diff --git a/custom/conf/app.ini.sample b/custom/conf/app.ini.sample index 328d78e2ca..fdba955bc4 100644 --- a/custom/conf/app.ini.sample +++ b/custom/conf/app.ini.sample @@ -311,6 +311,8 @@ LFS_CONTENT_PATH = data/lfs LFS_JWT_SECRET = ; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail. LFS_HTTP_AUTH_EXPIRY = 20m +; Maximum allowed LFS file size in bytes (Set to 0 for no limit). +LFS_MAX_FILE_SIZE = 0 ; Allow graceful restarts using SIGHUP to fork ALLOW_GRACEFUL_RESTARTS = true ; After a restart the parent will finish ongoing requests before diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index e58a459e4e..45a4535c23 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -192,6 +192,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`. - `LFS_CONTENT_PATH`: **./data/lfs**: Where to store LFS files. - `LFS_JWT_SECRET`: **\**: LFS authentication secret, change this a unique string. - `LFS_HTTP_AUTH_EXPIRY`: **20m**: LFS authentication validity period in time.Duration, pushes taking longer than this may fail. +- `LFS_MAX_FILE_SIZE`: **0**: Maximum allowed LFS file size in bytes (Set to 0 for no limit). - `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, allows redirecting http requests on `PORT_TO_REDIRECT` to the https port Gitea listens on. - `PORT_TO_REDIRECT`: **80**: Port for the http redirection service to listen on. Used when `REDIRECT_OTHER_PORT` is true. - `ENABLE_LETSENCRYPT`: **false**: If enabled you must set `DOMAIN` to valid internet facing domain (ensure DNS is set and port 80 is accessible by letsencrypt validation server). diff --git a/modules/lfs/server.go b/modules/lfs/server.go index dc498a86c8..d6798ec4f5 100644 --- a/modules/lfs/server.go +++ b/modules/lfs/server.go @@ -233,6 +233,12 @@ func PostHandler(ctx *context.Context) { return } + if setting.LFS.MaxFileSize > 0 && rv.Size > setting.LFS.MaxFileSize { + log.Info("Denied LFS upload of size %d to %s/%s because of LFS_MAX_FILE_SIZE=%d", rv.Size, rv.User, rv.Repo, setting.LFS.MaxFileSize) + writeStatus(ctx, 413) + return + } + meta, err := models.NewLFSMetaObject(&models.LFSMetaObject{Oid: rv.Oid, Size: rv.Size, RepositoryID: repository.ID}) if err != nil { writeStatus(ctx, 404) diff --git a/modules/setting/setting.go b/modules/setting/setting.go index 714015c475..64051ce215 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -140,6 +140,7 @@ var ( JWTSecretBase64 string `ini:"LFS_JWT_SECRET"` JWTSecretBytes []byte `ini:"-"` HTTPAuthExpiry time.Duration `ini:"LFS_HTTP_AUTH_EXPIRY"` + MaxFileSize int64 `ini:"LFS_MAX_FILE_SIZE"` } // Security settings