From 45c2803f3e29b8b1042e6569b7d860498940eca0 Mon Sep 17 00:00:00 2001
From: Gunnar Beutner <gunnar.beutner@icinga.com>
Date: Wed, 28 Feb 2018 12:06:01 +0100
Subject: [PATCH] Fix incorrect HTTP content length limits

---
 doc/12-icinga2-api.md               |  8 +++---
 lib/remote/httpserverconnection.cpp | 40 +++++++++++++++++------------
 2 files changed, 28 insertions(+), 20 deletions(-)

diff --git a/doc/12-icinga2-api.md b/doc/12-icinga2-api.md
index 6e515fb36..838fd86a4 100644
--- a/doc/12-icinga2-api.md
+++ b/doc/12-icinga2-api.md
@@ -237,12 +237,12 @@ Available permissions for specific URL endpoints:
   actions/&lt;action&gt;        | /v1/actions   | Yes               | 1
   config/query                  | /v1/config    | No                | 1
   config/modify                 | /v1/config    | No                | 512
-  console                       | /v1/console   | No                | 512
+  console                       | /v1/console   | No                | 1
   events/&lt;type&gt;           | /v1/events    | No                | 1
   objects/query/&lt;type&gt;    | /v1/objects   | Yes               | 1
-  objects/create/&lt;type&gt;   | /v1/objects   | No                | 512
-  objects/modify/&lt;type&gt;   | /v1/objects   | Yes               | 512
-  objects/delete/&lt;type&gt;   | /v1/objects   | Yes               | 512
+  objects/create/&lt;type&gt;   | /v1/objects   | No                | 1
+  objects/modify/&lt;type&gt;   | /v1/objects   | Yes               | 1
+  objects/delete/&lt;type&gt;   | /v1/objects   | Yes               | 1
   status/query                  | /v1/status    | Yes               | 1
   templates/&lt;type&gt;        | /v1/templates | Yes               | 1
   types                         | /v1/types     | Yes               | 1
diff --git a/lib/remote/httpserverconnection.cpp b/lib/remote/httpserverconnection.cpp
index 122209f62..130f56681 100644
--- a/lib/remote/httpserverconnection.cpp
+++ b/lib/remote/httpserverconnection.cpp
@@ -188,16 +188,6 @@ bool HttpServerConnection::ProcessMessage()
 
 bool HttpServerConnection::ManageHeaders(HttpResponse& response)
 {
-	static const size_t defaultContentLengthLimit = 1 * 1024 * 1024;
-	static const Dictionary::Ptr specialContentLengthLimits = new Dictionary({
-		  {"*", 512 * 1024 * 1024},
-		  {"config/modify", 512 * 1024 * 1024},
-		  {"console", 512 * 1024 * 1024},
-		  {"objects/create", 512 * 1024 * 1024},
-		  {"objects/modify", 512 * 1024 * 1024},
-		  {"objects/delete", 512 * 1024 * 1024}
-	});
-
 	if (m_CurrentRequest.Headers->Get("expect") == "100-continue") {
 		String continueResponse = "HTTP/1.1 100 Continue\r\n\r\n";
 		m_Stream->Write(continueResponse.CStr(), continueResponse.GetLength());
@@ -288,16 +278,34 @@ bool HttpServerConnection::ManageHeaders(HttpResponse& response)
 		return false;
 	}
 
+	static const size_t defaultContentLengthLimit = 1 * 1024 * 1024;
 	size_t maxSize = defaultContentLengthLimit;
 
 	Array::Ptr permissions = m_AuthenticatedUser->GetPermissions();
-	ObjectLock olock(permissions);
 
-	for (const Value& permission : permissions) {
-		std::vector<String> permissionParts = String(permission).Split("/");
-		String permissionPath = permissionParts[0] + (permissionParts.size() > 1 ? "/" + permissionParts[1] : "");
-		int size = specialContentLengthLimits->Get(permissionPath);
-		maxSize = size > maxSize ? size : maxSize;
+	if (permissions) {
+		ObjectLock olock(permissions);
+
+		for (const Value& permissionInfo : permissions) {
+			String permission;
+
+			if (permissionInfo.IsObjectType<Dictionary>())
+				permission = static_cast<Dictionary::Ptr>(permissionInfo)->Get("permission");
+			else
+				permission = permissionInfo;
+
+			static std::vector<std::pair<String, size_t>> specialContentLengthLimits {
+				  { "config/modify", 512 * 1024 * 1024 }
+			};
+
+			for (const auto& limitInfo : specialContentLengthLimits) {
+				if (limitInfo.second <= maxSize)
+					continue;
+
+				if (Utility::Match(permission, limitInfo.first))
+					maxSize = limitInfo.second;
+			}
+		}
 	}
 
 	size_t contentLength = m_CurrentRequest.Headers->Get("content-length");
-- 
2.40.0