author | Douwe Maan <douwe@gitlab.com> | 2015-02-20 13:13:48 +0100 |
committer | Douwe Maan <douwe@gitlab.com> | 2015-02-20 13:13:48 +0100 |
commit | 00ca490259de684f4240de4f61728b8eaefbb13e (patch) | |
tree | 1b27729d864898dc8c87473359ad642b7432ce3b | |
parent | 4310431ee73fdd6aa3874aaccc0a901252e7f61f (diff) | |
Use controllers to serve uploads, with XSS prevention and access control.
-rw-r--r-- | app/controllers/projects/uploads_controller.rb | 19 | ||||
-rw-r--r-- | app/controllers/uploads_controller.rb | 17 | ||||
-rw-r--r-- | config/routes.rb | 12 |
3 files changed, 48 insertions, 0 deletions
diff --git a/app/controllers/projects/uploads_controller.rb b/app/controllers/projects/uploads_controller.rb
new file mode 100644
index 00000000000..b922b56418a
--- /dev/null
+++ b/app/controllers/projects/uploads_controller.rb
@@ -0,0 +1,19 @@
+class Projects::UploadsController < Projects::ApplicationController
+  layout "project"
+
+  before_filter :project
+
+  def show
+    path = File.join(project.path_with_namespace, params[:secret])
+    uploader = FileUploader.new('uploads', path)
+
+    uploader.retrieve_from_store!(params[:filename])
+
+    if uploader.file.exists?
+      # Right now, these are always images, so we can safely render them inline.
+      send_file uploader.file.path, disposition: 'inline'
+    else
+      not_found!
+    end
+  end
+end
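Review bot: `params[:filename]` is handed to `uploader.retrieve_from_store!` without any check, while the matching route in config/routes.rb constrains it with `/.+/`, so it may contain path separators; CarrierWave appears to resolve the identifier relative to the store directory, in which case a name with traversal segments is served by `send_file` whenever the resolved file exists. A guard that only accepts a bare file name closes this, e.g. `return not_found! if params[:filename].include?('/') || params[:filename] == '..'`, placed before the `retrieve_from_store!` call. The `project` before_filter comes from Projects::ApplicationController, outside this diff, so whether it enforces read access on the project is not visible here; a one-line comment such as `# Read access to the project is checked by the inherited :project filter` would make the intended access control explicit. The comment on `send_file` should also say that inline disposition is safe only as long as FileUploader accepts images only, since that assumption is what keeps the inline rendering free of script content.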
\ No newline at end of file
diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
new file mode 100644
index 00000000000..d5877977258
--- /dev/null
+++ b/app/controllers/uploads_controller.rb
@@ -0,0 +1,17 @@
+class UploadsController < ApplicationController
+  def show
+    model = params[:model].camelize.constantize.find(params[:id])
+    uploader = model.send(params[:mounted_as])
+
+    if uploader.file_storage?
+      if !model.respond_to?(:project) || can?(current_user, :read_project, model.project)
+        disposition = uploader.image? ? 'inline' : 'attachment'
+        send_file uploader.file.path, disposition: disposition
+      else
+        not_found!
+      end
+    else
+      redirect_to uploader.url
+    end
+  end
+end
diff --git a/config/routes.rb b/config/routes.rb
index 65786d83566..0e7f7d893d4 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -69,7 +69,19 @@ Gitlab::Application.routes.draw do
     end
   end
 
+  #
+  # Uploads
+  #
+  scope path: :uploads do
+    # Note attachments and User/Group/Project avatars
+    get ":model/:mounted_as/:id/:filename", to: "uploads#show",
+      constraints: { model: /note|user|group|project/, mounted_as: /avatar|attachment/, filename: /.+/ }
+
+    # Project markdown uploads
+    get ":id/:secret/:filename", to: "projects/uploads#show",
+      constraints: { id: /[a-zA-Z.0-9_\-]+\/[a-zA-Z.0-9_\-]+/, filename: /.+/ }
+  end
 
   #
   # Explore area |
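Review bot: In `UploadsController#show` the file-storage branch calls `uploader.file.path` without checking that a file is mounted, so a record that has no avatar or attachment (a user who never uploaded one, for instance) raises NoMethodError on nil instead of returning 404; `return not_found! unless uploader.file && uploader.file.exists?` at the top of that branch covers it. The model and mount are resolved with `params[:model].camelize.constantize` and `model.send(params[:mounted_as])`, which is safe only because of the regex constraints in config/routes.rb; the controller itself would accept any class name and any method, including private ones, if that coupling is ever loosened. An explicit lookup table in the controller keeps the allow-list next to the code that depends on it, and `public_send` refuses private methods; the rewrite below shows that shape. The `can?` check only applies to models responding to `:project`, which is presumably intentional for user and group avatars — a comment on that line saying so would help the next reader.
```ruby
class UploadsController < ApplicationController
  # Allow-listed models and mounts; mirrors the route constraints in config/routes.rb.
  MODELS = { 'note' => Note, 'user' => User, 'group' => Group, 'project' => Project }.freeze
  MOUNTS = %w[avatar attachment].freeze

  def show
    model_class = MODELS[params[:model]]
    return not_found! unless model_class && MOUNTS.include?(params[:mounted_as])

    model = model_class.find(params[:id])
    uploader = model.public_send(params[:mounted_as])

    if uploader.file_storage?
      # A record may have no file mounted; treat that as not found rather than raising.
      return not_found! unless uploader.file && uploader.file.exists?
      # … unchanged: can? check, disposition and send_file …
    else
      redirect_to uploader.url
    end
  end
end
```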