{-# LANGUAGE BangPatterns #-} {-# LANGUAGE CPP #-} {-# LANGUAGE DeriveDataTypeable #-} {-# LANGUAGE ExistentialQuantification #-} {-# LANGUAGE FlexibleContexts #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE ScopedTypeVariables #-} module Snap.Internal.Util.FileUploads ( -- * Functions handleFormUploads , foldMultipart , PartFold , FormParam , FormFile (..) , storeAsLazyByteString , withTemporaryStore -- ** Backwards compatible API , handleFileUploads , handleMultipart , PartProcessor -- * Uploaded parts , PartInfo(..) , PartDisposition(..) , toPartDisposition -- ** Policy -- *** General upload policy , UploadPolicy(..) , defaultUploadPolicy , doProcessFormInputs , setProcessFormInputs , getMaximumFormInputSize , setMaximumFormInputSize , getMaximumNumberOfFormInputs , setMaximumNumberOfFormInputs , getMinimumUploadRate , setMinimumUploadRate , getMinimumUploadSeconds , setMinimumUploadSeconds , getUploadTimeout , setUploadTimeout -- *** File upload policy , FileUploadPolicy(..) , defaultFileUploadPolicy , setMaximumFileSize , setMaximumNumberOfFiles , setSkipFilesWithoutNames , setMaximumSkippedFileSize -- *** Per-file upload policy , PartUploadPolicy(..) , disallow , allowWithMaximumSize -- * Exceptions , FileUploadException(..) , fileUploadExceptionReason , BadPartException(..) , PolicyViolationException(..) ) where ------------------------------------------------------------------------------ import Control.Applicative (Alternative ((<|>)), Applicative (pure, (*>), (<*))) import Control.Arrow (Arrow (first)) import Control.Exception.Lifted (Exception, SomeException (..), bracket, catch, finally, fromException, mask, throwIO, toException) import qualified Control.Exception.Lifted as E (try) import Control.Monad (Functor (fmap), Monad (return, (>>=)), MonadPlus (mzero), forM_, guard, liftM, sequence, unless, void, when, (>=>)) import Control.Monad.IO.Class (liftIO) import Data.Attoparsec.ByteString.Char8 (Parser, isEndOfLine, string, takeWhile) import qualified Data.Attoparsec.ByteString.Char8 as Atto (try) import Data.ByteString.Char8 (ByteString) import qualified Data.ByteString.Char8 as S import Data.ByteString.Internal (c2w) import qualified Data.ByteString.Lazy.Internal as LB (ByteString (Empty), chunk) import qualified Data.CaseInsensitive as CI (mk) import Data.Int (Int, Int64) import qualified Data.IORef as IORef import Data.List (find, map, (++)) import qualified Data.Map as Map (insertWith) import Data.Maybe (Maybe (..), fromMaybe, isJust, maybe) import Data.Text (Text) import qualified Data.Text as T (concat, pack, unpack) import qualified Data.Text.Encoding as TE (decodeUtf8) import Data.Typeable (Typeable, cast) import Prelude (Bool (..), Double, Either (..), Eq (..), FilePath, IO, Ord (..), Show (..), String, const, either, foldr, fst, id, max, not, otherwise, seq, snd, succ, ($), ($!), (.), (^), (||)) import Snap.Core (HasHeaders (headers), Headers, MonadSnap, Request (rqParams, rqPostParams), getHeader, getRequest, getTimeoutModifier, putRequest, runRequestBody) import Snap.Internal.Parsing (crlf, fullyParse, pContentTypeWithParameters, pHeaders, pValueWithParameters') import qualified Snap.Types.Headers as H (fromList) import System.Directory (removeFile) import System.FilePath (()) import System.IO (BufferMode (NoBuffering), Handle, hClose, hSetBuffering, openBinaryTempFile) import System.IO.Error (isDoesNotExistError) import System.IO.Streams (InputStream, MatchInfo (..), TooManyBytesReadException, search) import qualified System.IO.Streams as Streams import System.IO.Streams.Attoparsec (parseFromStream) import System.PosixCompat.Temp (mkstemp) ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ -- | Reads uploaded files into a temporary directory and calls a user handler -- to process them. -- -- Note: /THE REQUEST MUST BE CORRECTLY ENCODED/. If the request's -- @Content-type@ is not \"@multipart/formdata@\", this function skips -- processing using 'pass'. -- -- Given a temporary directory, global and file-specific upload policies, and a -- user handler, this function consumes a request body uploaded with -- @Content-type: multipart/form-data@. Each file is read into the temporary -- directory, and is then passed to the user handler. After the user handler -- runs (but before the 'Response' body is streamed to the client), the files -- are deleted from disk; so if you want to retain or use the uploaded files in -- the generated response, you need to move or otherwise process them. -- -- The argument passed to the user handler is a tuple: -- -- > (PartInfo, Either PolicyViolationException FilePath) -- -- The first half of this tuple is a 'PartInfo', which contains the -- information the client