mirror of
https://github.com/axllent/mailpit.git
synced 2026-06-28 06:56:06 +00:00
The fix for GHSA-fpxj-m5q8-fphw only capped POST /api/v1/send. Four sibling endpoints (SetReadStatus, DeleteMessages, SetMessageTags, ReleaseMessage) decoded json.NewDecoder(r.Body) with no size limit, allowing an unauthenticated attacker to drive unbounded memory growth via a large IDs array.

Apply a 5 MB cap in middleWareFunc so all current and future API handlers inherit it automatically. POST /api/v1/send is exempt via a bodyLimitKey context value set in sendAPIAuthMiddleware, preserving its existing config.MaxMessageSize (default 50 MB) limit.

Also fix TestAPIv1SendMaxMessageSize, which was broken by a Go 1.26 change: json.Decoder now wraps reader errors in *json.SyntaxError rather than returning *http.MaxBytesError directly, causing the errors.As check to miss it and return 400 instead of 413. Reading the body with io.ReadAll before decoding surfaces the raw error, restoring correct 413 behaviour on Go 1.25 and 1.26.
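The pattern the commit message describes, shown as a self-contained Go example written for this page (it is not Mailpit's code): a generic middleware caps every request body at 5 MB with http.MaxBytesReader, an outer middleware on the send route stores a larger limit under a context key so that route keeps its own cap, and the handler reads the body with io.ReadAll before decoding so the *http.MaxBytesError is seen unwrapped and mapped to 413. The names limitBody, withSendLimit, idsHandler, sendBodyLimit and the ctxKey type are this example's stand-ins for middleWareFunc, sendAPIAuthMiddleware, the four sibling handlers and config.MaxMessageSize; bodyLimitKey is reused from the message but its type and value are assumed. The oversized request body is constructed inline.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ctxKey is an unexported context key type; bodyLimitKey is this example's
// assumed stand-in for the context value named in the commit message.
type ctxKey string

const bodyLimitKey ctxKey = "bodyLimit"

const (
	defaultBodyLimit int64 = 5 << 20  // 5 MB cap inherited by every JSON API handler
	sendBodyLimit    int64 = 50 << 20 // assumed stand-in for config.MaxMessageSize (50 MB default)
)

// limitBody is the generic middleware: it caps the request body at the
// default unless an outer middleware already stored a different limit in
// the request context.
func limitBody(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		limit := defaultBodyLimit
		if v, ok := r.Context().Value(bodyLimitKey).(int64); ok {
			limit = v
		}
		r.Body = http.MaxBytesReader(w, r.Body, limit)
		next.ServeHTTP(w, r)
	})
}

// withSendLimit wraps only the send route, outside limitBody, and records the
// larger limit in the context before the generic cap is applied.
func withSendLimit(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx := context.WithValue(r.Context(), bodyLimitKey, sendBodyLimit)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// idsHandler decodes a {"IDs": [...]} body. Reading with io.ReadAll first
// returns the *http.MaxBytesError itself rather than a decoder-wrapped error,
// so errors.As reliably maps an oversized body to 413 regardless of how the
// JSON decoder wraps reader errors.
func idsHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var mbe *http.MaxBytesError
		if errors.As(err, &mbe) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "failed to read body", http.StatusBadRequest)
		return
	}
	var req struct{ IDs []string }
	if err := json.Unmarshal(body, &req); err != nil {
		http.Error(w, "invalid JSON", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// buildMux wires routes the way the fix describes: every handler passes
// through limitBody; only the send route is additionally wrapped by
// withSendLimit so it keeps its own, larger cap.
func buildMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/v1/messages", limitBody(http.HandlerFunc(idsHandler)))
	mux.Handle("/api/v1/send", withSendLimit(limitBody(http.HandlerFunc(idsHandler))))
	return mux
}

// statusFor POSTs body to path on an in-memory server and returns the
// HTTP status code the handler produced.
func statusFor(path, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	buildMux().ServeHTTP(rec, req)
	return rec.Code
}

// bigIDsBody builds a constructed, syntactically valid JSON body of roughly
// n bytes: the shape of the oversized IDs array the commit message describes.
func bigIDsBody(n int) string {
	return `{"IDs":["` + strings.Repeat("a", n) + `"]}`
}

func main() {
	println(statusFor("/api/v1/messages", `{"IDs":["abc"]}`)) // 200
	println(statusFor("/api/v1/messages", bigIDsBody(6<<20)))   // 413: over the 5 MB cap
	println(statusFor("/api/v1/send", bigIDsBody(6<<20)))       // 200: exempt, 50 MB cap applies
}
```

The ordering matters: withSendLimit must sit outside limitBody, because limitBody reads the context value when the request reaches it. If the exemption were set in an inner middleware, the 5 MB MaxBytesReader would already be wrapping the body.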