main.c: Force valid cookie on check_length

Otherwise, a malicious user could send multipart/form-data requests without a valid cookie.
2024-02-20 00:17:40 +01:00 · 2024-02-20 00:17:40 +01:00 · b7f232366c
parent 6c3bfa270b
commit b7f232366c
1 changed files with 10 additions and 1 deletions
--- a/main.c
+++ b/main.c
@ -897,7 +897,16 @@ static int check_length(const unsigned long long len,
    bool has_quota;
    unsigned long long quota;

-    if (auth_quota(a, username, &has_quota, &quota))
+    if (auth_cookie(a, c))
+    {
+        fprintf(stderr, "%s: auth_cookie failed\n", __func__);
+
+        if (page_forbidden(r))
+            return -1;
+
+        return 1;
+    }
+    else if (auth_quota(a, username, &has_quota, &quota))
    {
        fprintf(stderr, "%s: auth_quota failed\n", __func__);
        return -1;