browser sent about the given upload part (like -- filename, content-type, etc). The second half of this tuple is an 'Either' -- stipulating that either: -- -- 1. the file was rejected on a policy basis because of the provided -- 'PartUploadPolicy' handler -- -- 2. the file was accepted and exists at the given path. -- -- /Exceptions/ -- -- If the client's upload rate passes below the configured minimum (see -- 'setMinimumUploadRate' and 'setMinimumUploadSeconds'), this function -- terminates the connection. This setting is there to protect the server -- against slowloris-style denial of service attacks. -- -- If the given 'UploadPolicy' stipulates that you wish form inputs to be -- placed in the 'rqParams' parameter map (using 'setProcessFormInputs'), and -- a form input exceeds the maximum allowable size, this function will throw a -- 'PolicyViolationException'. -- -- If an uploaded part contains MIME headers longer than a fixed internal -- threshold (currently 32KB), this function will throw a 'BadPartException'. handleFileUploads :: (MonadSnap m) => FilePath -- ^ temporary directory -> UploadPolicy -- ^ general upload policy -> (PartInfo -> PartUploadPolicy) -- ^ per-part upload policy -> (PartInfo -> Either PolicyViolationException FilePath -> IO a) -- ^ user handler (see function -- description) -> m [a] handleFileUploads tmpdir uploadPolicy partPolicy partHandler = handleMultipart uploadPolicy go where go partInfo stream = maybe disallowed takeIt mbFs where ctText = partContentType partInfo fnText = fromMaybe "" $ partFileName partInfo ct = TE.decodeUtf8 ctText fn = TE.decodeUtf8 fnText (PartUploadPolicy mbFs) = partPolicy partInfo takeIt maxSize = do str' <- Streams.throwIfProducesMoreThan maxSize stream fileReader tmpdir partHandler partInfo str' `catch` tooMany maxSize tooMany maxSize (_ :: TooManyBytesReadException) = partHandler partInfo (Left $ PolicyViolationException $ T.concat [ "File \"" , fn , "\" exceeded maximum allowable size " , T.pack $ show maxSize ]) disallowed = partHandler partInfo (Left $ PolicyViolationException $ T.concat [ "Policy disallowed upload of file \"" , fn , "\" with content-type \"" , ct , "\"" ] ) ------------------------------------------------------------------------------ -- | Contents of form field of type @file@ data FormFile a = FormFile { formFileName :: !ByteString -- ^ Name of a field , formFileValue :: a -- ^ Result of storing file } deriving (Eq, Ord, Show) data UploadState a = UploadState { numUploadedFiles :: !Int , uploadedFiles :: !([FormFile a] -> [FormFile a]) } -- | Processes form data and calls provided storage function on -- file parts. -- -- You can use this together with 'withTemporaryStore', 'storeAsLazyByteString' -- or provide your own callback to store uploaded files. -- -- If you need to process uploaded file mime type or file name, do it in the -- store callback function. -- -- See also 'foldMultipart'. -- -- Example using with small files which can safely be stored in memory. -- -- @ -- -- import qualified Data.ByteString.Lazy as Lazy -- -- handleSmallFiles :: MonadSnap m => [(ByteString, ByteString, Lazy.ByteString)] -- handleSmallFiles = handleFormUploads uploadPolicy filePolicy store -- -- where -- uploadPolicy = defaultUploadPolicy -- filePolicy = setMaximumFileSize (64*1024) -- $ setMaximumNumberOfFiles 5 -- defaultUploadPolicy -- store partInfo stream = do -- content <- storeAsLazyByteString partInfo stream -- let -- fileName = partFileName partInfo -- fileMime = partContentType partInfo -- in (fileName, fileMime, content) -- @ -- handleFormUploads :: (MonadSnap m) => UploadPolicy -- ^ general upload policy -> FileUploadPolicy -- ^ Upload policy for files -> (PartInfo -> InputStream ByteString -> IO a) -- ^ A file storage function -> m ([FormParam], [FormFile a]) handleFormUploads uploadPolicy filePolicy partHandler = do (params, !st) <- foldMultipart uploadPolicy go (UploadState 0 id) return (params, uploadedFiles st []) where go !partInfo stream !st = do when (numUploads >= maxFiles) throwTooManyFiles case partFileName partInfo of Nothing -> onEmptyName Just _ -> takeIt where numUploads = numUploadedFiles st files = uploadedFiles st maxFiles = maxNumberOfFiles filePolicy maxFileSize = maxFileUploadSize filePolicy fnText = fromMaybe "" $ partFileName partInfo fn = TE.decodeUtf8 fnText takeIt = do str' <- Streams.throwIfProducesMoreThan maxFileSize stream r <- partHandler partInfo str' `catch` tooMany maxFileSize let f = FormFile (partFieldName partInfo) r return $! UploadState (succ numUploads) (files . ([f] ++) ) skipIt maxSize = do str' <- Streams.throwIfProducesMoreThan maxSize stream !