TEST size limit

http.go

@@ -154,23 +154,37 @@ func (mu *MegaUploader) upload(w http.ResponseWriter, r *http.Request) {
 	if share.SizeLimit.Bytes() > 0 {
 		sizelimit = share.SizeLimit.Bytes()
 	}
-	err = r.ParseMultipartForm(int64(sizelimit))
+	mpreader, err := r.MultipartReader()
 	if err != nil {
 		fmt.Fprintln(os.Stderr, err)
 		http.Error(w, "Bad request: error parsing form", http.StatusBadRequest)
 		return
 	}
-	file, header, err := r.FormFile("file")
+	part, err := mpreader.NextPart()
 	if err != nil {
-		http.Error(w, "No file uploaded", http.StatusBadRequest)
+		fmt.Fprintln(os.Stderr, err)
+		http.Error(w, "Bad request: error reading part from multipart form", http.StatusBadRequest)
+	}
+	fname, err := share.Upload(part, filepath.Base(part.FileName()))
+	if err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		http.Error(w, "Error uploading", http.StatusInternalServerError)
 		return
 	}
-	fname, err := share.Upload(file, filepath.Base(header.Filename))
+	finfo, err := os.Stat(fname)
 	if err != nil {
 		fmt.Fprintln(os.Stderr, err)
 		http.Error(w, "Error uploading", http.StatusInternalServerError)
 		return
 	}
+	if uint64(finfo.Size()) > sizelimit {
+		err = os.Remove(fname)
+		if err != nil {
+			fmt.Fprintln(os.Stderr, "could not delete file exceeding size limit", err)
+		}
+		http.Error(w, "File size limit exceeded", http.StatusBadRequest)
+		return
+	}
 	fname = filepath.Base(fname)
 	u, err := mu.Conf.GetShareURL(sharename)
 	if err != nil {

http_test.go

@@ -320,6 +320,67 @@ shares:
 	}
 }
 
+func TestUploadTooBig(t *testing.T) {
+	size := 900*1024 + 1
+	defer filet.CleanUp(t)
+	d := filet.TmpDir(t, "")
+	conf := `
+shares:
+    - name: foo
+      dir: DIR
+      sizelimit: 900K
+      authorized: ["*"]
+      description: foo
+`
+	conf = strings.Replace(conf, "DIR", d, 1)
+	ts := getServer(conf)
+	cl := ts.Client()
+	bodyBuf := bytes.Buffer{}
+	bodyWriter := multipart.NewWriter(&bodyBuf)
+	fileWriter, err := bodyWriter.CreateFormFile("file", "foo.txt")
+	if err != nil {
+		t.Fatal("error creating form file", err)
+		return
+	}
+	// write 3MB made of 'a'
+	for i := 0; i < size; i++ {
+		_, err = fileWriter.Write([]byte(`a`))
+		if err != nil {
+			t.Fatal("error writing on form file", err)
+			return
+		}
+	}
+	contentType := bodyWriter.FormDataContentType()
+	bodyWriter.Close()
+	req := userRequest(ts.URL+"/api/upload/foo", "someone", t)
+	req.Method = "POST"
+	req.Header.Set("Content-Type", contentType)
+	req.ContentLength = int64(bodyBuf.Len())
+	req.Body = ioutil.NopCloser(&bodyBuf)
+	resp, err := cl.Do(req)
+	if err != nil {
+		t.Fatal("Error POSTing file", err)
+		return
+	}
+	defer resp.Body.Close()
+	_, err = ioutil.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatal("Error reading server response", err)
+		return
+	}
+	if resp.StatusCode < 299 {
+		t.Error("Upload succeeded despite high size", resp.Status)
+	}
+	files, err := ioutil.ReadDir(d)
+	if err != nil {
+		t.Fatal("Error checking if upload dir is empty", err)
+	}
+	if len(files) != 0 {
+		t.Error("Upload dir not empty; should be refused!", len(files))
+		t.Log(files[0])
+	}
+}
+
 func TestSurfUpload(t *testing.T) {
 	if !*doHTTP {
 		return