diff options
author | DJ Mountney <david@twkie.net> | 2017-06-07 20:32:38 -0700 |
---|---|---|
committer | Bob Van Landuyt <bob@gitlab.com> | 2017-06-08 16:17:13 +0200 |
commit | 565ead610215d32fc6fe57a78f595fad51588e49 (patch) | |
tree | 040b6ab1e70def196f0d9b344ed91ca29dae9f88 /app/uploaders | |
parent | ba564a09d73dce3a6696dfeb55e78648ae23e627 (diff) | |
download | gitlab-ce-565ead610215d32fc6fe57a78f595fad51588e49.tar.gz |
Bring in security changes from the 9.2.5 release
Ran:
- git format-patch v9.2.2..v9.2.5 --stdout > patchfile.patch
- git checkout -b 9-2-5-security-patch origin/v9.2.2
- git apply patchfile.patch
- git commit
- [Got the sha ref for the commit]
- git checkout -b upstream-9-2-security master
- git cherry-pick <SHA of the patchfile commit>
- [Resolved conflicts]
- git cherry-pick --continue
Diffstat (limited to 'app/uploaders')
-rw-r--r-- | app/uploaders/file_uploader.rb | 7 | ||||
-rw-r--r-- | app/uploaders/gitlab_uploader.rb | 18 |
2 files changed, 21 insertions, 4 deletions
diff --git a/app/uploaders/file_uploader.rb b/app/uploaders/file_uploader.rb index 7e94218c23d..652277e3b78 100644 --- a/app/uploaders/file_uploader.rb +++ b/app/uploaders/file_uploader.rb @@ -13,6 +13,13 @@ class FileUploader < GitlabUploader ) end + # Not using `GitlabUploader.base_dir` because all project namespaces are in + # the `public/uploads` dir. + # + def self.base_dir + root_dir + end + # Returns the part of `store_dir` that can change based on the model's current # path # diff --git a/app/uploaders/gitlab_uploader.rb b/app/uploaders/gitlab_uploader.rb index 02afddb8c6a..489613030e6 100644 --- a/app/uploaders/gitlab_uploader.rb +++ b/app/uploaders/gitlab_uploader.rb @@ -3,16 +3,26 @@ class GitlabUploader < CarrierWave::Uploader::Base File.join(CarrierWave.root, upload_record.path) end - def self.base_dir + def self.root_dir 'uploads' end - delegate :base_dir, to: :class + # When object storage is used, keep the `root_dir` as `base_dir`. + # The files aren't really in folders there, they just have a name. + # The files that contain user input in their name, also contain a hash, so + # the names are still unique + # + # This method is overridden in the `FileUploader` + def self.base_dir + return root_dir unless file_storage? + end - def file_storage? - storage.is_a?(CarrierWave::Storage::File) + def self.file_storage? + self.storage.is_a?(CarrierWave::Storage::File) end + delegate :base_dir, :file_storage?, to: :class + def file_cache_storage? cache_storage.is_a?(CarrierWave::Storage::File) end |