Improve validation of X-Gitlab-Lfs-Tmp header

author: Jacob Vosmaer <jacob@gitlab.com> 2016-08-10 17:40:20 +0200
committer: Jacob Vosmaer <jacob@gitlab.com> 2016-08-10 17:40:20 +0200
commit: 26b98bfff8c5bb7048bcbec46e028e30c46bccc5 (patch)
tree: 59efd9360829381150e96d5e7230b61e107777fc /app/controllers
parent: f817eecb22517ece0344977d00ecc7ddfff30594 (diff)
download: gitlab-ce-26b98bfff8c5bb7048bcbec46e028e30c46bccc5.tar.gz
1 files changed, 3 insertions, 7 deletions
diff --git a/app/controllers/projects/lfs_storage_controller.rb b/app/controllers/projects/lfs_storage_controller.rb
index a80fa525631..69066cb40e6 100644
--- a/app/controllers/projects/lfs_storage_controller.rb
+++ b/app/controllers/projects/lfs_storage_controller.rb
@@ -58,13 +58,9 @@ class Projects::LfsStorageController < Projects::GitHttpClientController
 
   def tmp_filename
     name = request.headers['X-Gitlab-Lfs-Tmp']
-    if name.present?
-      name.gsub!(/^.*(\\|\/)/, '')
-      name = name.match(/[0-9a-f]{73}/)
-      name[0] if name
-    else
-      nil
-    end
+    return if name.include?('/')
+    return unless oid.present? && name.start_with?(oid)
+    name
   end
 
   def store_file(oid, size, tmp_file)
author	Jacob Vosmaer <jacob@gitlab.com>	2016-08-10 17:40:20 +0200
committer	Jacob Vosmaer <jacob@gitlab.com>	2016-08-10 17:40:20 +0200
commit	26b98bfff8c5bb7048bcbec46e028e30c46bccc5 (patch)
tree	59efd9360829381150e96d5e7230b61e107777fc /app/controllers
parent	f817eecb22517ece0344977d00ecc7ddfff30594 (diff)
download	gitlab-ce-26b98bfff8c5bb7048bcbec46e028e30c46bccc5.tar.gz