Merge pull request #1909 from RazyAnas/master

Fix off-by-one error in HttpGetter.toByteArray response size check
Jérémie Panzer
2025-09-27 19:07:19 +02:00
committed by GitHub


@@ -242,7 +242,9 @@ public class HttpGetter {
return DateUtils.parseStandardDate(headerValue); return DateUtils.parseStandardDate(headerValue);
} }
// ByteStreams.limit(input, maxBytes) reads at most maxBytes bytes.
// If the content length is exactly maxBytes, it throws an exception, even though the response is valid.
// This is an off-by-one error.
private static byte[] toByteArray(HttpEntity entity, long maxBytes) throws IOException { private static byte[] toByteArray(HttpEntity entity, long maxBytes) throws IOException {
if (entity.getContentLength() > maxBytes) { if (entity.getContentLength() > maxBytes) {
throw new IOException( throw new IOException(
@@ -254,14 +256,15 @@ public class HttpGetter {
return null; return null;
} }
byte[] bytes = ByteStreams.limit(input, maxBytes).readAllBytes(); byte[] bytes = ByteStreams.limit(input, maxBytes + 1).readAllBytes(); // read one extra to detect overflow
if (bytes.length == maxBytes) { if (bytes.length > maxBytes) {
throw new IOException("Response size exceeds the maximum allowed size (%s bytes)".formatted(maxBytes)); throw new IOException("Response size exceeds the maximum allowed size (%s bytes)".formatted(maxBytes));
} }
return bytes; return bytes;
} }
} }
private PoolingHttpClientConnectionManager newConnectionManager(CommaFeedConfiguration config) { private PoolingHttpClientConnectionManager newConnectionManager(CommaFeedConfiguration config) {
SSLFactory sslFactory = SSLFactory.builder().withUnsafeTrustMaterial().withUnsafeHostnameVerifier().build(); SSLFactory sslFactory = SSLFactory.builder().withUnsafeTrustMaterial().withUnsafeHostnameVerifier().build();
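Review bot: The three-line comment added above `toByteArray` describes the behaviour this commit removes, not the code that is now there: the stream is now limited to `maxBytes + 1` and a body of exactly `maxBytes` is accepted, so "it throws an exception ... This is an off-by-one error" will read as a description of a live bug. I would replace it with something like `// Content-Length may be absent or wrong, so read up to maxBytes + 1 and reject only when more than maxBytes bytes arrive.` This cap is what bounds memory when buffering a response from an untrusted server, so the comment should state the invariant the check enforces. Separately, `maxBytes + 1` wraps to a negative value if a caller ever passes `Long.MAX_VALUE`; whether that can happen depends on configuration not visible here. The middle of `toByteArray` lies between the two hunks and is not shown.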