author | Jan Provaznik <jprovaznik@gitlab.com> | 2018-07-31 22:28:48 +0200 |
---|---|---|
committer | Jan Provaznik <jprovaznik@gitlab.com> | 2018-08-21 17:39:46 +0200 |
commit | 4ca9f3b417e32c557c182f1ee45b3c3f694174db (patch) | |
tree | d603934a7f1e2479da2ea914aa50f3ab14b27030 /lib/gitlab/middleware | |
parent | d2590b154228ed49dd4a949c889fb6234343ec94 (diff) | |
download | gitlab-ce-4ca9f3b417e32c557c182f1ee45b3c3f694174db.tar.gz |
Add public/uploads/tmp to allowed upload paths
jprovazn-fix-form-uploads
When direct_upload is enabled and a form file is being uploaded,
then workhorse uses `public/uploads/tmp` path. If `uploads.storage_path`
is set to a different directory, then upload fails because
`public/uploads/tmp` is not in allowed paths.
Diffstat (limited to 'lib/gitlab/middleware')
-rw-r--r-- | lib/gitlab/middleware/multipart.rb | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/lib/gitlab/middleware/multipart.rb b/lib/gitlab/middleware/multipart.rb index 18f91db98fc..3d588918adf 100644 --- a/lib/gitlab/middleware/multipart.rb +++ b/lib/gitlab/middleware/multipart.rb @@ -82,9 +82,13 @@ module Gitlab end def open_file(params, key) - ::UploadedFile.from_params( - params, key, - [FileUploader.root, Gitlab.config.uploads.storage_path]) + allowed_paths = [ + FileUploader.root, + Gitlab.config.uploads.storage_path, + File.join(Rails.root, 'public/uploads/tmp') + ] + + ::UploadedFile.from_params(params, key, allowed_paths) end end |
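Review bot: the third entry added to allowed_paths in open_file hard-codes 'public/uploads/tmp' as a string literal, so this allowlist will silently drift if the temporary directory workhorse writes to ever changes. Consider a named constant or a value derived from the same configuration workhorse reads, with a short comment saying why the path is allowed independently of Gitlab.config.uploads.storage_path. Since this list decides which on-disk paths a request may name as an uploaded file, the widening also deserves a spec: one case that accepts a file under public/uploads/tmp when storage_path points elsewhere, and one that still rejects a path outside all three entries. The diffstat shown here is limited to lib/gitlab/middleware, so no spec change is visible in this view. Minor style point: Rails.root.join('public/uploads/tmp') is the more usual form than File.join(Rails.root, ...), provided UploadedFile.from_params accepts a Pathname.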