Don't allow PUTS with Content-Range header

2016-03-04 19:33:00 +01:00 · 2016-03-04 19:33:00 +01:00 · 43ff83d26b
commit 43ff83d26b
parent fd3293025d
2 changed files with 9 additions and 0 deletions
--- a/lib/remote_storage/swift.rb
+++ b/lib/remote_storage/swift.rb
@ -130,6 +130,7 @@ module RemoteStorage
    end

    def put_data(user, directory, key, data, content_type)
+      server.halt 400 if server.env["HTTP_CONTENT_RANGE"]
      server.halt 409 if has_name_collision?(user, directory, key)

      existing_metadata = redis.hgetall "rs:m:#{user}:#{directory}/#{key}"
--- a/spec/swift/app_spec.rb
+++ b/spec/swift/app_spec.rb
@ -129,6 +129,14 @@ describe "App" do
          metadata = redis.hgetall "rs:m:phil:food/aguacate/empanado"
          metadata.must_be_empty
        end
+
+        it "returns 400 when a Content-Range header is sent" do
+          header "Content-Range", "bytes 0-3/3"
+
+          put "/phil/food/aguacate", "si"
+
+          last_response.status.must_equal 400
+        end
      end
    end
  end