_ <- Streams.skipToEof str' `catch` tooMany maxSize return $! UploadState (succ numUploads) files onEmptyName = if skipEmptyFileName filePolicy then skipIt (maxEmptyFileNameSize filePolicy) else takeIt throwTooManyFiles = throwIO . PolicyViolationException $ T.concat ["number of files exceeded the maximum of " ,T.pack (show maxFiles) ] tooMany maxSize (_ :: TooManyBytesReadException) = throwIO . PolicyViolationException $ T.concat [ "File \"" , fn , "\" exceeded maximum allowable size " , T.pack $ show maxSize ] ------------------------------------------------------------------------------ -- | A type alias for a function that will process one of the parts of a -- @multipart/form-data@ HTTP request body with accumulator. type PartFold a = PartInfo -> InputStream ByteString -> a -> IO a ------------------------------------------------------------------------------ -- | Given an upload policy and a function to consume uploaded \"parts\", -- consume a request body uploaded with @Content-type: multipart/form-data@. -- -- If 'setProcessFormInputs' is 'True', then parts with disposition @form-data@ -- (a form parameter) will be processed and returned as first element of -- resulting pair. Parts with other disposition will be fed to 'PartFold' -- handler. -- -- If 'setProcessFormInputs' is 'False', then parts with any disposition will -- be fed to 'PartFold' handler and first element of returned pair will be -- empty. In this case it is important that you limit number of form inputs -- and sizes of inputs in your 'PartFold' handler to avoid common DOS attacks. -- -- Note: /THE REQUEST MUST BE CORRECTLY ENCODED/. If the request's -- @Content-type@ is not \"@multipart/formdata@\", this function skips -- processing using 'pass'. -- -- Most users will opt for the higher-level 'handleFileUploads', which writes -- to temporary files, rather than 'handleMultipart'. This function should be -- chosen, however, if you need to stream uploaded files directly to your own -- processing function: e.g. to a database or a remote service via RPC. -- -- If the client's upload rate passes below the configured minimum (see -- 'setMinimumUploadRate' and 'setMinimumUploadSeconds'), this function -- terminates the connection. This setting is there to protect the server -- against slowloris-style denial of service attacks. -- -- /Exceptions/ -- -- If the given 'UploadPolicy' stipulates that you wish form inputs to be -- processed (using 'setProcessFormInputs'), and a form input exceeds the -- maximum allowable size or the form exceeds maximum number of inputs, this -- function will throw a 'PolicyViolationException'. -- -- If an uploaded part contains MIME headers longer than a fixed internal -- threshold (currently 32KB), this function will throw a 'BadPartException'. -- -- /Since: 1.0.3.0/ foldMultipart :: (MonadSnap m) => UploadPolicy -- ^ global upload policy -> PartFold a -- ^ part processor -> a -- ^ seed accumulator -> m ([FormParam], a) foldMultipart uploadPolicy origPartHandler zero = do hdrs <- liftM headers getRequest let (ct, mbBoundary) = getContentType hdrs tickleTimeout <- liftM (. max) getTimeoutModifier let bumpTimeout = tickleTimeout $ uploadTimeout uploadPolicy let partHandler = if doProcessFormInputs uploadPolicy then captureVariableOrReadFile (getMaximumFormInputSize uploadPolicy) origPartHandler else \x y acc -> liftM File $ origPartHandler x y acc -- not well-formed multipart? bomb out. guard (ct == "multipart/form-data") boundary <- maybe (throwIO $ BadPartException "got multipart/form-data without boundary") return mbBoundary -- RateTooSlowException will be caught and properly dealt with by -- runRequestBody runRequestBody (proc bumpTimeout boundary partHandler) where -------------------------------------------------------------------------- uploadRate = minimumUploadRate uploadPolicy uploadSecs = minimumUploadSeconds uploadPolicy maxFormVars = maximumNumberOfFormInputs uploadPolicy -------------------------------------------------------------------------- proc bumpTimeout boundary partHandler = Streams.throwIfTooSlow bumpTimeout uploadRate uploadSecs >=> internalFoldMultipart maxFormVars boundary partHandler zero ------------------------------------------------------------------------------ -- | A type alias for a function that will process one of the parts of a -- @multipart/form-data@ HTTP request body without usinc accumulator. type PartProcessor a = PartInfo -> InputStream ByteString -> IO a ------------------------------------------------------------------------------ -- | A variant of 'foldMultipart' accumulating results into a list. -- Also puts captured 'FormParam's into rqPostParams and rqParams maps. -- handleMultipart :: (MonadSnap m) => UploadPolicy -- ^ global upload policy -> PartProcessor