Diffstat (limited to 'internal/transport')
-rw-r--r--internal/transport/derefmedia.go22
-rw-r--r--internal/transport/transport.go4
2 files changed, 19 insertions, 7 deletions
diff --git a/internal/transport/derefmedia.go b/internal/transport/derefmedia.go
index 265a9e77e..873032f39 100644
--- a/internal/transport/derefmedia.go
+++ b/internal/transport/derefmedia.go
@@ -23,30 +23,42 @@ import (
"net/http"
"net/url"
+ "codeberg.org/gruf/go-bytesize"
+ "codeberg.org/gruf/go-iotools"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
)
-func (t *transport) DereferenceMedia(ctx context.Context, iri *url.URL) (io.ReadCloser, int64, error) {
+func (t *transport) DereferenceMedia(ctx context.Context, iri *url.URL, maxsz int64) (io.ReadCloser, error) {
// Build IRI just once
iriStr := iri.String()
// Prepare HTTP request to this media's IRI
req, err := http.NewRequestWithContext(ctx, "GET", iriStr, nil)
if err != nil {
- return nil, 0, err
+ return nil, err
}
req.Header.Add("Accept", "*/*") // we don't know what kind of media we're going to get here
// Perform the HTTP request
rsp, err := t.GET(req)
if err != nil {
- return nil, 0, err
+ return nil, err
}
// Check for an expected status code
if rsp.StatusCode != http.StatusOK {
- return nil, 0, gtserror.NewFromResponse(rsp)
+ return nil, gtserror.NewFromResponse(rsp)
}
- return rsp.Body, rsp.ContentLength, nil
+ // Check media within size limit.
+ if rsp.ContentLength > maxsz {
+ _ = rsp.Body.Close() // close early.
+ sz := bytesize.Size(maxsz) // nicer log format
+ return nil, gtserror.Newf("media body exceeds max size %s", sz)
+ }
+
+ // Update response body with maximum supported media size.
+ rsp.Body, _, _ = iotools.UpdateReadCloserLimit(rsp.Body, maxsz)
+
+ return rsp.Body, nil
}
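Review bot: A response with no declared length passes the new size check at `if rsp.ContentLength > maxsz`, because net/http reports an unknown length as -1, so for chunked or length-less bodies the only guard is the limit wrapper, and the other two return values of `iotools.UpdateReadCloserLimit` are discarded. If that wrapper ends the stream with a plain EOF at the limit, as io.LimitedReader does (its behaviour is not visible in this hunk), an oversized body reaches the caller as silently truncated media rather than as an error. Since the filesize return value is removed as well, I would either state in the function comment that callers must detect a read that stops at exactly maxsz, or return enough for them to tell a limit hit from a complete body. Separately, the non-200 branch returns `gtserror.NewFromResponse(rsp)` without the `_ = rsp.Body.Close()` that the new oversize branch has; unless that helper closes the body, the same early close belongs there.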
diff --git a/internal/transport/transport.go b/internal/transport/transport.go
index 110c19b3d..2971ca603 100644
--- a/internal/transport/transport.go
+++ b/internal/transport/transport.go
@@ -67,8 +67,8 @@ type Transport interface {
// Dereference fetches the ActivityStreams object located at this IRI with a GET request.
Dereference(ctx context.Context, iri *url.URL) (*http.Response, error)
- // DereferenceMedia fetches the given media attachment IRI, returning the reader and filesize.
- DereferenceMedia(ctx context.Context, iri *url.URL) (io.ReadCloser, int64, error)
+ // DereferenceMedia fetches the given media attachment IRI, returning the reader limited to given max.
+ DereferenceMedia(ctx context.Context, iri *url.URL, maxsz int64) (io.ReadCloser, error)
// DereferenceInstance dereferences remote instance information, first by checking /api/v1/instance, and then by checking /.well-known/nodeinfo.
DereferenceInstance(ctx context.Context, iri *url.URL) (*gtsmodel.Instance, error)
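Review bot: The new interface comment on `DereferenceMedia` says the reader is "limited to given max" but gives neither the unit of `maxsz` nor what a caller observes when the limit is hit. Going by the implementation in derefmedia.go (where the value is formatted with bytesize, so presumably bytes), I would spell the contract out, e.g. `// DereferenceMedia fetches the given media attachment IRI. It returns an error if the declared Content-Length exceeds maxsz (in bytes); otherwise the returned reader yields at most maxsz bytes and must be closed by the caller.` The Transport interface begins before and continues past this hunk, so other implementers of the interface are not visible here.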