Merge pull request #1486 from KilledKenny/oomDos

Added MaxMemory limit to CopyBody() Supersedes #1484

Merge pull request #1486 from KilledKenny/oomDos
Added MaxMemory limit to CopyBody() Supersedes #1484
2aa50c24 · astaxie · dbc4ac69 · 52c4c1fb · 2aa50c24 · 2aa50c24
Commit 2aa50c24 authored Dec 16, 2015 by astaxie
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 3 deletions

input.go context/input.go +4 -2

router.go router.go +1 -1

No files found.
--- a/context/input.go
+++ b/context/input.go
@@ -17,6 +17,7 @@ package context
 import (
 	"bytes"
 	"errors"
+	"io"
 	"io/ioutil"
 	"net/url"
 	"reflect"
@@ -313,8 +314,9 @@ func (input *BeegoInput) Session(key interface{}) interface{} {
 }
 // CopyBody returns the raw request body data as bytes.
-func (input *BeegoInput) CopyBody() []byte {
+func (input *BeegoInput) CopyBody(MaxMemory int64) []byte {
-	requestbody, _ := ioutil.ReadAll(input.Context.Request.Body)
+	safe := &io.LimitedReader{R:input.Context.Request.Body, N:MaxMemory}
+	requestbody, _ := ioutil.ReadAll(safe)
 	input.Context.Request.Body.Close()
 	bf := bytes.NewBuffer(requestbody)
 	input.Context.Request.Body = ioutil.NopCloser(bf)

--- a/router.go
+++ b/router.go
@@ -653,7 +653,7 @@ func (p *ControllerRegister) ServeHTTP(rw http.ResponseWriter, r *http.Request)
 	if r.Method != "GET" && r.Method != "HEAD" {
 		if BConfig.CopyRequestBody && !context.Input.IsUpload() {
-			context.Input.CopyBody()
+			context.Input.CopyBody(BConfig.MaxMemory)
 		}
 		context.Input.ParseFormOrMulitForm(BConfig.MaxMemory)
 	}