a -- ^ part processor -> m [a] handleMultipart uploadPolicy origPartHandler = do (captures, files) <- foldMultipart uploadPolicy partFold id procCaptures captures return $! files [] where partFold info input acc = do x <- origPartHandler info input return $ acc . ([x]++) -------------------------------------------------------------------------- procCaptures [] = pure () procCaptures params = do rq <- getRequest putRequest $ modifyParams (\m -> foldr ins m params) rq -------------------------------------------------------------------------- ins (!k, !v) = Map.insertWith (\_ ex -> (v:ex)) k [v] -- prepend value if key exists, since we are folding from right -------------------------------------------------------------------------- modifyParams f r = r { rqPostParams = f $ rqPostParams r , rqParams = f $ rqParams r } ------------------------------------------------------------------------------ -- | Represents the disposition type specified via the @Content-Disposition@ -- header field. See . data PartDisposition = DispositionAttachment -- ^ @Content-Disposition: attachment@. | DispositionFile -- ^ @Content-Disposition: file@. | DispositionFormData -- ^ @Content-Disposition: form-data@. | DispositionOther ByteString -- ^ Any other value. deriving (Eq, Show) ------------------------------------------------------------------------------ -- | 'PartInfo' contains information about a \"part\" in a request uploaded -- with @Content-type: multipart/form-data@. data PartInfo = PartInfo { partFieldName :: !ByteString -- ^ Field name associated with this part (i.e., the name specified with -- @\ PartDisposition toPartDisposition s | s == "attachment" = DispositionAttachment | s == "file" = DispositionFile | s == "form-data" = DispositionFormData | otherwise = DispositionOther s ------------------------------------------------------------------------------ -- | All of the exceptions defined in this package inherit from -- 'FileUploadException', so if you write -- -- > foo `catch` \(e :: FileUploadException) -> ... -- -- you can catch a 'BadPartException', a 'PolicyViolationException', etc. data FileUploadException = forall e . (ExceptionWithReason e, Show e) => WrappedFileUploadException e deriving (Typeable) ------------------------------------------------------------------------------ class Exception e => ExceptionWithReason e where exceptionReason :: e -> Text ------------------------------------------------------------------------------ instance Show FileUploadException where show (WrappedFileUploadException e) = show e ------------------------------------------------------------------------------ instance Exception FileUploadException ------------------------------------------------------------------------------ -- | Human-readable error message corresponding to the 'FileUploadException'. fileUploadExceptionReason :: FileUploadException -> Text fileUploadExceptionReason (WrappedFileUploadException e) = exceptionReason e ------------------------------------------------------------------------------ uploadExceptionToException :: ExceptionWithReason e => e -> SomeException uploadExceptionToException = toException . WrappedFileUploadException ------------------------------------------------------------------------------ uploadExceptionFromException :: ExceptionWithReason e => SomeException -> Maybe e uploadExceptionFromException x = do WrappedFileUploadException e <- fromException x cast e ------------------------------------------------------------------------------ -- | Thrown when a part is invalid in some way (e.g. the headers are too large). data BadPartException = BadPartException { -- | Human-readable error message corresponding to the 'BadPartException'. badPartExceptionReason :: Text } deriving (Typeable) instance Exception BadPartException where toException = uploadExceptionToException fromException = uploadExceptionFromException instance ExceptionWithReason BadPartException where exceptionReason (BadPartException e) = T.concat ["Bad part: ", e] instance Show BadPartException where show = T.unpack . exceptionReason ------------------------------------------------------------------------------ -- | Thrown when an 'UploadPolicy' or 'PartUploadPolicy' is violated. data PolicyViolationException = PolicyViolationException { -- | Human-readable error message corresponding to the -- 'PolicyViolationException'. policyViolationExceptionReason :: Text } deriving (Typeable) instance Exception PolicyViolationException where toException e@(PolicyViolationException _) = uploadExceptionToException e fromException = uploadExceptionFromException instance ExceptionWithReason PolicyViolationException where exceptionReason (PolicyViolationException