Commit e2ec97a9 authored by Jan Provaznik's avatar Jan Provaznik

Add FileUploader.root to allowed upload paths

Currently we check if uploaded file is under
`Gitlab.config.uploads.storage_path`, the problem is that
uploads are placed in `uploads` subdirectory which is symlink.

In allow_path? method we check real (expanded) paths, which causes
that `Gitlab.config.uploads.storage_path` is expaned into symlink
path and there is a mismatch with upload file path.

By adding `Gitlab.config.uploads.storage_path/uploads` into allowed
paths, this path is expaned during path check.

`Gitlab.config.uploads.storage_path` is left there intentionally in case
some uploader wouldn't use `uploads` subdir.
parent 96eb6fd3
---
title: Add /uploads subdirectory to allowed upload paths.
merge_request:
author:
type: fixed
......@@ -84,7 +84,7 @@ module Gitlab
def open_file(params, key)
::UploadedFile.from_params(
params, key,
Gitlab.config.uploads.storage_path)
[FileUploader.root, Gitlab.config.uploads.storage_path])
end
end
......
......@@ -28,7 +28,7 @@ class UploadedFile
@tempfile = File.new(path, 'rb')
end
def self.from_params(params, field, upload_path)
def self.from_params(params, field, upload_paths)
unless params["#{field}.path"]
raise InvalidPathError, "file is invalid" if params["#{field}.remote_id"]
......@@ -37,7 +37,8 @@ class UploadedFile
file_path = File.realpath(params["#{field}.path"])
unless self.allowed_path?(file_path, [upload_path, Dir.tmpdir].compact)
paths = Array.wrap(upload_paths) << Dir.tmpdir
unless self.allowed_path?(file_path, paths.compact)
raise InvalidPathError, "insecure path used '#{file_path}'"
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment