diff options
| author | Jan Provaznik <jprovaznik@gitlab.com> | 2018-07-07 19:30:16 +0200 |
|---|---|---|
| committer | Jan Provaznik <jprovaznik@gitlab.com> | 2018-07-08 10:43:57 +0200 |
| commit | e2ec97a92e6393dd0adeed39c77ff2b4eba0aed9 (patch) | |
| tree | 972840ffe1bb8787b27d2d5b837b64d606d1b5a7 | |
| parent | 96eb6fd33b5dfc4910d8bd93e697d6b6eb70b991 (diff) | |
| download | gitlab-ce-e2ec97a92e6393dd0adeed39c77ff2b4eba0aed9.tar.gz | |
Add FileUploader.root to allowed upload paths
Currently we check if uploaded file is under
`Gitlab.config.uploads.storage_path`, the problem is that
uploads are placed in `uploads` subdirectory which is symlink.
In allow_path? method we check real (expanded) paths, which causes
that `Gitlab.config.uploads.storage_path` is expaned into symlink
path and there is a mismatch with upload file path.
By adding `Gitlab.config.uploads.storage_path/uploads` into allowed
paths, this path is expaned during path check.
`Gitlab.config.uploads.storage_path` is left there intentionally in case
some uploader wouldn't use `uploads` subdir.
| -rw-r--r-- | changelogs/unreleased/jprovazn-upload-symlink.yml | 5 | ||||
| -rw-r--r-- | lib/gitlab/middleware/multipart.rb | 2 | ||||
| -rw-r--r-- | lib/uploaded_file.rb | 5 |
3 files changed, 9 insertions, 3 deletions
diff --git a/changelogs/unreleased/jprovazn-upload-symlink.yml b/changelogs/unreleased/jprovazn-upload-symlink.yml new file mode 100644 index 00000000000..265791d332f --- /dev/null +++ b/changelogs/unreleased/jprovazn-upload-symlink.yml @@ -0,0 +1,5 @@ +--- +title: Add /uploads subdirectory to allowed upload paths. +merge_request: +author: +type: fixed diff --git a/lib/gitlab/middleware/multipart.rb b/lib/gitlab/middleware/multipart.rb index 9753be6d5c3..18f91db98fc 100644 --- a/lib/gitlab/middleware/multipart.rb +++ b/lib/gitlab/middleware/multipart.rb @@ -84,7 +84,7 @@ module Gitlab def open_file(params, key) ::UploadedFile.from_params( params, key, - Gitlab.config.uploads.storage_path) + [FileUploader.root, Gitlab.config.uploads.storage_path]) end end diff --git a/lib/uploaded_file.rb b/lib/uploaded_file.rb index 5dc85b2baea..0172461670b 100644 --- a/lib/uploaded_file.rb +++ b/lib/uploaded_file.rb @@ -28,7 +28,7 @@ class UploadedFile @tempfile = File.new(path, 'rb') end - def self.from_params(params, field, upload_path) + def self.from_params(params, field, upload_paths) unless params["#{field}.path"] raise InvalidPathError, "file is invalid" if params["#{field}.remote_id"] @@ -37,7 +37,8 @@ class UploadedFile file_path = File.realpath(params["#{field}.path"]) - unless self.allowed_path?(file_path, [upload_path, Dir.tmpdir].compact) + paths = Array.wrap(upload_paths) << Dir.tmpdir + unless self.allowed_path?(file_path, paths.compact) raise InvalidPathError, "insecure path used '#{file_path}'" end |