r) = T.concat ["File upload policy violation: ", r] instance Show PolicyViolationException where show (PolicyViolationException s) = "File upload policy violation: " ++ T.unpack s ------------------------------------------------------------------------------ -- | 'UploadPolicy' controls overall policy decisions relating to -- @multipart/form-data@ uploads, specifically: -- -- * whether to treat parts without filenames as form input (reading them into -- the 'rqParams' map) -- -- * because form input is read into memory, the maximum size of a form input -- read in this manner, and the maximum number of form inputs -- -- * the minimum upload rate a client must maintain before we kill the -- connection; if very low-bitrate uploads were allowed then a Snap server -- would be vulnerable to a trivial denial-of-service using a -- \"slowloris\"-type attack -- -- * the minimum number of seconds which must elapse before we start killing -- uploads for having too low an upload rate. -- -- * the amount of time we should wait before timing out the connection -- whenever we receive input from the client. data UploadPolicy = UploadPolicy { processFormInputs :: Bool , maximumFormInputSize :: Int64 , maximumNumberOfFormInputs :: Int , minimumUploadRate :: Double , minimumUploadSeconds :: Int , uploadTimeout :: Int } ------------------------------------------------------------------------------ -- | A reasonable set of defaults for upload policy. The default policy is: -- -- [@maximum form input size@] 128kB -- -- [@maximum number of form inputs@] 10 -- -- [@minimum upload rate@] 1kB/s -- -- [@seconds before rate limiting kicks in@] 10 -- -- [@inactivity timeout@] 20 seconds -- defaultUploadPolicy :: UploadPolicy defaultUploadPolicy = UploadPolicy True maxSize maxNum minRate minSeconds tout where maxSize = 2^(17::Int) maxNum = 10 minRate = 1000 minSeconds = 10 tout = 20 ------------------------------------------------------------------------------ -- | Does this upload policy stipulate that we want to treat parts without -- filenames as form input? doProcessFormInputs :: UploadPolicy -> Bool doProcessFormInputs = processFormInputs ------------------------------------------------------------------------------ -- | Set the upload policy for treating parts without filenames as form input. setProcessFormInputs :: Bool -> UploadPolicy -> UploadPolicy setProcessFormInputs b u = u { processFormInputs = b } ------------------------------------------------------------------------------ -- | Get the maximum size of a form input which will be read into our -- 'rqParams' map. getMaximumFormInputSize :: UploadPolicy -> Int64 getMaximumFormInputSize = maximumFormInputSize ------------------------------------------------------------------------------ -- | Set the maximum size of a form input which will be read into our -- 'rqParams' map. setMaximumFormInputSize :: Int64 -> UploadPolicy -> UploadPolicy setMaximumFormInputSize s u = u { maximumFormInputSize = s } ------------------------------------------------------------------------------ -- | Get the maximum size of a form input which will be read into our -- 'rqParams' map. getMaximumNumberOfFormInputs :: UploadPolicy -> Int getMaximumNumberOfFormInputs = maximumNumberOfFormInputs ------------------------------------------------------------------------------ -- | Set the maximum size of a form input which will be read into our -- 'rqParams' map. setMaximumNumberOfFormInputs :: Int -> UploadPolicy -> UploadPolicy setMaximumNumberOfFormInputs s u = u { maximumNumberOfFormInputs = s } ------------------------------------------------------------------------------ -- | Get the minimum rate (in /bytes\/second/) a client must maintain before -- we kill the connection. getMinimumUploadRate :: UploadPolicy -> Double getMinimumUploadRate = minimumUploadRate ------------------------------------------------------------------------------ -- | Set the minimum rate (in /bytes\/second/) a client must maintain before -- we kill the connection. setMinimumUploadRate :: Double -> UploadPolicy -> UploadPolicy setMinimumUploadRate s u = u { minimumUploadRate = s } ------------------------------------------------------------------------------ -- | Get the amount of time which must elapse before we begin enforcing the -- upload rate minimum getMinimumUploadSeconds :: UploadPolicy -> Int getMinimumUploadSeconds = minimumUploadSeconds ------------------------------------------------------------------------------ -- | Set the amount of time which must elapse before we begin enforcing the -- upload rate minimum setMinimumUploadSeconds :: Int -> UploadPolicy -> UploadPolicy setMinimumUploadSeconds s u = u { minimumUploadSeconds = s } ------------------------------------------------------------------------------ -- | Get the \"upload timeout\". Whenever input is received from the client, -- the connection timeout is set this many seconds in the future. getUploadTimeout :: UploadPolicy -> Int getUploadTimeout = uploadTimeout ------------------------------------------------------------------------------ -- | Set the upload timeout. setUploadTimeout :: Int -> UploadPolicy -> UploadPolicy setUploadTimeout s u = u { uploadTimeout = s } ------------------------------------------------------------------------------ -- | File upload policy, if any policy is violated then -- 'PolicyViolationException' is thrown data FileUploadPolicy = FileUploadPolicy { maxFileUploadSize :: !Int64 , maxNumberOfFiles :: !Int , skipEmptyFileName :: !Bool , maxEmptyFileNameSize :: !Int64 } -- | A default 'FileUploadPolicy' -- -- [@maximum file size@] 1MB -- -- [@maximum number of files@] 10 -- -- [@skip files without name@] yes -- -- [@maximum size of skipped file@] 0 -- -- defaultFileUploadPolicy :: FileUploadPolicy defaultFileUploadPolicy = FileUploadPolicy maxFileSize maxFiles skipEmptyName maxEmptySize where maxFileSize = 1048576 -- 1MB maxFiles = 10 skipEmptyName = True maxEmptySize = 0 -- | Maximum size of single uploaded file. setMaximumFileSize :: Int64 -> FileUploadPolicy -> FileUploadPolicy setMaximumFileSize maxSize s = s { maxFileUploadSize = maxSize } -- | Maximum number of uploaded files. setMaximumNumberOfFiles :: Int -> FileUploadPolicy -> FileUploadPolicy setMaximumNumberOfFiles maxFiles s = s { maxNumberOfFiles = maxFiles } -- | Skip files with empty file names. -- -- If set, parts without filenames will not be fed to storage function. -- -- HTML5 form data encoding standard states that form input fields of type -- file, without value set, are encoded same way as if file with empty body, -- empty file name, and type @application/octet-stream@ was set as value. -- -- You most likely want to use this with zero bytes allowed to avoid storing -- such fields (see 'setMaximumSkippedFileSize'). -- -- By default files without names are skipped. -- -- /Since: 1.0.3.0/ setSkipFilesWithoutNames :: Bool -> FileUploadPolicy -> FileUploadPolicy setSkipFilesWithoutNames shouldSkip s = s { skipEmptyFileName = shouldSkip } -- | Maximum size of file without name which can be skipped. -- -- Ignored if 'setSkipFilesWithoutNames' is @False@. -- -- If skipped file is larger than this setting then 'FileUploadException' -- is thrown. -- -- By default maximum file size is 0. -- -- /Since: 1.0.3.0/ setMaximumSkippedFileSize :: Int64 -> FileUploadPolicy -> FileUploadPolicy setMaximumSkippedFileSize maxSize s = s { maxEmptyFileNameSize = maxSize } ------------------------------------------------------------------------------ -- | Upload policy can be set on an \"general\" basis (using 'UploadPolicy'), -- but handlers can also make policy decisions on individual files\/parts -- uploaded. For each part uploaded, handlers can decide: -- -- * whether to allow the file upload at all -- -- * the maximum size of uploaded files, if allowed data PartUploadPolicy = PartUploadPolicy (Maybe Int64) ------------------------------------------------------------------------------ -- | Disallows the file to be uploaded. disallow :: PartUploadPolicy disallow = PartUploadPolicy Nothing ------------------------------------------------------------------------------ -- | Allows the file to be uploaded, with maximum size /n/. allowWithMaximumSize :: Int64 -> PartUploadPolicy allowWithMaximumSize = PartUploadPolicy . Just ------------------------------------------------------------------------------ -- | Stores file body in memory as Lazy ByteString. storeAsLazyByteString :: InputStream ByteString -> IO LB.ByteString storeAsLazyByteString !str = do f <- Streams.fold (\f c -> f . LB.chunk c) id str return $! f LB.Empty ------------------------------------------------------------------------------ -- | Store files in a temporary directory, and clean up on function exit. -- -- Files are safe to move until function exists. -- -- If asynchronous exception is thrown during cleanup, temporary files may -- remain. -- -- @ -- uploadsHandler = withTemporaryStore "/var/tmp" "upload-" $ \store -> do -- (inputs, files) <- handleFormUploads defaultUploadpolicy -- defaultFileUploadPolicy -- (const store) -- saveFiles files -- -- @ -- withTemporaryStore :: MonadSnap m => FilePath -- ^ temporary directory -> String -- ^ file name pattern -> ((InputStream ByteString -> IO FilePath) -> m a) -- ^ Action taking store function -> m a withTemporaryStore tempdir pat act = do ioref <- liftIO $ IORef.newIORef [] let modifyIORef' ref f = do -- ghc 