limit the maximum size of upload pictures

conf/ezbookkeeping.ini

@@ -202,6 +202,9 @@ forget_password_require_email_verify = false
 # Set to true to allow users to upload transaction pictures
 enable_transaction_picture = true
 
+# Maximum allowed transaction picture file size (1 - 4294967295 bytes)
+max_transaction_picture_size = 10485760
+
 # Set to true to allow users to create scheduled transaction
 enable_scheduled_transaction = true
 
@@ -211,6 +214,9 @@ enable_scheduled_transaction = true
 # Leave blank if you want to disable user avatar
 avatar_provider = internal
 
+# For "internal" avatar provider only, maximum allowed user avatar file size (1 - 4294967295 bytes)
+max_user_avatar_size = 1048576
+
 [data]
 # Set to true to allow users to export their data
 enable_export = true

pkg/api/transaction_pictures.go

@@ -55,6 +55,11 @@ func (a *TransactionPicturesApi) TransactionPictureUploadHandler(c *core.WebCont
 		return nil, errs.ErrTransactionPictureIsEmpty
 	}
 
+	if pictureFiles[0].Size > int64(a.CurrentConfig().MaxTransactionPictureFileSize) {
+		log.Warnf(c, "[transaction_pictures.TransactionPictureUploadHandler] the upload file size \"%d\" exceeds the maximum size \"%d\" of transaction picture for user \"uid:%d\"", pictureFiles[0].Size, a.CurrentConfig().MaxTransactionPictureFileSize, uid)
+		return nil, errs.ErrExceedMaxTransactionPictureFileSize
+	}
+
 	fileExtension := utils.GetFileNameExtension(pictureFiles[0].Filename)
 
 	if utils.GetImageContentType(fileExtension) == "" {

pkg/api/users.go

@@ -544,6 +544,11 @@ func (a *UsersApi) UserUpdateAvatarHandler(c *core.WebContext) (any, *errs.Error
 		return nil, errs.ErrUserAvatarIsEmpty
 	}
 
+	if avatarFiles[0].Size > int64(a.CurrentConfig().MaxAvatarFileSize) {
+		log.Warnf(c, "[users.UserUpdateAvatarHandler] the upload file size \"%d\" exceeds the maximum size \"%d\" of user avatar for user \"uid:%d\"", avatarFiles[0].Size, a.CurrentConfig().MaxAvatarFileSize, uid)
+		return nil, errs.ErrExceedMaxUserAvatarFileSize
+	}
+
 	fileExtension := utils.GetFileNameExtension(avatarFiles[0].Filename)
 
 	if utils.GetImageContentType(fileExtension) == "" {

pkg/errs/transaction.go

@@ -29,4 +29,5 @@ var (
 	ErrCannotUseHiddenTransactionTag                       = NewNormalError(NormalSubcategoryTransaction, 22, http.StatusBadRequest, "cannot use hidden transaction tag")
 	ErrTransactionHasTooManyTags                           = NewNormalError(NormalSubcategoryTransaction, 23, http.StatusBadRequest, "transaction has too many tags")
 	ErrTransactionHasTooManyPictures                       = NewNormalError(NormalSubcategoryTransaction, 24, http.StatusBadRequest, "transaction has too many pictures")
+	ErrExceedMaxTransactionPictureFileSize                 = NewNormalError(NormalSubcategoryTransaction, 25, http.StatusBadRequest, "exceed the maximum size of transaction picture file")
 )

pkg/errs/user.go

@@ -36,4 +36,5 @@ var (
 	ErrUserAvatarNoExists                                  = NewNormalError(NormalSubcategoryUser, 27, http.StatusNotFound, "user avatar not exists")
 	ErrUserAvatarNotSet                                    = NewNormalError(NormalSubcategoryUser, 28, http.StatusNotFound, "user avatar not set")
 	ErrUserAvatarExtensionInvalid                          = NewNormalError(NormalSubcategoryUser, 29, http.StatusNotFound, "user avatar file extension invalid")
+	ErrExceedMaxUserAvatarFileSize                         = NewNormalError(NormalSubcategoryUser, 30, http.StatusBadRequest, "exceed the maximum size of user avatar file")
 )

pkg/settings/setting.go

@@ -135,6 +135,9 @@ const (
 	defaultEmailVerifyTokenExpiredTime   uint32 = 3600    // 60 minutes
 	defaultPasswordResetTokenExpiredTime uint32 = 3600    // 60 minutes
 
