diff options
Diffstat (limited to 'app/uploaders')
-rw-r--r-- | app/uploaders/file_uploader.rb | 2 | ||||
-rw-r--r-- | app/uploaders/uploader_helper.rb | 9 |
2 files changed, 9 insertions, 2 deletions
diff --git a/app/uploaders/file_uploader.rb b/app/uploaders/file_uploader.rb index 47bef7cd1e4..23b7318827c 100644 --- a/app/uploaders/file_uploader.rb +++ b/app/uploaders/file_uploader.rb @@ -36,7 +36,7 @@ class FileUploader < GitlabUploader escaped_filename = filename.gsub("]", "\\]") markdown = "[#{escaped_filename}](#{self.secure_url})" - markdown.prepend("!") if image_or_video? + markdown.prepend("!") if image_or_video? || dangerous? { alt: filename, diff --git a/app/uploaders/uploader_helper.rb b/app/uploaders/uploader_helper.rb index fbaea2744a3..35fd1ed23f8 100644 --- a/app/uploaders/uploader_helper.rb +++ b/app/uploaders/uploader_helper.rb @@ -1,12 +1,15 @@ # Extra methods for uploader module UploaderHelper - IMAGE_EXT = %w[png jpg jpeg gif bmp tiff svg] + IMAGE_EXT = %w[png jpg jpeg gif bmp tiff] # We recommend using the .mp4 format over .mov. Videos in .mov format can # still be used but you really need to make sure they are served with the # proper MIME type video/mp4 and not video/quicktime or your videos won't play # on IE >= 9. # http://archive.sublimevideo.info/20150912/docs.sublimevideo.net/troubleshooting.html VIDEO_EXT = %w[mp4 m4v mov webm ogv] + # These extension types can contain dangerous code and should only be embedded inline with + # proper filtering. They should always be tagged as "Content-Disposition: attachment", not "inline". + DANGEROUS_EXT = %w[svg] def image? extension_match?(IMAGE_EXT) @@ -20,6 +23,10 @@ module UploaderHelper image? || video? end + def dangerous? + extension_match?(DANGEROUS_EXT) + end + def extension_match?(extensions) return false unless file |