gitlab-foss
Commit 6b2ebea7
Authored Jul 09, 2018 by Jan Provaznik
Added test and used Array() instead of .wrap
Parent: e2ec97a9
Showing 2 changed files with 28 additions and 1 deletion
lib/uploaded_file.rb (+1 -1)
spec/lib/gitlab/middleware/multipart_spec.rb (+27 -0)
lib/uploaded_file.rb
...
...
@@ -37,7 +37,7 @@ class UploadedFile
file_path
=
File
.
realpath
(
params
[
"
#{
field
}
.path"
])
paths
=
Array
.
wrap
(
upload_paths
)
<<
Dir
.
tmpdir
paths
=
Array
(
upload_paths
)
<<
Dir
.
tmpdir
unless
self
.
allowed_path?
(
file_path
,
paths
.
compact
)
raise
InvalidPathError
,
"insecure path used '
#{
file_path
}
'"
end
...
...
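Review bot: On the rewritten `paths =` line, `Array(upload_paths) << Dir.tmpdir` appends to the caller's own object whenever `upload_paths` is already an Array, because `Array()` returns that same array rather than a copy. A caller that reuses its list would see `Dir.tmpdir` added to it on every call. Since this list is the allow-list checked by `allowed_path?`, build a fresh one instead, for example `paths = Array(upload_paths) + [Dir.tmpdir]`. Also note that `Array()` and `Array.wrap` differ for arguments that respond to `to_a` (a Hash becomes a list of pairs), so a short comment stating that `upload_paths` is expected to be nil, a String or an Array would help the next reader.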
spec/lib/gitlab/middleware/multipart_spec.rb
...
...
@@ -75,6 +75,33 @@ describe Gitlab::Middleware::Multipart do
it_behaves_like
'multipart upload files'
end
it
'allows symlinks for uploads dir'
do
Tempfile
.
open
(
'two-levels'
)
do
|
tempfile
|
symlinked_dir
=
'/some/dir/uploads'
symlinked_path
=
File
.
join
(
symlinked_dir
,
File
.
basename
(
tempfile
.
path
))
env
=
post_env
({
'file'
=>
symlinked_path
},
{
'file.name'
=>
original_filename
,
'file.path'
=>
symlinked_path
},
Gitlab
::
Workhorse
.
secret
,
'gitlab-workhorse'
)
allow
(
FileUploader
).
to
receive
(
:root
).
and_return
(
symlinked_dir
)
allow
(
UploadedFile
).
to
receive
(
:allowed_paths
).
and_return
([
symlinked_dir
,
Gitlab
.
config
.
uploads
.
storage_path
])
allow
(
File
).
to
receive
(
:realpath
).
and_call_original
allow
(
File
).
to
receive
(
:realpath
).
with
(
symlinked_dir
).
and_return
(
Dir
.
tmpdir
)
allow
(
File
).
to
receive
(
:realpath
).
with
(
symlinked_path
).
and_return
(
tempfile
.
path
)
allow
(
File
).
to
receive
(
:exist?
).
and_call_original
allow
(
File
).
to
receive
(
:exist?
).
with
(
symlinked_dir
).
and_return
(
true
)
# override Dir.tmpdir because this dir is in the list of allowed paths
# and it would match FileUploader.root path (which in this test is linked
# to /tmp too)
allow
(
Dir
).
to
receive
(
:tmpdir
).
and_return
(
File
.
join
(
Dir
.
tmpdir
,
'tmpsubdir'
))
expect
(
app
).
to
receive
(
:call
)
do
|
env
|
expect
(
Rack
::
Request
.
new
(
env
).
params
[
'file'
]).
to
be_a
(
::
UploadedFile
)
end
middleware
.
call
(
env
)
end
end
def
post_env
(
rewritten_fields
,
params
,
secret
,
issuer
)
token
=
JWT
.
encode
({
'iss'
=>
issuer
,
'rewritten_fields'
=>
rewritten_fields
},
secret
,
'HS256'
)
Rack
::
MockRequest
.
env_for
(
...
...
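Review bot: The new 'allows symlinks for uploads dir' example only covers the accept path, and it gets there by stubbing `File.realpath`, `File.exist?` and `Dir.tmpdir`, so it mostly verifies the stubs rather than real symlink resolution. Please add a companion example where `file.path` resolves outside both the uploads dir and the tmpdir and assert that the request is rejected (the lib hunk raises `InvalidPathError` for that case), since that is the behaviour this path check exists to guarantee. Creating a real symlink inside a `Dir.mktmpdir` with `File.symlink` would remove most of the `File` stubs. One more thing to confirm: the example stubs `:allowed_paths` on `UploadedFile`, while the lib hunk only shows `allowed_path?` being called with `upload_paths`; if `allowed_paths` is not what supplies `upload_paths`, that stub has no effect on the test.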