From 9736649244b6f60b014f386ff96200fd2fc7c046 Mon Sep 17 00:00:00 2001
From: Petr Sloup
Date: Wed, 9 Mar 2016 13:21:34 +0100
Subject: [PATCH] Stronger checking of request parameters and stability improvements
---
 src/serve_raster.js |  8 +++++++-
 src/serve_vector.js | 36 +++++++++++++++++-------------------
 2 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/src/serve_raster.js b/src/serve_raster.js
index 2a90aca..2138e51 100644
--- a/src/serve_raster.js
+++ b/src/serve_raster.js
@@ -185,11 +185,17 @@ module.exports = function(maps, options, prefix) {
       .replace('{format}', ':format([\\w\\.]+)');
   var respondImage = function(z, lon, lat, width, height, scale, format, res, next) {
+    if (Math.abs(lon) > 180 || Math.abs(lat) > 85.06) {
+      return res.status(400).send('Invalid center');
+    }
+    if (width <= 0 || height <= 0 || width > 2048 || height > 2048) {
+      return res.status(400).send('Invalid size');
+    }
     if (format == 'png' || format == 'webp') {
     } else if (format == 'jpg' || format == 'jpeg') {
       format = 'jpeg';
     } else {
-      return res.status(404).send('Invalid format');
+      return res.status(400).send('Invalid format');
     }
     var pool = map.renderers[scale];
diff --git a/src/serve_vector.js b/src/serve_vector.js
index 2b43d30..337b276 100644
--- a/src/serve_vector.js
+++ b/src/serve_vector.js
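Review bot: The new range checks in respondImage are bypassed by NaN, because every comparison with NaN is false: a lon, lat, width or height that failed numeric parsing passes both `Math.abs(lon) > 180` and `width <= 0 || ... || width > 2048` unless the route pattern (outside this hunk) already guarantees well-formed numbers. Adding an explicit finiteness test closes that gap, e.g. `if (!Number.isFinite(lon) || !Number.isFinite(lat) || Math.abs(lon) > 180 || Math.abs(lat) > 85.06) {` and likewise `if (!Number.isFinite(width) || !Number.isFinite(height) || width <= 0 || height <= 0 || width > 2048 || height > 2048) {`. The same pattern would benefit z and scale, which the new checks do not cover even though `map.renderers[scale]` is indexed right after them with no guard in view; if scale is not constrained by the route, pool will be undefined here. respondImage's body continues past the end of the hunk.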
@@ -41,38 +41,36 @@ module.exports = function(maps, options, prefix) {
       .replace('{x}', ':x(\\d+)')
       .replace('{y}', ':y(\\d+)');
-  var getTile = function(z, x, y, callback) {
+  app.get(tilePattern, function(req, res, next) {
+    var z = req.params.z | 0,
+        x = req.params.x | 0,
+        y = req.params.y | 0;
+    if (z < map.tileJSON.minzoom || 0 || x < 0 || y < 0 ||
+        z > map.tileJSON.maxzoom ||
+        x >= Math.pow(2, z) || y >= Math.pow(2, z)) {
+      return res.status(404).send('Out of bounds');
+    }
     source.getTile(z, x, y, function(err, data, headers) {
       if (err) {
-        callback(err);
+        if (/does not exist/.test(err.message)) {
+          return res.status(404).send(err.message);
+        } else {
+          return res.status(500).send(err.message);
+        }
       } else {
         var md5 = crypto.createHash('md5').update(data).digest('base64');
         headers['content-md5'] = md5;
         headers['content-type'] = 'application/x-protobuf';
         headers['content-encoding'] = 'gzip';
+        res.set(headers);
-        callback(null, data, headers);
-      }
-    });
-  };
-
-  app.get(tilePattern, function(req, res, next) {
-    var z = req.params.z | 0,
-        x = req.params.x | 0,
-        y = req.params.y | 0;
-    return getTile(z, x, y, function(err, data, headers) {
-      if (err) {
-        return next(err);
-      }
-      if (headers) {
-        res.set(headers);
-      }
         if (data == null) {
           return res.status(404).send('Not found');
         } else {
           return res.status(200).send(data);
         }
-    }, res, next);
+      }
+    });
   });
   app.get('/index.json', function(req, res, next) {
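Review bot: The `|| 0` in the new bounds check is a stray operand rather than a default: `z < map.tileJSON.minzoom || 0 || x < 0` parses as `(z < minzoom) || 0 || (x < 0)`, so when minzoom is undefined the comparison is simply false and no fallback applies; the intended form is `if (z < (map.tileJSON.minzoom || 0) || x < 0 || y < 0 ||`. Separately, the new error branch sends `err.message` to the client with a 500, which exposes backend detail (storage paths, driver messages) that the replaced `next(err)` kept inside the app's error handler; I would keep the message-based 404 mapping but return `return next(err);` for the remaining errors, or log err and send a fixed string. Matching on `/does not exist/` also ties the 404 decision to a message string that the tile source does not guarantee, so a comment such as `// depends on the wording of the source's missing-tile error` would flag it for the next maintainer. The `| 0` coercion of x and y silently wraps values above 2^32, which the route's `\d+` pattern does not prevent, though such a value then only maps onto an existing tile. The enclosing module.exports function starts before and ends after this hunk.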