Merge branch 'jprovazn-fix-form-uploads' into 'master'

Add public/uploads/tmp to allowed upload paths Closes #49585 See merge request gitlab-org/gitlab-ce!20942
author: Kamil Trzciński <ayufan@ayufan.eu> 2018-08-23 06:53:50 +0000
committer: Kamil Trzciński <ayufan@ayufan.eu> 2018-08-23 06:53:50 +0000
commit: 1d71d5046be5ac07fadb52536e122cbd8bf55c77 (patch)
tree: eefd7b395787630027ed3757dfbbcf627d0e9c72 /lib
parent: d4faf530385742bb2aedd4077807793344e3e97b (diff)
parent: 4ca9f3b417e32c557c182f1ee45b3c3f694174db (diff)
download: gitlab-ce-1d71d5046be5ac07fadb52536e122cbd8bf55c77.tar.gz
1 files changed, 7 insertions, 3 deletions
diff --git a/lib/gitlab/middleware/multipart.rb b/lib/gitlab/middleware/multipart.rb
index 18f91db98fc..3d588918adf 100644
--- a/lib/gitlab/middleware/multipart.rb
+++ b/lib/gitlab/middleware/multipart.rb
@@ -82,9 +82,13 @@ module Gitlab
         end
 
         def open_file(params, key)
-          ::UploadedFile.from_params(
-            params, key,
-            [FileUploader.root, Gitlab.config.uploads.storage_path])
+          allowed_paths = [
+            FileUploader.root,
+            Gitlab.config.uploads.storage_path,
+            File.join(Rails.root, 'public/uploads/tmp')
+          ]
+
+          ::UploadedFile.from_params(params, key, allowed_paths)
         end
       end
author	Kamil Trzciński <ayufan@ayufan.eu>	2018-08-23 06:53:50 +0000
committer	Kamil Trzciński <ayufan@ayufan.eu>	2018-08-23 06:53:50 +0000
commit	1d71d5046be5ac07fadb52536e122cbd8bf55c77 (patch)
tree	eefd7b395787630027ed3757dfbbcf627d0e9c72 /lib
parent	d4faf530385742bb2aedd4077807793344e3e97b (diff)
parent	4ca9f3b417e32c557c182f1ee45b3c3f694174db (diff)
download	gitlab-ce-1d71d5046be5ac07fadb52536e122cbd8bf55c77.tar.gz