+	defaultTransactionPictureFileMaxSize uint32 = 10485760 // 10MB
+	defaultUserAvatarFileMaxSize         uint32 = 1048576  // 1MB
+
 	defaultExchangeRatesDataRequestTimeout uint32 = 10000 // 10 seconds
 )
 
@@ -273,8 +276,10 @@ type Config struct {
 	EnableUserForgetPassword         bool
 	ForgetPasswordRequireVerifyEmail bool
 	EnableTransactionPictures        bool
+	MaxTransactionPictureFileSize    uint32
 	EnableScheduledTransaction       bool
 	AvatarProvider                   core.UserAvatarProviderType
+	MaxAvatarFileSize                uint32
 
 	// Data
 	EnableDataExport bool
@@ -743,6 +748,7 @@ func loadUserConfiguration(config *Config, configFile *ini.File, sectionName str
 	config.EnableUserForgetPassword = getConfigItemBoolValue(configFile, sectionName, "enable_forget_password", false)
 	config.ForgetPasswordRequireVerifyEmail = getConfigItemBoolValue(configFile, sectionName, "forget_password_require_email_verify", false)
 	config.EnableTransactionPictures = getConfigItemBoolValue(configFile, sectionName, "enable_transaction_picture", false)
+	config.MaxTransactionPictureFileSize = getConfigItemUint32Value(configFile, sectionName, "max_transaction_picture_size", defaultTransactionPictureFileMaxSize)
 	config.EnableScheduledTransaction = getConfigItemBoolValue(configFile, sectionName, "enable_scheduled_transaction", false)
 
 	if getConfigItemStringValue(configFile, sectionName, "avatar_provider") == string(core.USER_AVATAR_PROVIDER_INTERNAL) {
@@ -755,6 +761,8 @@ func loadUserConfiguration(config *Config, configFile *ini.File, sectionName str
 		return errs.ErrInvalidAvatarProvider
 	}
 
+	config.MaxAvatarFileSize = getConfigItemUint32Value(configFile, sectionName, "max_user_avatar_size", defaultUserAvatarFileMaxSize)
+
 	return nil
 }
 

src/locales/en.json

@@ -1008,6 +1008,7 @@
         "user avatar not exists": "User avatar does not exist",
         "user avatar not set": "User avatar is not set",
         "user avatar file extension invalid": "User avatar file extension is invalid",
+        "exceed the maximum size of user avatar file": "The uploaded user avatar exceeds the maximum allowed file size",
         "unauthorized access": "Unauthorized access",
         "current token is invalid": "Current token is invalid",
         "current token is expired": "Current token is expired",
@@ -1067,6 +1068,7 @@
         "cannot use hidden transaction tag": "You cannot use hidden transaction tag",
         "transaction has too many tags": "There are too many tags in this transaction",
         "transaction has too many pictures": "There are too many pictures in this transaction",
+        "exceed the maximum size of transaction picture file": "The uploaded transaction picture exceeds the maximum allowed file size",
         "transaction category id is invalid": "Transaction category ID is invalid",
         "transaction category not found": "Transaction category is not found",
         "transaction category type is invalid": "Transaction category type is invalid",

src/locales/zh_Hans.json

@@ -1008,6 +1008,7 @@
         "user avatar not exists": "用户头像不存在",
         "user avatar not set": "用户没有设置头像",
         "user avatar file extension invalid": "用户头像文件扩展名无效",
+        "exceed the maximum size of user avatar file": "上传的用户头像超出了允许的最大文件大小",
         "unauthorized access": "未授权的登录",
         "current token is invalid": "当前认证令牌无效",
         "current token is expired": "当前认证令牌已过期",
@@ -1067,6 +1068,7 @@
         "cannot use hidden transaction tag": "您不能使用隐藏的交易标签",
         "transaction has too many tags": "交易中的标签过多",
         "transaction has too many pictures": "交易中的图片过多",
+        "exceed the maximum size of transaction picture file": "上传的交易图片超出了允许的最大文件大小",
         "transaction category id is invalid": "交易分类ID无效",
         "transaction category not found": "交易分类不存在",
         "transaction category type is invalid": "交易分类类型无效",