From 1327a6614a7f019e2d9d8b9cd6a813c95dc352ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= Date: Mon, 5 Feb 2024 21:43:47 +0100 Subject: [PATCH] Not increasing MaxRequestBodySize beyond its preconfigured size --- .../Filters/MediaStorageQuotaActionFilter.cs | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/Lombiq.Hosting.Tenants.MediaStorageManagement/Filters/MediaStorageQuotaActionFilter.cs b/Lombiq.Hosting.Tenants.MediaStorageManagement/Filters/MediaStorageQuotaActionFilter.cs index 42cf1781..8b465a0d 100644 --- a/Lombiq.Hosting.Tenants.MediaStorageManagement/Filters/MediaStorageQuotaActionFilter.cs +++ b/Lombiq.Hosting.Tenants.MediaStorageManagement/Filters/MediaStorageQuotaActionFilter.cs @@ -26,7 +26,13 @@ public async Task OnAuthorizationAsync(AuthorizationFilterContext context) context.HttpContext.Features.Set(new FormFeature(context.HttpContext.Request, formOptions)); var maxRequestBodySizeFeature = context.HttpContext.Features.Get(); - if (maxRequestBodySizeFeature is { IsReadOnly: false }) + // Only setting MaxRequestBodySize if it wouldn't go over the preconfigured size. This is necessary because + // larger requests would pose a security issue (since the original limit was configured for a reason), and under + // IIS it wouldn't work with the following message anyway: "Increasing the MaxRequestBodySize conflicts with the + // max value for IIS limit maxAllowedContentLength. HTTP requests that have a content length greater than + // maxAllowedContentLength will still be rejected by IIS. You can disable the limit by either removing or + // setting the maxAllowedContentLength value to a higher limit." + if (maxRequestBodySizeFeature is { IsReadOnly: false } && maxRequestBodySizeFeature.MaxRequestBodySize > maxFileSize) { maxRequestBodySizeFeature.MaxRequestBodySize = maxFileSize; }