Add FileUploader.root to allowed upload paths

Currently we check if uploaded file is under `Gitlab.config.uploads.storage_path`, the problem is that uploads are placed in `uploads` subdirectory which is symlink. In allow_path? method we check real (expanded) paths, which causes that `Gitlab.config.uploads.storage_path` is expaned into symlink path and there is a mismatch with upload file path. By adding `Gitlab.config.uploads.storage_path/uploads` into allowed paths, this path is expaned during path check. `Gitlab.config.uploads.storage_path` is left there intentionally in case some uploader wouldn't use `uploads` subdir.
author: Jan Provaznik <jprovaznik@gitlab.com> 2018-07-07 20:30:16 +0300
committer: Jan Provaznik <jprovaznik@gitlab.com> 2018-07-08 11:43:57 +0300
commit: e2ec97a92e6393dd0adeed39c77ff2b4eba0aed9 (patch)
tree: 972840ffe1bb8787b27d2d5b837b64d606d1b5a7 /lib/gitlab/middleware
parent: 96eb6fd33b5dfc4910d8bd93e697d6b6eb70b991 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/gitlab/middleware/multipart.rb b/lib/gitlab/middleware/multipart.rb
index 9753be6d5c3..18f91db98fc 100644
--- a/lib/gitlab/middleware/multipart.rb
+++ b/lib/gitlab/middleware/multipart.rb
@@ -84,7 +84,7 @@ module Gitlab
         def open_file(params, key)
           ::UploadedFile.from_params(
             params, key,
-            Gitlab.config.uploads.storage_path)
+            [FileUploader.root, Gitlab.config.uploads.storage_path])
         end
       end
author	Jan Provaznik <jprovaznik@gitlab.com>	2018-07-07 20:30:16 +0300
committer	Jan Provaznik <jprovaznik@gitlab.com>	2018-07-08 11:43:57 +0300
commit	e2ec97a92e6393dd0adeed39c77ff2b4eba0aed9 (patch)
tree	972840ffe1bb8787b27d2d5b837b64d606d1b5a7 /lib/gitlab/middleware
parent	96eb6fd33b5dfc4910d8bd93e697d6b6eb70b991 (diff)