From c8b6ad8abd3a9bd2491262fc9cb881b9b491969d Mon Sep 17 00:00:00 2001
From: Jonathan Buchanan
Date: Mon, 29 Jun 2020 15:30:11 -0400
Subject: filler max_upload values for all POST/PATCH handlers
---
 src/backend/taler-merchant-httpd.c | 59 +++++++++++++++++++++++++++++++-------
 1 file changed, 48 insertions(+), 11 deletions(-)
(limited to 'src/backend/taler-merchant-httpd.c')
diff --git a/src/backend/taler-merchant-httpd.c b/src/backend/taler-merchant-httpd.c
index 488e45b9..b60eec4f 100644
--- a/src/backend/taler-merchant-httpd.c
+++ b/src/backend/taler-merchant-httpd.c
@@ -782,14 +782,24 @@ url_handler (void *cls,
 {
 .url_prefix = "/",
 .method = MHD_HTTP_METHOD_PATCH,
- .handler = &TMH_private_patch_instances_ID
+ .handler = &TMH_private_patch_instances_ID,
+ /* allow instance data of up to 8 MB, that should be plenty;
+ note that exceeding #GNUNET_MAX_MALLOC_CHECKED (40 MB)
+ would require further changes to the allocation logic
+ in the code... */
+ .max_upload = 1024 * 1024 * 8
 },
 /* POST /instances: */
 {
 .url_prefix = "/instances",
 .method = MHD_HTTP_METHOD_POST,
 .skip_instance = true,
- .handler = &TMH_private_post_instances
+ .handler = &TMH_private_post_instances,
+ /* allow instance data of up to 8 MB, that should be plenty;
+ note that exceeding #GNUNET_MAX_MALLOC_CHECKED (40 MB)
+ would require further changes to the allocation logic
+ in the code... */
+ .max_upload = 1024 * 1024 * 8
 },
 /* GET /products: */
 {
@@ -840,7 +850,10 @@ url_handler (void *cls,
 .url_suffix = "lock",
 .method = MHD_HTTP_METHOD_POST,
 .have_id_segment = true,
- .handler = &TMH_private_post_products_ID_lock
+ .handler = &TMH_private_post_products_ID_lock,
+ /* the body should be pretty small, allow 1 MB of upload
+ to set a conservative bound for sane wallets */
+ .max_upload = 1024 * 1024
 },
 /* POST /orders: */
 {
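Review bot: The 8 MB bound is spelled out as `1024 * 1024 * 8` with an identical four-line comment in both instance entries, and the 1 MB bound `1024 * 1024` is repeated in the nine other entries this patch touches, so the limits and their rationale can drift apart unnoticed. Two file-level constants would give each bound a single definition, for example `#define MAX_UPLOAD_INSTANCE (8 * 1024 * 1024)` and `#define MAX_UPLOAD_SMALL (1024 * 1024)` (the names are only suggestions). The comment's warning about #GNUNET_MAX_MALLOC_CHECKED could then be checked at compile time beside the definition, e.g. `_Static_assert (MAX_UPLOAD_INSTANCE <= GNUNET_MAX_MALLOC_CHECKED, "upload bound too large");`, provided that macro is a constant expression and the build allows C11. The handler table and url_handler continue outside the hunk.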
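Review bot: The comment added above `.max_upload` for `TMH_private_post_products_ID_lock` justifies the bound with "sane wallets", but the `TMH_private_` handler name suggests this entry serves the merchant's private API rather than a wallet. The same copied comment sits on the refund, reserves, authorize-tip, tips and transfers entries in the later hunks. Because this value is the request-size guard for the endpoint, the comment should name the actual caller and payload, for example `/* small JSON body from the merchant frontend; 1 MB is a generous upper bound */`.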
@@ -872,7 +885,10 @@ url_handler (void *cls,
 .url_suffix = "refund",
 .method = MHD_HTTP_METHOD_POST,
 .have_id_segment = true,
- .handler = &TMH_private_post_orders_ID_refund
+ .handler = &TMH_private_post_orders_ID_refund,
+ /* the body should be pretty small, allow 1 MB of upload
+ to set a conservative bound for sane wallets */
+ .max_upload = 1024 * 1024
 },
 /* DELETE /orders/$ID: */
 {
@@ -885,7 +901,10 @@ url_handler (void *cls,
 {
 .url_prefix = "/reserves",
 .method = MHD_HTTP_METHOD_POST,
- .handler = &TMH_private_post_reserves
+ .handler = &TMH_private_post_reserves,
+ /* the body should be pretty small, allow 1 MB of upload
+ to set a conservative bound for sane wallets */
+ .max_upload = 1024 * 1024
 },
 /* DELETE /reserves/$ID: */
 {
@@ -900,13 +919,19 @@ url_handler (void *cls,
 .url_suffix = "authorize-tip",
 .have_id_segment = true,
 .method = MHD_HTTP_METHOD_POST,
- .handler = &TMH_private_post_reserves_ID_authorize_tip
+ .handler = &TMH_private_post_reserves_ID_authorize_tip,
+ /* the body should be pretty small, allow 1 MB of upload
+ to set a conservative bound for sane wallets */
+ .max_upload = 1024 * 1024
 },
 /* POST /tips: */
 {
 .url_prefix = "/tips",
 .method = MHD_HTTP_METHOD_POST,
- .handler = &TMH_private_post_tips
+ .handler = &TMH_private_post_tips,
+ /* the body should be pretty small, allow 1 MB of upload
+ to set a conservative bound for sane wallets */
+ .max_upload = 1024 * 1024
 },
 /* GET /tips: */
 {
@@ -938,7 +963,10 @@ url_handler (void *cls,
 {
 .url_prefix = "/transfers",
 .method = MHD_HTTP_METHOD_POST,
- .handler = &TMH_private_post_transfers
+ .handler = &TMH_private_post_transfers,
+ /* the body should be pretty small, allow 1 MB of upload
+ to set a conservative bound for sane wallets */
+ .max_upload = 1024 * 1024
 },
 /* GET /transfers: */
 {
@@ -980,7 +1008,10 @@ url_handler (void *cls,
 .have_id_segment = true,
 .url_suffix = "abort",
 .method = MHD_HTTP_METHOD_POST,
- .handler = &TMH_post_orders_ID_abort
+ .handler = &TMH_post_orders_ID_abort,
+ /* wallet may give us many coins to sign, allow 1 MB of upload
+ to set a conservative bound for sane wallets */
+ .max_upload = 1024 * 1024
 },
 /* POST /orders/$ID/claim: */
 {
@@ -988,7 +1019,10 @@ url_handler (void *cls,
 .have_id_segment = true,
 .url_suffix = "claim",
 .method = MHD_HTTP_METHOD_POST,
- .handler = &TMH_post_orders_ID_claim
+ .handler = &TMH_post_orders_ID_claim,
+ /* the body should be pretty small, allow 1 MB of upload
+ to set a conservative bound for sane wallets */
+ .max_upload = 1024 * 1024
 },
 /* POST /orders/$ID/pay: */
 {
@@ -996,7 +1030,10 @@ url_handler (void *cls,
 .have_id_segment = true,
 .url_suffix = "pay",
 .method = MHD_HTTP_METHOD_POST,
- .handler = &TMH_post_orders_ID_pay
+ .handler = &TMH_post_orders_ID_pay,
+ /* wallet may give us many coins to sign, allow 1 MB of upload
+ to set a conservative bound for sane wallets */
+ .max_upload = 1024 * 1024
 },
 /* GET /orders/$ID: */
 {
-- 
cgit v1.2.3
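Review bot: The `.max_upload = 1024 * 1024` added to the `abort` entry, and again to `pay` two hunks later, caps only the byte size of the body, while the comment itself says a wallet "may give us many coins to sign". A 1 MB JSON body can still carry a large number of coin entries, so on these wallet-facing endpoints the per-request signature work is not bounded by this value alone. Whether `TMH_post_orders_ID_abort` and `TMH_post_orders_ID_pay` cap the coin array length is not visible here. If they do, the comment should say so, for example `/* byte cap only; the number of coins per request is bounded in the handler */`. If they do not, that count limit is the missing check.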