-rw-r--r--changelogs/unreleased/jprovazn-upload-symlink.yml5
-rw-r--r--lib/gitlab/middleware/multipart.rb2
-rw-r--r--lib/uploaded_file.rb5
3 files changed, 9 insertions, 3 deletions
diff --git a/changelogs/unreleased/jprovazn-upload-symlink.yml b/changelogs/unreleased/jprovazn-upload-symlink.yml
new file mode 100644
index 00000000000..265791d332f
--- /dev/null
+++ b/changelogs/unreleased/jprovazn-upload-symlink.yml
@@ -0,0 +1,5 @@
+---
+title: Add /uploads subdirectory to allowed upload paths.
+merge_request:
+author:
+type: fixed
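--- a/lib/gitlab/middleware/multipart.rb
+++ b/lib/gitlab/middleware/multipart.rb
@@ -84,7 +84,7 @@ module Gitlab
 def open_file(params, key)
 ::UploadedFile.from_params(
 params, key,
-Gitlab.config.uploads.storage_path)
+[FileUploader.root, Gitlab.config.uploads.storage_path])
 end
 end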
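Review bot: The fresh array literal on the new `from_params` call is the only thing keeping the callee from mutating shared state: in the `lib/uploaded_file.rb` hunk, `paths = Array.wrap(upload_paths) << Dir.tmpdir` appends in place when `upload_paths` is already an Array (`Array.wrap` returns the same object), so any caller that passes a constant or memoized list would get `Dir.tmpdir` added to it on every request. A non-mutating form in `from_params`, `paths = [*upload_paths, Dir.tmpdir]` (or `Array.wrap(upload_paths) + [Dir.tmpdir]`), removes that dependence on the caller. The second root on this line also deserves a why-comment, since accepting files under an additional directory widens the path check; something like `# uploads may live under either root, so both must pass allowed_path?` — presumably the /uploads subdirectory case the changelog names, which should be confirmed before wording it.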
diff --git a/lib/uploaded_file.rb b/lib/uploaded_file.rb
index 5dc85b2baea..0172461670b 100644
--- a/lib/uploaded_file.rb
+++ b/lib/uploaded_file.rb
@@ -28,7 +28,7 @@ class UploadedFile
@tempfile = File.new(path, 'rb')
end
- def self.from_params(params, field, upload_path)
+ def self.from_params(params, field, upload_paths)
unless params["#{field}.path"]
raise InvalidPathError, "file is invalid" if params["#{field}.remote_id"]
@@ -37,7 +37,8 @@ class UploadedFile
file_path = File.realpath(params["#{field}.path"])
- unless self.allowed_path?(file_path, [upload_path, Dir.tmpdir].compact)
+ paths = Array.wrap(upload_paths) << Dir.tmpdir
+ unless self.allowed_path?(file_path, paths.compact)
raise InvalidPathError, "insecure path used '#{file_path}'"
end