Diffstat (limited to 'src/main/java/org/traccar/api/resource')
-rw-r--r--src/main/java/org/traccar/api/resource/DeviceResource.java34
-rw-r--r--src/main/java/org/traccar/api/resource/UserResource.java10
2 files changed, 36 insertions, 8 deletions
diff --git a/src/main/java/org/traccar/api/resource/DeviceResource.java b/src/main/java/org/traccar/api/resource/DeviceResource.java
index 89bba7237..56253152f 100644
--- a/src/main/java/org/traccar/api/resource/DeviceResource.java
+++ b/src/main/java/org/traccar/api/resource/DeviceResource.java
@@ -62,6 +62,9 @@ import java.util.List;
@Consumes(MediaType.APPLICATION_JSON)
public class DeviceResource extends BaseObjectResource<Device> {
+ private static final int DEFAULT_BUFFER_SIZE = 8192;
+ private static final int IMAGE_SIZE_LIMIT = 500000;
+
@Inject
private Config config;
@@ -172,6 +175,23 @@ public class DeviceResource extends BaseObjectResource<Device> {
return Response.noContent().build();
}
+ private String imageExtension(String type) {
+ switch (type) {
+ case "image/jpeg":
+ return "jpg";
+ case "image/png":
+ return "png";
+ case "image/gif":
+ return "gif";
+ case "image/webp":
+ return "webp";
+ case "image/svg+xml":
+ return "svg";
+ default:
+ throw new IllegalArgumentException("Unsupported image type");
+ }
+ }
+
@Path("{id}/image")
@POST
@Consumes("image/*")
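Review bot: `imageExtension` allow-lists `image/svg+xml`, and SVG is the one format in this switch that can carry script and external references, so an uploaded device image becomes a stored-XSS vector if the media serving path later returns the file inline under an image or SVG content type; whether it is served inline is decided outside this hunk. Either drop the `case "image/svg+xml":` branch, or make sure the serving side emits it with `Content-Disposition: attachment` (or a sandboxing CSP) rather than inline. The method also deserves a one-line Javadoc stating the intent, e.g. `/** Maps an allow-listed image MIME type to the extension it is stored under; anything else is rejected with IllegalArgumentException. */`, since the allowlist replaces the old `type.substring("image/".length())` derivation and future additions should be reviewed with that in mind.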
@@ -186,10 +206,20 @@ public class DeviceResource extends BaseObjectResource<Device> {
new Condition.Permission(User.class, getUserId(), Device.class))));
if (device != null) {
String name = "device";
- String extension = type.substring("image/".length());
+ String extension = imageExtension(type);
try (var input = new FileInputStream(file);
var output = mediaManager.createFileStream(device.getUniqueId(), name, extension)) {
- input.transferTo(output);
+
+ long transferred = 0;
+ byte[] buffer = new byte[DEFAULT_BUFFER_SIZE];
+ int read;
+ while ((read = input.read(buffer, 0, buffer.length)) >= 0) {
+ output.write(buffer, 0, read);
+ transferred += read;
+ if (transferred > IMAGE_SIZE_LIMIT) {
+ throw new IllegalArgumentException("Image size limit exceeded");
+ }
+ }
}
return Response.ok(name + "." + extension).build();
}
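Review bot: The size check runs after `output.write`, so up to `IMAGE_SIZE_LIMIT + DEFAULT_BUFFER_SIZE` bytes are written before the limit fires, and when the exception is thrown the file created through `mediaManager.createFileStream` has already been partially written; try-with-resources closes the stream but nothing visible here removes the file, so whether an oversized partial image is left behind depends on `mediaManager`, which is outside the hunk. Checking before writing — `if (transferred + read > IMAGE_SIZE_LIMIT) { throw new IllegalArgumentException("Image size limit exceeded"); }` placed ahead of `output.write(buffer, 0, read);` — keeps the stored file within the limit, and a delete on the failure path would avoid orphaned files. Note also that `file` is fully received before this loop runs, so the limit bounds what is persisted, not what the server accepts on the wire; a request-body size cap belongs at the container or front-end level. The enclosing method starts before this hunk.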
diff --git a/src/main/java/org/traccar/api/resource/UserResource.java b/src/main/java/org/traccar/api/resource/UserResource.java
index 47ea9b07c..fbc31e46a 100644
--- a/src/main/java/org/traccar/api/resource/UserResource.java
+++ b/src/main/java/org/traccar/api/resource/UserResource.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2015 - 2022 Anton Tananaev (anton@traccar.org)
+ * Copyright 2015 - 2024 Anton Tananaev (anton@traccar.org)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -95,7 +95,9 @@ public class UserResource extends BaseObjectResource<User> {
}
}
} else {
- if (!permissionsService.getServer().getRegistration()) {
+ if (UserUtil.isEmpty(storage)) {
+ entity.setAdministrator(true);
+ } else if (!permissionsService.getServer().getRegistration()) {
throw new SecurityException("Registration disabled");
}
if (permissionsService.getServer().getBoolean(Keys.WEB_TOTP_FORCE.getKey())
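Review bot: The new bootstrap branch grants administrator to any unauthenticated caller who observes `UserUtil.isEmpty(storage)`, and that check is separated from the `storage.addObject` insert further down the method, so two concurrent first registrations can both see an empty store and both be created as administrators unless the storage layer serializes this, which is not visible here. Since this path now also bypasses the `getRegistration()` switch, it is worth guarding — a lock around the empty-check-and-insert, or re-checking emptiness inside the same transaction as the insert. A comment stating the intent would help the next reader, e.g. `// Bootstrap: the first account on an empty store becomes administrator, even when self-registration is disabled.` The enclosing method extends beyond this hunk.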
@@ -106,10 +108,6 @@ public class UserResource extends BaseObjectResource<User> {
}
}
- if (UserUtil.isEmpty(storage)) {
- entity.setAdministrator(true);
- }
-
entity.setId(storage.addObject(entity, new Request(new Columns.Exclude("id"))));
storage.updateObject(entity, new Request(
new Columns.Include("hashedPassword", "salt"),