From 565ead610215d32fc6fe57a78f595fad51588e49 Mon Sep 17 00:00:00 2001 From: DJ Mountney Date: Wed, 7 Jun 2017 20:32:38 -0700 Subject: Bring in security changes from the 9.2.5 release Ran: - git format-patch v9.2.2..v9.2.5 --stdout > patchfile.patch - git checkout -b 9-2-5-security-patch origin/v9.2.2 - git apply patchfile.patch - git commit - [Got the sha ref for the commit] - git checkout -b upstream-9-2-security master - git cherry-pick - [Resolved conflicts] - git cherry-pick --continue --- app/uploaders/file_uploader.rb | 7 +++++++ app/uploaders/gitlab_uploader.rb | 18 ++++++++++++++---- 2 files changed, 21 insertions(+), 4 deletions(-) (limited to 'app/uploaders') diff --git a/app/uploaders/file_uploader.rb b/app/uploaders/file_uploader.rb index 7e94218c23d..652277e3b78 100644 --- a/app/uploaders/file_uploader.rb +++ b/app/uploaders/file_uploader.rb @@ -13,6 +13,13 @@ class FileUploader < GitlabUploader ) end + # Not using `GitlabUploader.base_dir` because all project namespaces are in + # the `public/uploads` dir. + # + def self.base_dir + root_dir + end + # Returns the part of `store_dir` that can change based on the model's current # path # diff --git a/app/uploaders/gitlab_uploader.rb b/app/uploaders/gitlab_uploader.rb index 02afddb8c6a..489613030e6 100644 --- a/app/uploaders/gitlab_uploader.rb +++ b/app/uploaders/gitlab_uploader.rb @@ -3,16 +3,26 @@ class GitlabUploader < CarrierWave::Uploader::Base File.join(CarrierWave.root, upload_record.path) end - def self.base_dir + def self.root_dir 'uploads' end - delegate :base_dir, to: :class + # When object storage is used, keep the `root_dir` as `base_dir`. + # The files aren't really in folders there, they just have a name. + # The files that contain user input in their name, also contain a hash, so + # the names are still unique + # + # This method is overridden in the `FileUploader` + def self.base_dir + return root_dir unless file_storage? + end - def file_storage? - storage.is_a?(CarrierWave::Storage::File) + def self.file_storage? + self.storage.is_a?(CarrierWave::Storage::File) end + delegate :base_dir, :file_storage?, to: :class + def file_cache_storage? cache_storage.is_a?(CarrierWave::Storage::File) end -- cgit v1.2.1