From 28a234e457903fb43a8c6bdcdf08bb08dee97151 Mon Sep 17 00:00:00 2001
From: Dan Stillman
Date: Fri, 24 Mar 2017 02:46:10 -0400
Subject: [PATCH] Include 'content-length-range' in S3 signature
---
 model/Storage.inc.php | 1 +
 tests/remote/tests/API/3/FileTest.php | 57 ++++++++++++++++++++++++++-
 2 files changed, 57 insertions(+), 1 deletion(-)
diff --git a/model/Storage.inc.php b/model/Storage.inc.php
index 6e26f51c..d71c7284 100644
--- a/model/Storage.inc.php
+++ b/model/Storage.inc.php
@@ -704,6 +704,7 @@ public static function generateUploadPOSTParams($item, Zotero_StorageFileInfo $i
 ['key' => $info->hash],
 ['acl' => 'private'],
 ['Content-MD5' => $contentMD5],
+ ['content-length-range', $info->size, $info->size],
 ['success_action_status' => $successStatus],
 ['x-amz-credential' => $credentials],
 ['x-amz-algorithm' => $algorithm],
diff --git a/tests/remote/tests/API/3/FileTest.php b/tests/remote/tests/API/3/FileTest.php
index 017c105b..56a60220 100644
--- a/tests/remote/tests/API/3/FileTest.php
+++ b/tests/remote/tests/API/3/FileTest.php
@@ -213,7 +213,7 @@ public function testAddFileFormDataFull() {
 // Upload wrong contents to S3
 $response = HTTP::post(
 $json->url,
- $json->prefix . $fileContents . "INVALID" . $json->suffix,
+ $json->prefix . strrev($fileContents) . $json->suffix,
 [
 "Content-Type: " . $json->contentType
 ]
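Review bot: In model/Storage.inc.php the new `['content-length-range', $info->size, $info->size]` condition places `$info->size` into the signed policy with no type or range check visible in the hunk. If that property still holds the client's `filesize` parameter as a string, it would presumably be serialized as a quoted value rather than a number, and a negative or non-numeric value would only surface as an S3 rejection at upload time; casting here, `['content-length-range', (int) $info->size, (int) $info->size],`, keeps the condition numeric. A short comment such as `// Pin the body to the declared size; S3 rejects any other length` would also explain why this entry is positional while its neighbours are key/value pairs. generateUploadPOSTParams starts and ends outside the hunk, so validation may already happen earlier in the function.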
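Review bot: In testAddFileFormDataFull, `strrev($fileContents)` yields different bytes only when the string is not a byte-wise palindrome, so a one-character or symmetric result from the random-string helper would upload the correct contents and the "wrong contents" step would stop failing. The reason for replacing the appended "INVALID" is also not stated; presumably the body has to keep the declared length so that the MD5 check, not the new size condition, is what rejects it. A comment such as `// Same length, different bytes: Content-MD5 must fail, not content-length-range` would record that, and an assertion that the reversed string differs from the original would remove the flakiness. The test method continues outside the hunk.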
@@ -1672,6 +1672,61 @@ public function testAddFileClientV5Zip() {
 }
+ public function testClientV5ShouldRejectFileSizeMismatch() {
+ API::userClear(self::$config['userID']);
+
+ $file = "work/file";
+ $fileContents = self::getRandomUnicodeString();
+ $contentType = "text/plain";
+ $charset = "utf-8";
+ file_put_contents($file, $fileContents);
+ $hash = md5_file($file);
+ $filename = "test_" . $fileContents;
+ $mtime = filemtime($file) * 1000;
+ $size = 0;
+
+ $json = API::createAttachmentItem("imported_file", [
+ 'contentType' => $contentType,
+ 'charset' => $charset
+ ], false, $this, 'jsonData');
+ $key = $json['key'];
+ $originalVersion = $json['version'];
+
+ // Get authorization
+ $response = API::userPost(
+ self::$config['userID'],
+ "items/$key/file",
+ $this->implodeParams([
+ "md5" => $hash,
+ "mtime" => $mtime,
+ "filename" => $filename,
+ "filesize" => $size
+ ]),
+ [
+ "Content-Type: application/x-www-form-urlencoded",
+ "If-None-Match: *"
+ ]
+ );
+ $this->assert200($response);
+ $json = API::getJSONFromResponse($response);
+
+ self::$toDelete[] = "$hash";
+
+ // Try to upload to S3, which should fail
+ $response = HTTP::post(
+ $json['url'],
+ $json['prefix'] . $fileContents . $json['suffix'],
+ [
+ "Content-Type: {$json['contentType']}"
+ ]
+ );
+ $this->assert400($response);
+ $this->assertContains(
+ "Your proposed upload exceeds the maximum allowed size", $response->getBody()
+ );
+ }
+
+
 public function testClientV5ShouldReturn404GettingAuthorizationForMissingFile() {
 // Get authorization
 $response = API::userPost(
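Review bot: testClientV5ShouldRejectFileSizeMismatch exercises only a body larger than the declared size (`$size = 0;`), so the lower bound of the pinned range is never tested. A companion case that declares more than it sends, for example `$size = strlen($fileContents) + 1;`, and asserts a 400 carrying S3's too-small error would show that both ends of the range are enforced. `$originalVersion = $json['version'];` is assigned but never read and can be dropped. It would also help to comment that the authorization step is expected to return 200 for the mismatched size, because the mismatch is detected only by S3 at upload time.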