From 43ff83d26b8907ff8d1d4825b317ed2ad21acc52 Mon Sep 17 00:00:00 2001
From: Garret Alfert
Date: Fri, 4 Mar 2016 19:33:00 +0100
Subject: [PATCH] Don't allow PUTS with Content-Range header
---
 lib/remote_storage/swift.rb | 1 +
 spec/swift/app_spec.rb | 8 ++++++++
 2 files changed, 9 insertions(+)
diff --git a/lib/remote_storage/swift.rb b/lib/remote_storage/swift.rb
index 6a88013..6427200 100644
--- a/lib/remote_storage/swift.rb
+++ b/lib/remote_storage/swift.rb
@@ -130,6 +130,7 @@ module RemoteStorage
 end
 def put_data(user, directory, key, data, content_type)
+ server.halt 400 if server.env["HTTP_CONTENT_RANGE"]
 server.halt 409 if has_name_collision?(user, directory, key)
 existing_metadata = redis.hgetall "rs:m:#{user}:#{directory}/#{key}"
diff --git a/spec/swift/app_spec.rb b/spec/swift/app_spec.rb
index 1f244f7..e29b629 100644
--- a/spec/swift/app_spec.rb
+++ b/spec/swift/app_spec.rb
@@ -129,6 +129,14 @@ describe "App" do
 metadata = redis.hgetall "rs:m:phil:food/aguacate/empanado"
 metadata.must_be_empty
 end
+
+ it "returns 400 when a Content-Range header is sent" do
+ header "Content-Range", "bytes 0-3/3"
+
+ put "/phil/food/aguacate", "si"
+
+ last_response.status.must_equal 400
+ end
 end
 end
 end
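Review bot: The new guard at the top of put_data has no comment saying why a PUT with Content-Range is refused, and the bare `server.halt 400` gives the client no reason either. I would add `# RFC 7231, section 4.3.4: a PUT carrying Content-Range must be answered with 400; storing the partial body would replace the whole document` above it. If `server` is the Sinatra app, `server.halt 400, "Content-Range is not allowed in PUT requests"` would also tell the client what went wrong. The diff touches only the Swift backend, so any other storage backend with its own put_data (not visible here) presumably needs the same check. put_data's body continues outside the hunk.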
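Review bot: The added example asserts only the status code, so it would still pass if the backend stored the two-byte body before halting. Like the preceding example in this hunk, it could also assert `redis.hgetall("rs:m:phil:food/aguacate").must_be_empty`, assuming no setup outside the hunk creates that key. The header value `bytes 0-3/3` is also not a valid range for the body `si`. A well-formed value such as `bytes 0-1/2` would show that the request is rejected for carrying the header at all, not for a malformed range.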