Commit 4ca9f3b4 authored by Jan Provaznik's avatar Jan Provaznik

Add public/uploads/tmp to allowed upload paths

When direct_upload is enabled and a for file is being uploaded,
then workhorse uses `public/uploads/tmp` path. If `uploads.storage_path`
i sset to a different directory, then upload fails because
`public/uploads/tmp` is not in allowed paths.
parent d2590b15
---
title: Accept upload files in public/uplaods/tmp when using accelerated uploads.
merge_request:
author:
type: fixed
......@@ -82,9 +82,13 @@ module Gitlab
end
def open_file(params, key)
::UploadedFile.from_params(
params, key,
[FileUploader.root, Gitlab.config.uploads.storage_path])
allowed_paths = [
FileUploader.root,
Gitlab.config.uploads.storage_path,
File.join(Rails.root, 'public/uploads/tmp')
]
::UploadedFile.from_params(params, key, allowed_paths)
end
end
......
......@@ -75,6 +75,26 @@ describe Gitlab::Middleware::Multipart do
it_behaves_like 'multipart upload files'
end
it 'allows files in uploads/tmp directory' do
Dir.mktmpdir do |dir|
uploads_dir = File.join(dir, 'public/uploads/tmp')
FileUtils.mkdir_p(uploads_dir)
allow(Rails).to receive(:root).and_return(dir)
allow(Dir).to receive(:tmpdir).and_return(File.join(Dir.tmpdir, 'tmpsubdir'))
Tempfile.open('top-level', uploads_dir) do |tempfile|
env = post_env({ 'file' => tempfile.path }, { 'file.name' => original_filename, 'file.path' => tempfile.path }, Gitlab::Workhorse.secret, 'gitlab-workhorse')
expect(app).to receive(:call) do |env|
expect(Rack::Request.new(env).params['file']).to be_a(::UploadedFile)
end
middleware.call(env)
end
end
end
it 'allows symlinks for uploads dir' do
Tempfile.open('two-levels') do |tempfile|
symlinked_dir = '/some/dir/uploads'
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment