https://fedorahosted.org/freeipa/ticket/5231
--
David Kupka
From f86f4f89d1083c1474d8c470ae3b0f85ed1eb6bb Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 26 Aug 2015 14:11:21 +0200
Subject: [PATCH] vault: Limit size of data stored in vault

https://fedorahosted.org/freeipa/ticket/5231
---
 ipalib/constants.py     |  2 ++
 ipalib/plugins/vault.py | 20 ++++++++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 53c3106cdd16fef0eba42a70518f7633b3fd95d1..5b83c7177987e95e101b2050aabfbc53d18e1b8d 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -239,3 +239,5 @@ SID_ANCHOR_PREFIX = ':SID:'
 
 MIN_DOMAIN_LEVEL = 0
 MAX_DOMAIN_LEVEL = 1
+
+MAX_VAULT_DATA_SIZE = 2**20 # = 1 MB
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 6b7d188f4c024cc6709faff33af942559ce4f8ec..4eb67438df0bb7ba3f22398d717b0be354edf893 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -47,7 +47,7 @@ from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
 from ipalib.request import context
 from ipalib.plugins.user import split_principal
 from ipalib.plugins.service import normalize_principal
-from ipalib import _, ngettext
+from ipalib import _, ngettext, constants
 from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipapython.nsslib import current_dbdir
@@ -1227,10 +1227,26 @@ class vault_archive(PKQuery, Local):
             raise errors.MutuallyExclusiveError(
                 reason=_('Input data specified multiple times'))
 
+        elif data:
+            if len(data) > constants.MAX_VAULT_DATA_SIZE:
+                raise errors.ValidationError(name="data", error=_("Size of data"
+                    " exceeds the limit. Current vault data size limit is"
+                    " %(limit)d B") % {'limit': constants.MAX_VAULT_DATA_SIZE})
+
         elif input_file:
+            try:
+                stat = os.stat(input_file)
+            except IOError as exc:
+                raise errors.ValidationError(name="in", error=_("Cannot read"
+                    " file '%(filename)s': %(exc)s") % {'filename': input_file,
+                    'exc': exc[1]})
+            if stat.st_size > constants.MAX_VAULT_DATA_SIZE:
+                raise errors.ValidationError(name="in", error=_("Size of data"
+                    " exceeds the limit. Current vault data size limit is"
+                    " %(limit)d B") % {'limit': constants.MAX_VAULT_DATA_SIZE})
             data = validated_read('in', input_file, mode='rb')
 
-        elif not data:
+        else:
             data = ''
 
         if self.api.env.in_server:
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to