From 6a3b1a526eb1a3ea49aca7914ed7ba8736c52059 Mon Sep 17 00:00:00 2001
From: Mark Felder <feld@FreeBSD.org>
Date: Thu, 15 Aug 2019 15:34:41 -0500
Subject: [PATCH 1/3] max_body_size -> max_body_length, as it should be

---
 lib/pleroma/reverse_proxy/reverse_proxy.ex | 4 ++--
 test/reverse_proxy_test.exs                | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/pleroma/reverse_proxy/reverse_proxy.ex b/lib/pleroma/reverse_proxy/reverse_proxy.ex
index 1f98f215c..7518e4c3c 100644
--- a/lib/pleroma/reverse_proxy/reverse_proxy.ex
+++ b/lib/pleroma/reverse_proxy/reverse_proxy.ex
@@ -109,7 +109,7 @@ defmodule Pleroma.ReverseProxy do
       end
 
     with {:ok, code, headers, client} <- request(method, url, req_headers, hackney_opts),
-         :ok <- header_length_constraint(headers, Keyword.get(opts, :max_body_length)) do
+         :ok <- header_length_constraint(headers, Keyword.get(opts, :max_body_length, @max_body_length)) do
       response(conn, client, url, code, headers, opts)
     else
       {:ok, code, headers} ->
@@ -200,7 +200,7 @@ defmodule Pleroma.ReverseProxy do
          {:ok, data} <- client().stream_body(client),
          {:ok, duration} <- increase_read_duration(duration),
          sent_so_far = sent_so_far + byte_size(data),
-         :ok <- body_size_constraint(sent_so_far, Keyword.get(opts, :max_body_size)),
+         :ok <- body_size_constraint(sent_so_far, Keyword.get(opts, :max_body_length, @max_body_length)),
          {:ok, conn} <- chunk(conn, data) do
       chunk_reply(conn, client, opts, sent_so_far, duration)
     else
diff --git a/test/reverse_proxy_test.exs b/test/reverse_proxy_test.exs
index f4b7d6add..3a83c4c48 100644
--- a/test/reverse_proxy_test.exs
+++ b/test/reverse_proxy_test.exs
@@ -108,11 +108,11 @@ defmodule Pleroma.ReverseProxyTest do
       end
     end
 
-    test "max_body_size returns error if streaming body more than that option", %{conn: conn} do
+    test "max_body_length returns error if streaming body more than that option", %{conn: conn} do
       stream_mock(3, true)
 
       assert capture_log(fn ->
-               ReverseProxy.call(conn, "/stream-bytes/50", max_body_size: 30)
+               ReverseProxy.call(conn, "/stream-bytes/50", max_body_length: 30)
              end) =~
                "[warn] Elixir.Pleroma.ReverseProxy request to /stream-bytes/50 failed while reading/chunking: :body_too_large"
     end

From ef82f868d9c435d6a9498aea0271e032d3c6c1a3 Mon Sep 17 00:00:00 2001
From: Mark Felder <feld@FreeBSD.org>
Date: Fri, 16 Aug 2019 10:00:18 -0500
Subject: [PATCH 2/3] Formatting

---
 lib/pleroma/reverse_proxy/reverse_proxy.ex | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/pleroma/reverse_proxy/reverse_proxy.ex b/lib/pleroma/reverse_proxy/reverse_proxy.ex
index 7518e4c3c..03efad30a 100644
--- a/lib/pleroma/reverse_proxy/reverse_proxy.ex
+++ b/lib/pleroma/reverse_proxy/reverse_proxy.ex
@@ -109,7 +109,11 @@ defmodule Pleroma.ReverseProxy do
       end
 
     with {:ok, code, headers, client} <- request(method, url, req_headers, hackney_opts),
-         :ok <- header_length_constraint(headers, Keyword.get(opts, :max_body_length, @max_body_length)) do
+         :ok <-
+           header_length_constraint(
+             headers,
+             Keyword.get(opts, :max_body_length, @max_body_length)
+           ) do
       response(conn, client, url, code, headers, opts)
     else
       {:ok, code, headers} ->
@@ -200,7 +204,11 @@ defmodule Pleroma.ReverseProxy do
          {:ok, data} <- client().stream_body(client),
          {:ok, duration} <- increase_read_duration(duration),
          sent_so_far = sent_so_far + byte_size(data),
-         :ok <- body_size_constraint(sent_so_far, Keyword.get(opts, :max_body_length, @max_body_length)),
+         :ok <-
+           body_size_constraint(
+             sent_so_far,
+             Keyword.get(opts, :max_body_length, @max_body_length)
+           ),
          {:ok, conn} <- chunk(conn, data) do
       chunk_reply(conn, client, opts, sent_so_far, duration)
     else

From cb222b72b39ae4dc887657d1eae03d0360cbd429 Mon Sep 17 00:00:00 2001
From: Mark Felder <feld@FreeBSD.org>
Date: Fri, 16 Aug 2019 10:28:07 -0500
Subject: [PATCH 3/3] Add changelog entry too

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 358287096..d47e98cd4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -42,6 +42,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Pleroma.Upload base_url was not automatically whitelisted by MediaProxy. Now your custom CDN or file hosting will be accessed directly as expected.
 - Report email not being sent to admins when the reporter is a remote user
 - MRF: ensure that subdomain_match calls are case-insensitive
+- Reverse Proxy limiting `max_body_length` was incorrectly defined and only checked `Content-Length` headers which may not be sufficient in some circumstances
 
 ### Added
 - **Breaking:** MRF describe API, which adds support for exposing configuration information about MRF policies to NodeInfo.