From 2fd5725c9f7bb16e0509d81a123e8121d012c8cd Mon Sep 17 00:00:00 2001
From: Doug Lauder
Date: Tue, 21 May 2024 14:46:48 -0500
Subject: [PATCH] when receiving file attachments for shared channels, ensure attachments are enabled and file size does not exceed maximum configured for receiving server. (#27018)
---
 .../platform/services/sharedchannel/attachment.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/server/platform/services/sharedchannel/attachment.go b/server/platform/services/sharedchannel/attachment.go
index 0e1ff7522e..7102e942f3 100644
--- a/server/platform/services/sharedchannel/attachment.go
+++ b/server/platform/services/sharedchannel/attachment.go
@@ -8,6 +8,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "net/http"
 "sync"
 "github.com/mattermost/mattermost/server/public/model"
@@ -172,6 +173,20 @@ func (scs *Service) onReceiveUploadCreate(msg model.RemoteClusterMsg, rc *model.
 return fmt.Errorf("could not validate upload session for remote: %w", err)
 }
+ // make sure file attachments are enabled
+ if scs.server.Config().FileSettings.EnableFileAttachments == nil || !*scs.server.Config().FileSettings.EnableFileAttachments {
+ return model.NewAppError("ReceiveUploadCreate",
+ "api.file.attachments.disabled.app_error",
+ nil, "", http.StatusNotImplemented)
+ }
+
+ // make sure the file size requested does not exceed local server config - MM server's regular
+ // upload code will ensure the actual bytes sent are within the upload session limit.
+ if scs.server.Config().FileSettings.MaxFileSize == nil || us.FileSize > *scs.server.Config().FileSettings.MaxFileSize {
+ return model.NewAppError("createUpload", "api.upload.create.upload_too_large.app_error",
+ map[string]any{"channelId": us.ChannelId}, "", http.StatusRequestEntityTooLarge)
+ }
+
 us.RemoteId = rc.RemoteId // don't let remotes try to impersonate each other
 // create upload session.
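Review bot: In the second hunk each guard calls `scs.server.Config()` twice, once for the nil check and once for the dereference, so the pointer that was tested is not necessarily the one dereferenced if the configuration is swapped in between, and the two guards may also see different snapshots. Taking one snapshot first, `cfg := scs.server.Config()`, and writing the size guard as `if cfg.FileSettings.MaxFileSize == nil || us.FileSize > *cfg.FileSettings.MaxFileSize {` keeps both decisions on the same settings. The second error is labelled `"createUpload"` while the first uses `"ReceiveUploadCreate"`, so a rejected remote upload would read in logs as coming from the local upload API; using the same label on both makes these rejections easier to attribute. The size guard bounds `us.FileSize` only from above, and whether a zero or negative value sent by the remote is rejected elsewhere is not visible here, because onReceiveUploadCreate starts and ends outside the hunk.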