Mirror of https://github.com/go-vikunja/vikunja.git (synced 2026-05-08 04:48:27 -05:00)
Authoritative size now comes from the reader instead of the caller's claim in CreateWithMimeAndSession. The migration import path accepts attacker-controlled metadata (GHSA-qh78-rvg3-cv54), so trusting realsize for the limit check allowed oversized uploads to be accepted and stored. measureReaderSize leaves the reader seeked to 0 so the measured value matches the bytes storage backends will actually write.
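
The size check described in the commit message above, as an added Go example that is not Vikunja's own code. It contrasts a limit check that trusts the caller's claimed size with one that measures the reader and rewinds it. The names `measureSize`, `storeTrustingClaim`, `storeMeasured` and `ErrTooLarge` are hypothetical, and the payload is constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

var ErrTooLarge = errors.New("file exceeds size limit")

// measureSize reports the reader's total length and leaves it seeked to 0,
// so the measured value equals the bytes a later copy will write.
func measureSize(r io.ReadSeeker) (int64, error) {
	size, err := r.Seek(0, io.SeekEnd)
	if err != nil {
		return 0, err
	}
	_, err = r.Seek(0, io.SeekStart)
	return size, err
}

// storeTrustingClaim is the weak form: the limit check uses the caller's claim.
func storeTrustingClaim(r io.ReadSeeker, claimed, limit int64, dst io.Writer) (int64, error) {
	if claimed > limit {
		return 0, ErrTooLarge
	}
	return io.Copy(dst, r)
}

// storeMeasured ignores the claim and checks the size taken from the reader.
func storeMeasured(r io.ReadSeeker, limit int64, dst io.Writer) (int64, error) {
	size, err := measureSize(r)
	if err != nil {
		return 0, err
	}
	if size > limit {
		return 0, ErrTooLarge
	}
	return io.Copy(dst, io.LimitReader(r, size))
}

func main() {
	payload := bytes.Repeat([]byte("A"), 4096) // constructed oversized upload
	var weak, strict bytes.Buffer
	n, err := storeTrustingClaim(bytes.NewReader(payload), 10, 1024, &weak)
	fmt.Println("claimed size trusted:", n, err)
	n, err = storeMeasured(bytes.NewReader(payload), 1024, &strict)
	fmt.Println("size measured:", n, err)
}
```
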