7.4 does not have modifyIORef' x <- IORef.readIORef ref let x' = f x x' `seq` IORef.writeIORef ref x' go input = do (fn, h) <- openBinaryTempFile tempdir pat modifyIORef' ioref (fn:) hSetBuffering h NoBuffering output <- Streams.handleToOutputStream h Streams.connect input output hClose h pure fn cleanup = liftIO $ do files <- IORef.readIORef ioref forM_ files $ \fn -> removeFile fn `catch` handleExists handleExists e = unless (isDoesNotExistError e) $ throwIO e act go `finally` cleanup ------------------------------------------------------------------------------ -- private exports follow. FIXME: organize ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ captureVariableOrReadFile :: Int64 -- ^ maximum size of form input -> PartFold a -- ^ file reading code -> PartInfo -> InputStream ByteString -> a -> IO (Capture a) captureVariableOrReadFile maxSize fileHandler partInfo stream acc = if isFile then liftM File $ fileHandler partInfo stream acc else variable `catch` handler where isFile = isJust (partFileName partInfo) || partDisposition partInfo == DispositionFile variable = do !x <- liftM S.concat $ Streams.throwIfProducesMoreThan maxSize stream >>= Streams.toList return $! Capture fieldName x fieldName = partFieldName partInfo handler (_ :: TooManyBytesReadException) = throwIO $ PolicyViolationException $ T.concat [ "form input '" , TE.decodeUtf8 fieldName , "' exceeded maximum permissible size (" , T.pack $ show maxSize , " bytes)" ] ------------------------------------------------------------------------------ data Capture a = Capture !ByteString !ByteString | File a ------------------------------------------------------------------------------ fileReader :: FilePath -> (PartInfo -> Either PolicyViolationException FilePath -> IO a) -> PartProcessor a fileReader tmpdir partProc partInfo input = withTempFile tmpdir "snap-upload-" $ \(fn, h) -> do hSetBuffering h NoBuffering output <- Streams.handleToOutputStream h Streams.connect input output hClose h partProc partInfo $ Right fn ------------------------------------------------------------------------------ data MultipartState a = MultipartState { numFormVars :: {-# UNPACK #-} !Int , numFormFiles :: {-# UNPACK #-} !Int , capturedFields :: !([FormParam] -> [FormParam]) , accumulator :: !a } ------------------------------------------------------------------------------ -- | A form parameter name-value pair type FormParam = (ByteString, ByteString) ------------------------------------------------------------------------------ addCapture :: ByteString -> ByteString -> MultipartState a -> MultipartState a addCapture !k !v !ms = let !kv = (k,v) f = capturedFields ms . ([kv]++) !ms' = ms { capturedFields = f , numFormVars = succ (numFormVars ms) } in ms' ------------------------------------------------------------------------------ internalFoldMultipart :: Int -- ^ max num fields -> ByteString -- ^ boundary value -> (PartInfo -> InputStream ByteString -> a -> IO (Capture a)) -- ^ part processor -> a -> InputStream ByteString -> IO ([FormParam], a) internalFoldMultipart !maxFormVars !boundary clientHandler !zeroAcc !stream = go where -------------------------------------------------------------------------- initialState = MultipartState 0 0 id zeroAcc -------------------------------------------------------------------------- go = do -- swallow the first boundary _ <- parseFromStream (parseFirstBoundary boundary) stream bmstream <- search (fullBoundary boundary) stream ms <- foldParts goPart bmstream initialState return $ (capturedFields ms [], accumulator ms) -------------------------------------------------------------------------- pBoundary !b = Atto.try $ do _ <- string "--" string b -------------------------------------------------------------------------- fullBoundary !b = S.concat ["\r\n", "--", b] pLine = takeWhile (not . isEndOfLine . c2w) <* eol parseFirstBoundary !b = pBoundary b <|> (pLine *> parseFirstBoundary b) -------------------------------------------------------------------------- takeHeaders !str = hdrs `catch` handler where hdrs = do str' <- Streams.throwIfProducesMoreThan mAX_HDRS_SIZE str liftM toHeaders $ parseFromStream pHeadersWithSeparator str' handler (_ :: TooManyBytesReadException) = throwIO $ BadPartException "headers exceeded maximum size" -------------------------------------------------------------------------- goPart !str !state = do hdrs <- takeHeaders str -- are we using mixed? let (contentType, mboundary) = getContentType hdrs let (fieldName, fileName, disposition) = getFieldHeaderInfo hdrs if contentType == "multipart/mixed" then maybe (throwIO $ BadPartException $ "got multipart/mixed without boundary") (processMixed fieldName str state) mboundary