Diffstat (limited to 'lib/uploaded_file.rb')
-rw-r--r-- | lib/uploaded_file.rb | 29 |
1 files changed, 27 insertions, 2 deletions
diff --git a/lib/uploaded_file.rb b/lib/uploaded_file.rb
index 73029c934f4..cd5943b552e 100644
--- a/lib/uploaded_file.rb
+++ b/lib/uploaded_file.rb
@@ -42,6 +42,32 @@ class UploadedFile
 @remote_id = remote_id
 end
 
+ def self.from_params_without_field(params, upload_paths)
+ path = params['path']
+ remote_id = params['remote_id']
+ return if path.blank? && remote_id.blank?
+
+ # don't use file_path if remote_id is set
+ if remote_id.present?
+ file_path = nil
+ elsif path.present?
+ file_path = File.realpath(path)
+
+ unless self.allowed_path?(file_path, Array(upload_paths).compact)
+ raise InvalidPathError, "insecure path used '#{file_path}'"
+ end
+ end
+
+ UploadedFile.new(
+ file_path,
+ filename: params['name'],
+ content_type: params['type'] || 'application/octet-stream',
+ sha256: params['sha256'],
+ remote_id: remote_id,
+ size: params['size']
+ )
+ end
+
 def self.from_params(params, field, upload_paths, path_override = nil)
 path = path_override || params["#{field}.path"]
 remote_id = params["#{field}.remote_id"]
@@ -52,8 +78,7 @@ class UploadedFile
 elsif path.present?
 file_path = File.realpath(path)
 
- paths = Array(upload_paths) << Dir.tmpdir
- unless self.allowed_path?(file_path, paths.compact)
+ unless self.allowed_path?(file_path, Array(upload_paths).compact)
 raise InvalidPathError, "insecure path used '#{file_path}'"
 end
 end |
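Review bot: In `from_params_without_field` only `path` is checked against `upload_paths`; `params['name']`, `params['type']`, `params['sha256']` and `params['size']` go into `UploadedFile.new` unverified, so the method is only safe if the caller guarantees the hash was filled in by a trusted component rather than by the client, and nothing in the hunk states that. I would add a comment above the `def` such as `# params must be the server-side upload fields, never raw request input; only 'path' is validated here`. The allow-list is now `Array(upload_paths).compact`, which is empty when `upload_paths` is nil; `allowed_path?` is outside the diff, so confirm it returns false for an empty list, here and at the same call in `from_params` in the second hunk. `File.realpath` raises `Errno::ENOENT` for a missing path, which callers will see instead of `InvalidPathError`, and the method returns nil when both `path` and `remote_id` are blank, which the comment should also mention.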
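Review bot: Dropping `Dir.tmpdir` from the allow-list in `from_params` changes the meaning of `upload_paths` without saying so: it is now the complete list, and any caller that relied on the implicit temp-directory allowance will start getting `InvalidPathError`. A short comment above the check, e.g. `# upload_paths is the complete allow-list; Dir.tmpdir is not implicitly allowed`, would make that explicit. The diffstat is limited to this file, so if the commit does not already carry one, a spec asserting that a path under `Dir.tmpdir` is rejected unless it is listed would pin the tightened behaviour. The rest of `from_params` lies outside this hunk, so its callers are not visible here.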