• Robert May's avatar
    Filter invalid secrets on file uploads · 96ec142d
    Robert May authored
    Validates secrets provided to FileUploader in order to prevent
    directory traversal attacks. We generate 32-byte hexadecimal secrets
    now and 10-byte hexadecimal secrets in the past, so these are the only
    two valid formats permitted.
    
    Also adds a test that proves the exploit works without the change, and
    a test that proves the change resolves the exploit.
    96ec142d
file_uploader.rb 5.32 KB