From 70592bfcd043fbcbff15207019103cc6c3a8c26e Mon Sep 17 00:00:00 2001
From: Vegard Berg
Date: Wed, 13 Sep 2023 17:12:03 +0200
Subject: [PATCH] ensure uploaded content is utf8 and not larger than 1 MiB

---
 controllers/new.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/controllers/new.go b/controllers/new.go
index 406aa31..ccdd1c9 100644
--- a/controllers/new.go
+++ b/controllers/new.go
@@ -5,6 +5,7 @@ import (
 	"io"
 	"mime/multipart"
 	"net/http"
+	"unicode/utf8"
 
 	"git.myrkvi.com/myrkvi/bin/global"
 	"git.myrkvi.com/myrkvi/bin/models"
@@ -40,6 +41,11 @@ func PostNewHandler(c echo.Context) error {
 	}
 
 	if file != nil {
+		// Don't bother trying to convert the contents into a string if it is too large.
+		if file.Size > 1024*1024 {
+			return utils.RenderErrorToast(c, "file cannot be larger than 1 MiB")
+		}
+
 		text, err = getTextFromFile(file)
 		if name == "" {
 			name = file.Filename
@@ -48,6 +54,14 @@ func PostNewHandler(c echo.Context) error {
 			return utils.RenderErrorToast(c, "server-side error occurred")
 		}
 	}
+	if len([]byte(text)) > 1024*1024 {
+		return utils.RenderErrorToast(c, "file cannot be larger than 1 MiB")
+	}
+
+	if !utf8.ValidString(text) {
+		return utils.RenderErrorToast(c, "submitted content must be utf8")
+	}
+
 	// Determine language from file extension if not set.
 	if lang == "" && name != "" {
 		lexer := lexers.Match(name)
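Review bot: The `file.Size > 1024*1024` check at the top of the `if file != nil` branch only runs after the multipart body has already been parsed, so an oversized upload is still fully received and buffered by the server before this handler rejects it; the size check bounds the string conversion but not the request cost. A request-level cap is needed alongside it, presumably echo's body-limit middleware on this route or `http.MaxBytesReader` on the request body, set slightly above 1 MiB to leave room for multipart framing. The literal `1024*1024` is also repeated here and twice more in the next hunk; a single named constant such as `const maxContentBytes = 1 << 20` with a comment `// maxContentBytes caps both uploaded files and pasted text at 1 MiB.` would keep the three limits from drifting apart. PostNewHandler starts and ends outside this hunk.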
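Review bot: `len([]byte(text))` copies the whole string (up to 1 MiB) just to measure it; in Go `len(text)` already returns the byte length, so the same check is `if len(text) > 1024*1024 {` with no allocation. The rejection message "file cannot be larger than 1 MiB" on this path is also shown when the content arrived as a pasted form field rather than an upload, since the check is outside the `if file != nil` branch; wording such as "content cannot be larger than 1 MiB" would match both cases. PostNewHandler starts and ends outside this hunk.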