Multipart_Message.Store_Attachments allows files to be uploaded on the server even if Upload_Directory is disabled (empty String) #376

Open
dsauvage opened this issue Apr 13, 2024 · 0 comments

Comments


dsauvage commented Apr 13, 2024

Multipart_Message.Store_Attachments allows files to be uploaded on the server even if Upload_Directory is disabled (empty String)

To fix this issue we applied the same verification and error management as Multipart_Message.File_Upload (patch attached).

--- aws-server-http_utils.adb.orig	2024-04-13 11:49:53.691588811 +0400
+++ aws-server-http_utils.adb	2024-04-13 11:50:55.539068778 +0400
@@ -857,6 +857,11 @@
       begin
          begin
             if Mode in Attachment .. File_Upload then
+               if CNF.Upload_Directory (Server_Config) = "" then
+                  raise Constraint_Error
+                    with "File upload not supported by server "
+                      & CNF.Server_Name (Server_Config);
+               end if;
                Streams.Stream_IO.Create
                  (File, Streams.Stream_IO.Out_File, Server_Filename);
             end if;
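Review bot: the guard is placed before `Streams.Stream_IO.Create`, which is the right spot given that the reported problem is a temporary file appearing on disk before the request is rejected; two things to confirm. The message `"File upload not supported by server "` is now also raised for `Mode = Attachment`, so either widen the wording to cover attachments or make sure the caller reports both cases the same way. Raising `Constraint_Error` inside the nested `begin` block also relies on the enclosing handler (outside this hunk) to turn the exception into a client-facing error; since `Create` has not run on this path there is no `File` to close, but check that the handler already covering the `File_Upload` case is reached for attachments too. Finally, the request shown in the issue would make a good regression test for this branch.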


Reproducer file command.sh attached; request payload below:

POST / HTTP/1.1
Host: localhost:8080
User-Agent: curl/7.74.0
Accept: */*
Content-Length: 500
Content-Type: multipart/related; boundary=------------------------e3b8d4247741cbe4

--------------------------e3b8d4247741cbe4
Content-Disposition: attachment; name="file";filename="threat"
Content-Type: application/octet-stream
Content-Id: dude

THREAT AGENT

--------------------------e3b8d4247741cbe4--

In this case, as the Content-Length is bigger than the actual payload, the web server is waiting and the temporary uploaded file is not yet deleted. A simple ls command executed in the directory where the web server has been launched will show the temporary file.

$ ls
27495-1

Another way to assess the temporary uploaded file is by using the inotifywait command executed in the directory where the web server has been launched.

$ inotifywait -m .
./ CREATE 27495-1
./ OPEN 27495-1
./ MODIFY 27495-1
./ CLOSE_WRITE,CLOSE 27495-1

aws-server-http_utils.adb.changes.patch.txt

command.sh.txt

dsauvage added a commit to AdaLabs/aws that referenced this issue Apr 13, 2024
…ploaded on the server even is Upload_Directory is disabled (empty String)
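The following is an added illustration, not code from AWS (Ada Web Server) or from the issue author: a small Python stand-in for the attachment-storage path that contrasts the behaviour reported above (the part is written to a temporary file with no check of the upload setting) with the guard the patch introduces (reject the request before any file is created). The request body, the `UploadNotSupported` exception, the `<pid>-<n>` temporary-file naming and the function names are all constructed or hypothetical; only the general shape follows the reproducer and the patch.

```python
"""Added example (not AWS code): check Upload_Directory before creating any file."""
import os
import tempfile
from email import policy
from email.parser import BytesParser
from pathlib import Path

# Constructed request of the same shape as the reproducer in the issue (not a capture).
BOUNDARY = "-" * 24 + "e3b8d4247741cbe4"
CONTENT_TYPE = f"multipart/related; boundary={BOUNDARY}"
BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: attachment; name="file";filename="sample"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "Content-Id: part1\r\n"
    "\r\n"
    "sample attachment\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()


class UploadNotSupported(Exception):
    """Hypothetical stand-in for the Constraint_Error raised by the patch."""


def attachment_parts(content_type, body):
    """Parse a multipart body and return the leaf parts that carry a filename."""
    raw = f"Content-Type: {content_type}\r\nMIME-Version: 1.0\r\n\r\n".encode() + body
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [p for p in msg.walk() if not p.is_multipart() and p.get_filename()]


def _temp_name(workdir, index):
    # The issue observes files named "<pid>-<n>" in the server's working directory;
    # this mimics that naming for the demonstration only.
    return Path(workdir) / f"{os.getpid()}-{index}"


def store_attachments_before_fix(upload_dir, content_type, body, workdir):
    """Reported behaviour: the part is written to disk whatever upload_dir says."""
    written = []
    for i, part in enumerate(attachment_parts(content_type, body), start=1):
        tmp = _temp_name(workdir, i)
        tmp.write_bytes(part.get_payload(decode=True))  # created unconditionally
        written.append(tmp)
    return written


def store_attachments_after_fix(upload_dir, content_type, body, workdir):
    """Patched behaviour: refuse the request before any file is created."""
    if upload_dir == "":
        raise UploadNotSupported("File upload not supported by server")
    written = []
    for i, part in enumerate(attachment_parts(content_type, body), start=1):
        tmp = _temp_name(workdir, i)
        tmp.write_bytes(part.get_payload(decode=True))
        written.append(tmp)
    return written


def demo():
    """Run both handlers against the constructed request in scratch directories."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        leaked = store_attachments_before_fix("", CONTENT_TYPE, BODY, d)
        results["before_fix_files"] = [p.name for p in leaked]
        results["before_fix_payload"] = leaked[0].read_bytes()
    with tempfile.TemporaryDirectory() as d:
        try:
            store_attachments_after_fix("", CONTENT_TYPE, BODY, d)
            results["after_fix_raised"] = False
        except UploadNotSupported:
            results["after_fix_raised"] = True
        results["after_fix_leftovers"] = sorted(os.listdir(d))  # expect nothing on disk
    with tempfile.TemporaryDirectory() as d:
        stored = store_attachments_after_fix(d, CONTENT_TYPE, BODY, d)
        results["after_fix_enabled_files"] = len(stored)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two handlers differ only in where the configuration check sits; with the guard first, a request arriving while uploads are disabled never reaches the file-creation step, so there is no temporary file to observe with ls or inotifywait even if the client holds the connection open.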