else do let info = PartInfo fieldName fileName contentType disposition hdrs handlePart info str state -------------------------------------------------------------------------- handlePart !info !str !ms = do r <- clientHandler info str (accumulator ms) case r of Capture !k !v -> do when (maxFormVars <= numFormVars ms) throwTooMuchVars return $! addCapture k v ms File !newAcc -> return $! ms { accumulator = newAcc , numFormFiles = succ (numFormFiles ms) } throwTooMuchVars = throwIO . PolicyViolationException $ T.concat [ "number of form inputs exceeded maximum of " , T.pack $ show maxFormVars ] -------------------------------------------------------------------------- processMixed !fieldName !str !state !mixedBoundary = do -- swallow the first boundary _ <- parseFromStream (parseFirstBoundary mixedBoundary) str bm <- search (fullBoundary mixedBoundary) str foldParts (mixedStream fieldName) bm state -------------------------------------------------------------------------- mixedStream !fieldName !str !acc = do hdrs <- takeHeaders str let (contentType, _) = getContentType hdrs let (_, fileName, disposition) = getFieldHeaderInfo hdrs let info = PartInfo fieldName fileName contentType disposition hdrs handlePart info str acc ------------------------------------------------------------------------------ getContentType :: Headers -> (ByteString, Maybe ByteString) getContentType hdrs = (contentType, boundary) where contentTypeValue = fromMaybe "text/plain" $ getHeader "content-type" hdrs eCT = fullyParse contentTypeValue pContentTypeWithParameters (!contentType, !params) = either (const ("text/plain", [])) id eCT boundary = findParam "boundary" params ------------------------------------------------------------------------------ getFieldHeaderInfo :: Headers -> (ByteString, Maybe ByteString, PartDisposition) getFieldHeaderInfo hdrs = (fieldName, fileName, disposition) where contentDispositionValue = fromMaybe "unknown" $ getHeader "content-disposition" hdrs eDisposition = fullyParse contentDispositionValue $ pValueWithParameters' (const True) (!dispositionType, dispositionParameters) = either (const ("unknown", [])) id eDisposition disposition = toPartDisposition dispositionType fieldName = fromMaybe "" $ findParam "name" dispositionParameters fileName = findParam "filename" dispositionParameters ------------------------------------------------------------------------------ findParam :: (Eq a) => a -> [(a, b)] -> Maybe b findParam p = fmap snd . find ((== p) . fst) ------------------------------------------------------------------------------ partStream :: InputStream MatchInfo -> IO (InputStream ByteString) partStream st = Streams.makeInputStream go where go = do s <- Streams.read st return $! s >>= f f (NoMatch s) = return s f _ = mzero ------------------------------------------------------------------------------ -- | Assuming we've already identified the boundary value and split the input -- up into parts which match and parts which don't, run the given 'ByteString' -- InputStream over each part and grab a list of the resulting values. -- -- TODO/FIXME: fix description foldParts :: (InputStream ByteString -> MultipartState a -> IO (MultipartState a)) -> InputStream MatchInfo -> (MultipartState a) -> IO (MultipartState a) foldParts partFunc stream = go where part acc pStream = do isLast <- parseFromStream pBoundaryEnd pStream if isLast then return Nothing else do !x <- partFunc pStream acc Streams.skipToEof pStream return $! Just x go !acc = do cap <- partStream stream >>= part acc maybe (return acc) go cap pBoundaryEnd = (eol *> pure False) <|> (string "--" *> pure True) ------------------------------------------------------------------------------ eol :: Parser ByteString eol = (string "\n") <|> (string "\r\n") ------------------------------------------------------------------------------ pHeadersWithSeparator :: Parser [(ByteString,ByteString)] pHeadersWithSeparator = pHeaders <* crlf ------------------------------------------------------------------------------ toHeaders :: [(ByteString,ByteString)] -> Headers toHeaders kvps = H.fromList kvps' where kvps' = map (first CI.mk) kvps ------------------------------------------------------------------------------ mAX_HDRS_SIZE :: Int64 mAX_HDRS_SIZE = 32768 ------------------------------------------------------------------------------ withTempFile :: FilePath -> String -> ((FilePath, Handle) -> IO a) -> IO a withTempFile tmpl temp handler = mask $ \restore -> bracket make cleanup (restore . handler) where make = mkstemp $ tmpl (temp ++ "XXXXXXX") cleanup (fp,h) = sequence $ map gobble [hClose h, removeFile fp] t :: IO z -> IO (Either SomeException z) t = E.try gobble = void . t