Multipart_Message.Store_Attachments allows files to be uploaded on the server even is Upload_Directory is disabled (empty String) #376
Description
Multipart_Message.Store_Attachments allows files to be uploaded on the server even is Upload_Directory is disabled (empty String)
To fix this issue we applied the same verification and error management as Multipart_Message.File_Upload (patch attached).
--- aws-server-http_utils.adb.orig 2024-04-13 11:49:53.691588811 +0400
+++ aws-server-http_utils.adb 2024-04-13 11:50:55.539068778 +0400
@@ -857,6 +857,11 @@
begin
begin
if Mode in Attachment .. File_Upload then
+ if CNF.Upload_Directory (Server_Config) = "" then
+ raise Constraint_Error
+ with "File upload not supported by server "
+ & CNF.Server_Name (Server_Config);
+ end if;
Streams.Stream_IO.Create
(File, Streams.Stream_IO.Out_File, Server_Filename);
end if;
Reproducer file command.sh attached, request payload below;
POST / HTTP/1.1
Host: localhost:8080
User-Agent: curl/7.74.0
Accept: */*
Content-Length: 500
Content-Type: multipart/related; boundary=------------------------e3b8d4247741cbe4
--------------------------e3b8d4247741cbe4
Content-Disposition: attachment; name="file";filename="threat"
Content-Type: application/octet-stream
Content-Id: dude
THREAT AGENT
--------------------------e3b8d4247741cbe4--
In this case, as the Content-Length is bigger than the actual payload, the web server is waiting and the temporary uploaded file is not yet deleted. A simple ls command executed in the directory where the web server has been launched will show the temporary file.
$ ls
27495-1
Another way to assess the temporary uploaded file is by using the inotifywait command executed in the directory where the web server has been launched
$ inotifywait -m .
./ CREATE 27495-1
./ OPEN 27495-1
./ MODIFY 27495-1
./ CLOSE_WRITE,CLOSE 27495-1