From 16b0ca3a8e8c29ab3fb3e4995017e1df128e26c1 Mon Sep 17 00:00:00 2001 From: Dane Everitt Date: Sun, 4 Apr 2021 10:42:03 -0700 Subject: [PATCH] Use io#LimitReader to avoid panic when reading files with active writes; closes pterodactyl/panel#3131 --- router/router_server_files.go | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/router/router_server_files.go b/router/router_server_files.go index 8d4d1a5..097da2f 100644 --- a/router/router_server_files.go +++ b/router/router_server_files.go @@ -3,6 +3,7 @@ package router import ( "bufio" "context" + "io" "mime/multipart" "net/http" "net/url" @@ -43,8 +44,16 @@ func getServerFileContents(c *gin.Context) { c.Header("Content-Type", "application/octet-stream") } defer c.Writer.Flush() - _, err = bufio.NewReader(f).WriteTo(c.Writer) - if err != nil { + // If you don't do a limited reader here you will trigger a panic on write when + // a different server process writes content to the file after you've already + // determined the file size. This could lead to some weird content output but + // it would technically be accurate based on the content at the time of the request. + // + // "http: wrote more than the declared Content-Length" + // + // @see https://github.com/pterodactyl/panel/issues/3131 + r := io.LimitReader(f, st.Size()) + if _, err = bufio.NewReader(r).WriteTo(c.Writer); err != nil { // Pretty sure this will unleash chaos on the response, but its a risk we can // take since a panic will at least be recovered and this should be incredibly // rare?