authorXavier Del Campo Romero <xavi.dcr@tutanota.com>2024-02-20 00:17:40 +0100
committerXavier Del Campo Romero <xavi.dcr@tutanota.com>2024-02-20 00:17:40 +0100
commitb7f232366c03dad8afbbb8ed5ba44314e42b13fd (patch)
tree682b81b41570ac70033ef098e16fbf960e32a095
parent6c3bfa270b1de6cdea0da8e351f92ec65e90c4f0 (diff)
main.c: Force valid cookie on check_lengthv0.2.1-rc2
Otherwise, a malicious user could send multipart/form-data requests without a valid cookie.
-rw-r--r--main.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/main.c b/main.c
index fd47140..b88d77b 100644
--- a/main.c
+++ b/main.c
@@ -897,7 +897,16 @@ static int check_length(const unsigned long long len,
bool has_quota;
unsigned long long quota;
- if (auth_quota(a, username, &has_quota, &quota))
+ if (auth_cookie(a, c))
+ {
+ fprintf(stderr, "%s: auth_cookie failed\n", __func__);
+
+ if (page_forbidden(r))
+ return -1;
+
+ return 1;
+ }
+ else if (auth_quota(a, username, &has_quota, &quota))
{
fprintf(stderr, "%s: auth_quota failed\n", __func__);
return -1;
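Review bot: The added branch validates the cookie `c`, but the quota in the following `auth_quota(a, username, ...)` call is still looked up by `username`, and the hunk does not show where `username` comes from. It is worth confirming that it is taken from the same cookie that `auth_cookie` just accepted, so that a valid cookie for one account cannot be paired with another account's quota. The `return 1` after a successful `page_forbidden(r)` would also benefit from a comment, since the caller contract is outside the hunk; something like `/* Response already prepared: reject the upload without treating it as a server error. */` if that is the convention. The body of check_length begins and continues outside the visible lines, so both points should be checked against the full function.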