorcix commented 1 year ago

Looks good to me! Thanks for changing this.

Slightly related: I was looking into what PostForm did. Looks like they default to a 10MB limit unless you replace the req.Body with a maxBytesReader. So it was safe until b51293fe3da55e574d24bfaa0090c584d697acfa when JSON was added as an alternative for r.FormValue("secret").
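As an added example (not code from the ots project or either commenter), this is the pattern the PR title describes applied to both input paths: a default maxSecretSize and an http.MaxBytesReader wrapped around the body before either the form parser or the JSON decoder reads it, so the JSON branch is no longer the unbounded one. The 64 KiB default and the handler and helper names are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const defaultMaxSecretSize int64 = 64 * 1024 // hypothetical fallback when nothing is configured
// newSecretHandler accepts the secret as a form field or as JSON. The body is capped
// before either decoder touches it: ParseForm's own 10 MB limit never applied to JSON.
func newSecretHandler(maxSecretSize int64) http.Handler {
	if maxSecretSize <= 0 {
		maxSecretSize = defaultMaxSecretSize
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, maxSecretSize)
		var p struct{ Secret string `json:"secret"` }
		var err error
		if strings.HasPrefix(r.Header.Get("Content-Type"), "application/json") {
			err = json.NewDecoder(r.Body).Decode(&p)
		} else if err = r.ParseForm(); err == nil {
			p.Secret = r.FormValue("secret")
		}
		var tooBig *http.MaxBytesError // the error MaxBytesReader returns once the cap is hit (Go 1.19+)
		if errors.As(err, &tooBig) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
		} else if err != nil {
			http.Error(w, "malformed request", http.StatusBadRequest)
		} else {
			fmt.Fprintf(w, "accepted %d bytes", len(p.Secret))
		}
	})
}

// postSecret drives the handler offline and returns the HTTP status code.
func postSecret(h http.Handler, contentType, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
	req.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { // expect 200 for the small secret and 413 for the oversized one
	h, big := newSecretHandler(0), strings.Repeat("A", int(defaultMaxSecretSize)+1)
	fmt.Println(postSecret(h, "application/json", `{"secret":"ok"}`), postSecret(h, "application/json", `{"secret":"`+big+`"}`))
}
```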