Disallow protected upload paths for non-native files

Fixes CODEOCEAN-E0
Sebastian Serth
2022-10-06 00:11:27 +02:00
parent 61e3cfcac5
commit df384ebf0d


@ -23,7 +23,7 @@ module CodeOcean
@file = CodeOcean::File.find(params[:id]) @file = CodeOcean::File.find(params[:id])
authorize! authorize!
# The `@file.name_with_extension` is assembled based on the user-selected file type, not on the actual file name stored on disk. # The `@file.name_with_extension` is assembled based on the user-selected file type, not on the actual file name stored on disk.
raise Pundit::NotAuthorizedError if @embed_options[:disable_download] || @file.filepath != params[:filename] raise Pundit::NotAuthorizedError if @embed_options[:disable_download] || @file.filepath != params[:filename] || @file.native_file.blank?
real_location = Pathname(@file.native_file.current_path).realpath real_location = Pathname(@file.native_file.current_path).realpath
send_file(real_location, type: 'application/octet-stream', filename: @file.name_with_extension, disposition: 'attachment') send_file(real_location, type: 'application/octet-stream', filename: @file.name_with_extension, disposition: 'attachment')
@ -36,7 +36,7 @@ module CodeOcean
@file = authorize AuthenticatedUrlHelper.retrieve!(CodeOcean::File, request) @file = authorize AuthenticatedUrlHelper.retrieve!(CodeOcean::File, request)
# The `@file.name_with_extension` is assembled based on the user-selected file type, not on the actual file name stored on disk. # The `@file.name_with_extension` is assembled based on the user-selected file type, not on the actual file name stored on disk.
raise Pundit::NotAuthorizedError unless @file.filepath == params[:filename] raise Pundit::NotAuthorizedError unless @file.filepath == params[:filename] || @file.native_file.present?
real_location = Pathname(@file.native_file.current_path).realpath real_location = Pathname(@file.native_file.current_path).realpath
send_file(real_location, type: @file.native_file.content_type, filename: @file.name_with_extension) send_file(real_location, type: @file.native_file.content_type, filename: @file.name_with_extension)
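Review bot: The condition added in the second hunk is inverted: `raise Pundit::NotAuthorizedError unless @file.filepath == params[:filename] || @file.native_file.present?` only raises when both checks fail, so any file with a native_file is served regardless of whether `params[:filename]` matches `@file.filepath`, and a file without a native_file whose filepath does match slips through to `@file.native_file.current_path` on the next line, where the blank native_file is presumably dereferenced. The first hunk gets this right by raising when either the filepath mismatches or the native_file is blank; this hunk should require both conditions to hold, `raise Pundit::NotAuthorizedError unless @file.filepath == params[:filename] && @file.native_file.present?`. A request spec covering a filepath mismatch on a file that has a native_file would catch this, since the current form returns the file instead of 403. Both methods start before their hunks, so the `def` lines and any callers are not visible here.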