author | Douwe Maan <douwe@gitlab.com> | 2015-02-20 13:13:48 +0100 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2015-02-20 13:13:48 +0100 |
commit | 00ca490259de684f4240de4f61728b8eaefbb13e (patch) | |
tree | 1b27729d864898dc8c87473359ad642b7432ce3b /config | |
parent | 4310431ee73fdd6aa3874aaccc0a901252e7f61f (diff) | |
download | gitlab-ce-00ca490259de684f4240de4f61728b8eaefbb13e.tar.gz |
Use controllers to serve uploads, with XSS prevention and access control.
Diffstat (limited to 'config')
-rw-r--r-- | config/routes.rb | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/config/routes.rb b/config/routes.rb
index 65786d83566..0e7f7d893d4 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -69,7 +69,19 @@ Gitlab::Application.routes.draw do
 end
 end
+ #
+ # Uploads
+ #
+ scope path: :uploads do
+ # Note attachments and User/Group/Project avatars
+ get ":model/:mounted_as/:id/:filename", to: "uploads#show",
+ constraints: { model: /note|user|group|project/, mounted_as: /avatar|attachment/, filename: /.+/ }
+
+ # Project markdown uploads
+ get ":id/:secret/:filename", to: "projects/uploads#show",
+ constraints: { id: /[a-zA-Z.0-9_\-]+\/[a-zA-Z.0-9_\-]+/, filename: /.+/ }
+ end
 #
 # Explore area |
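Review bot: The `filename: /.+/` constraint on both new `get` routes lets `:filename` match slashes as well as dots, so the parameter can span several path segments, including `..` components that a non-browser client sends unnormalized. The controllers are not part of this view (the diffstat is limited to `config`), so it cannot be confirmed here whether they resolve the file through the uploader record or build a path from `params[:filename]`. Tightening both constraints to `filename: /[^\/]+/` still allows dots while keeping the value to a single segment. Separately, the two patterns overlap: a project whose full path is for example `user/avatar` would seem to produce a markdown-upload URL that the first route claims before `projects/uploads#show` is tried. That is worth a comment above the first route, or a check that those namespace names are reserved elsewhere.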