tus / tusd

Reference server implementation in Go of tus: the open protocol for resumable file uploads
https://tus.github.io/tusd
MIT License

Deferred upload length can bypass upload size limit #1032

Open Acconut opened 7 months ago

Acconut commented 7 months ago

Describe the bug

Using Upload-Defer-Length: 1 a client can upload more data than specified in -max-size.

To Reproduce

  1. Start tusd: tusd -max-size 100
  2. Create upload:
~ $ curl -X POST http://localhost:8080/files/ -H 'Tus-Resumable: 1.0.0' -H 'Upload-Defer-Length: 1' -i
HTTP/1.1 201 Created
Location: http://localhost:8080/files/4d1a061a6aa14c9f4b802640a1b31574
Tus-Resumable: 1.0.0
X-Content-Type-Options: nosniff
Date: Mon, 20 Nov 2023 11:18:28 GMT
Content-Length: 0

~ $ curl -X PATCH http://localhost:8080/files/4d1a061a6aa14c9f4b802640a1b31574 -H 'Content-Type: application/offset+octet-stream' -H 'Tus-Resumable: 1.0.0' -H 'Upload-Offset: 0' -d "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

~ $ curl --head http://localhost:8080/files/4d1a061a6aa14c9f4b802640a1b31574 -H 'Tus-Resumable: 1.0.0'
HTTP/1.1 200 OK
Cache-Control: no-store
Tus-Resumable: 1.0.0
Upload-Defer-Length: 1
Upload-Offset: 200
X-Content-Type-Options: nosniff
Date: Mon, 20 Nov 2023 11:20:22 GMT

~ $ curl -X PATCH http://localhost:8080/files/4d1a061a6aa14c9f4b802640a1b31574 -H 'Content-Type: application/offset+octet-stream' -H 'Tus-Resumable: 1.0.0' -H 'Upload-Length: 200' -H 'Upload-Offset: 200'
ERR_INVALID_UPLOAD_LENGTH: missing or invalid Upload-Length header

Notice how the HEAD response has Upload-Length: 200 although the tusd server should only accept up to 100 bytes. Furthermore, the upload cannot be finished. The client cannot set the upload length in a subsequent PATCH request because the upload length would exceed -max-size.

Expected behavior

tusd should not store more data than specified in -max-size. Additional data should be rejected, similarly to how a PATCH request is handled, where the body contains more data than the upload allows for.


Thanks to @fenos for reporting this.
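
The expected behavior described in this issue, sketched as an added example (not part of the original issue and not tusd's own code): while the length is deferred, the configured maximum size bounds how much a PATCH body may append, and excess data is rejected. The names `upload`, `remaining`, `appendChunk` and `errSizeExceeded` are hypothetical, and storing the bytes up to the limit before rejecting the rest is an assumption of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// upload is a hypothetical model of stored upload state, not tusd's own type.
type upload struct {
	offset, size   int64 // size is meaningful only once the length is declared
	sizeIsDeferred bool
}

var errSizeExceeded = errors.New("body exceeds the space left in the upload")

// remaining: bytes a PATCH may still append; while deferred, maxSize stands in for Upload-Length.
func remaining(u upload, maxSize int64) (limit int64, bounded bool) {
	if !u.sizeIsDeferred {
		return u.size - u.offset, true
	}
	return maxSize - u.offset, maxSize > 0 // maxSize <= 0: no limit configured
}

// appendChunk stores at most the remaining bytes and rejects any excess.
func appendChunk(u *upload, maxSize int64, body io.Reader, dst io.Writer) error {
	limit, bounded := remaining(*u, maxSize)
	src := body
	if bounded {
		src = io.LimitReader(body, limit) // a limit <= 0 reads nothing
	}
	n, err := io.Copy(dst, src)
	u.offset += n
	if err != nil || !bounded {
		return err
	}
	var probe [1]byte
	if k, _ := io.ReadFull(body, probe[:]); k > 0 {
		return errSizeExceeded // data was left over beyond the limit
	}
	return nil
}

func main() {
	u := upload{sizeIsDeferred: true}
	var stored strings.Builder
	err := appendChunk(&u, 100, strings.NewReader(strings.Repeat("a", 200)), &stored)
	fmt.Println(u.offset, stored.Len(), err) // constructed 200-byte body, limit 100
}
```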