authorJan Provaznik <jprovaznik@gitlab.com>2018-07-31 22:28:48 +0200
committerJan Provaznik <jprovaznik@gitlab.com>2018-08-21 17:39:46 +0200
commit4ca9f3b417e32c557c182f1ee45b3c3f694174db (patch)
treed603934a7f1e2479da2ea914aa50f3ab14b27030
parentd2590b154228ed49dd4a949c889fb6234343ec94 (diff)
Add public/uploads/tmp to allowed upload pathsjprovazn-fix-form-uploads
When direct_upload is enabled and a form file is being uploaded, workhorse uses the `public/uploads/tmp` path. If `uploads.storage_path` is set to a different directory, the upload fails because `public/uploads/tmp` is not in the allowed paths.
-rw-r--r--changelogs/unreleased/jprovazn-fix-form-uploads.yml5
-rw-r--r--lib/gitlab/middleware/multipart.rb10
-rw-r--r--spec/lib/gitlab/middleware/multipart_spec.rb20
3 files changed, 32 insertions, 3 deletions
diff --git a/changelogs/unreleased/jprovazn-fix-form-uploads.yml b/changelogs/unreleased/jprovazn-fix-form-uploads.yml
new file mode 100644
index 00000000000..8bcee335e93
--- /dev/null
+++ b/changelogs/unreleased/jprovazn-fix-form-uploads.yml
@@ -0,0 +1,5 @@
+---
+title: Accept upload files in public/uplaods/tmp when using accelerated uploads.
+merge_request:
+author:
+type: fixed
diff --git a/lib/gitlab/middleware/multipart.rb b/lib/gitlab/middleware/multipart.rb
index 18f91db98fc..3d588918adf 100644
--- a/lib/gitlab/middleware/multipart.rb
+++ b/lib/gitlab/middleware/multipart.rb
@@ -82,9 +82,13 @@ module Gitlab
end
def open_file(params, key)
- ::UploadedFile.from_params(
- params, key,
- [FileUploader.root, Gitlab.config.uploads.storage_path])
+ allowed_paths = [
+ FileUploader.root,
+ Gitlab.config.uploads.storage_path,
+ File.join(Rails.root, 'public/uploads/tmp')
+ ]
+
+ ::UploadedFile.from_params(params, key, allowed_paths)
end
end
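Review bot: The new `File.join(Rails.root, 'public/uploads/tmp')` entry in `open_file` is added to `allowed_paths` unconditionally, although the commit message says workhorse only writes there when direct_upload is enabled. This list appears to be what bounds which local paths an upload parameter may name, so each entry should state why it is trusted; I would add a comment above the new entry such as `# Workhorse stores form uploads here when direct_upload is enabled; keep in sync with its temp dir`. How `UploadedFile.from_params` compares a path against the list is not visible in this hunk, so it is worth confirming that it resolves symlinks and matches on a directory boundary rather than a string prefix, since this directory sits under `public/`. The enclosing module starts outside the hunk.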
diff --git a/spec/lib/gitlab/middleware/multipart_spec.rb b/spec/lib/gitlab/middleware/multipart_spec.rb
index f788f8ee276..daf454665b0 100644
--- a/spec/lib/gitlab/middleware/multipart_spec.rb
+++ b/spec/lib/gitlab/middleware/multipart_spec.rb
@@ -75,6 +75,26 @@ describe Gitlab::Middleware::Multipart do
it_behaves_like 'multipart upload files'
end
+ it 'allows files in uploads/tmp directory' do
+ Dir.mktmpdir do |dir|
+ uploads_dir = File.join(dir, 'public/uploads/tmp')
+ FileUtils.mkdir_p(uploads_dir)
+
+ allow(Rails).to receive(:root).and_return(dir)
+ allow(Dir).to receive(:tmpdir).and_return(File.join(Dir.tmpdir, 'tmpsubdir'))
+
+ Tempfile.open('top-level', uploads_dir) do |tempfile|
+ env = post_env({ 'file' => tempfile.path }, { 'file.name' => original_filename, 'file.path' => tempfile.path }, Gitlab::Workhorse.secret, 'gitlab-workhorse')
+
+ expect(app).to receive(:call) do |env|
+ expect(Rack::Request.new(env).params['file']).to be_a(::UploadedFile)
+ end
+
+ middleware.call(env)
+ end
+ end
+ end
+
it 'allows symlinks for uploads dir' do
Tempfile.open('two-levels') do |tempfile|
symlinked_dir = '/some/dir/uploads'
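Review bot: The added example `'allows files in uploads/tmp directory'` only proves the accept path; there is no companion example showing that a file just outside the new directory (for instance one created directly under `public/uploads` in the same `Dir.mktmpdir`) is still rejected, which is the property the allow-list exists to protect. The `allow(Dir).to receive(:tmpdir)` stub also needs a comment, e.g. `# move tmpdir elsewhere so the file can only be accepted via public/uploads/tmp`; that reading is inferred from the stub, since `UploadedFile` is not shown here. The block parameter in `receive(:call) do |env|` shadows the outer `env`, so renaming it would make the assertion easier to read. The enclosing `describe` starts outside the hunk.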