The upload-by-URL path did not enforce NC ATTACHMENT FIELD SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured per-file size limit.

The attachments service now checks NC ATTACHMENT FIELD SIZE against both the HEAD response's content-length and the decoded length of a data: URI body before fetching. The local storage plugin additionally sets maxContentLength on the axios download so a malicious server cannot stream past the limit.

Authenticated users with upload permission could attach files larger than the operator-configured limit, defeating storage and bandwidth caps.

This issue was reported by @bugbunny-research.