    Add FileUploader.root to allowed upload paths · e2ec97a9
    Jan Provaznik authored
    Currently we check if uploaded file is under
    `Gitlab.config.uploads.storage_path`, the problem is that
    uploads are placed in `uploads` subdirectory which is a symlink.
    
    In allow_path? method we check real (expanded) paths, which causes
    that `Gitlab.config.uploads.storage_path` is expanded into symlink
    path and there is a mismatch with upload file path.
    
    By adding `Gitlab.config.uploads.storage_path/uploads` into allowed
    paths, this path is expanded during path check.
    
    `Gitlab.config.uploads.storage_path` is left there intentionally in case
    some uploader wouldn't use `uploads` subdir.
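The mismatch described in the commit message can be reproduced with a small realpath-based allowlist check. This is an added example, not code from the commit or from GitLab: `allowed_upload?`, `demo` and the temporary directory layout are hypothetical stand-ins for `allow_path?` and `Gitlab.config.uploads.storage_path`.

```ruby
require 'tmpdir'
require 'fileutils'

# Hypothetical check: resolve symlinks on both sides, then require the file
# to sit strictly below one of the allowed directories.
def allowed_upload?(file_path, allowed_dirs)
  real_file = File.realpath(file_path)
  allowed_dirs.any? do |dir|
    next false unless File.exist?(dir)
    # The trailing separator keeps "/x/uploads-evil" from matching "/x/uploads".
    real_file.start_with?(File.realpath(dir) + File::SEPARATOR)
  end
end

# Builds a constructed layout in which storage_path/uploads is a symlink to a
# directory outside storage_path, then runs the check with both allowlists.
def demo
  Dir.mktmpdir do |tmp|
    storage_path = File.join(tmp, 'public')            # stand-in for storage_path
    real_uploads = File.join(tmp, 'shared', 'uploads') # symlink target
    FileUtils.mkdir_p([storage_path, real_uploads])
    File.symlink(real_uploads, File.join(storage_path, 'uploads'))

    upload = File.join(storage_path, 'uploads', 'avatar.png')
    File.write(upload, 'constructed sample')
    outside = File.join(tmp, 'secret.txt')
    File.write(outside, 'constructed sample')

    old_list = [storage_path]
    new_list = [storage_path, File.join(storage_path, 'uploads')]
    {
      # realpath(upload) is under shared/uploads, realpath(storage_path) is public
      before: allowed_upload?(upload, old_list),
      # realpath(storage_path/uploads) is shared/uploads, so the prefix matches
      after: allowed_upload?(upload, new_list),
      # a file outside both directories stays rejected with the wider list
      outside: allowed_upload?(outside, new_list)
    }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```
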
multipart.rb 3.58 KB