Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/app/controllers/uploads_controller.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

274 lines
8.4 KiB
Ruby
Raw Normal View History

DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging
2019-05-02 18:17:27 -04:00
# frozen_string_literal: true
FIX: pull hotlinked images even when they have no extension
2017-06-13 07:27:05 -04:00
require "mini_mime"
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-10 18:16:57 -04:00
Initial release of Discourse
2013-02-05 14:16:51 -05:00
class UploadsController < ApplicationController
FIX: Change secure media to encompass attachments as well (#9271) If the “secure media” site setting is enabled then ALL files uploaded to Discourse (images, video, audio, pdf, txt, zip etc. etc.) will follow the secure media rules. The “prevent anons from downloading files” setting will no longer have any bearing on upload security. Basically, the feature will more appropriately be called “secure uploads” instead of “secure media”. This is being done because there are communities out there that would like all attachments and media to be secure based on category rules but still allow anonymous users to download attachments in public places, which is not possible in the current arrangement.
2020-03-25 17:16:02 -04:00
requires_login except: [:show, :show_short, :show_secure]
Refactor requires login logic, reduce duplicate code This also corrects the positioning in the chain of the check and removes misuse of prepend_before_action
2018-01-31 23:17:59 -05:00
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
skip_before_action :preload_json, :check_xhr, :redirect_to_login_if_required, only: [:show, :show_short, :show_secure]
FIX: Allow themes to upload and serve js files (#8188) If you set `config.public_file_server.enabled = false` when you try to get uploaded js file you will get an error: `Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.` The reason is that content type is `application/javascript` and in Rails 5 guard looked like that: https://github.com/rails/rails/blob/5-2-stable/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L278-L280 However, in Rails 6 `application` was added to regex: https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L282-L284 This pull request is related to https://meta.discourse.org/t/uploaded-js-file-for-theme-causes-a-rejection/129753/8
2019-10-14 00:40:33 -04:00
protect_from_forgery except: :show
add UploadsController specs
2013-04-02 19:17:17 -04:00
Mark upload show paths as is_asset_path (#8365) * this is to avoid excessive rate limiting, especially for secure media on media-heavy topics
2019-11-18 00:56:20 -05:00
before_action :is_asset_path, only: [:show, :show_short, :show_secure]
UX: Allow secure media URLs to be cached for a short period of time Signed S3 URLs are valid for 15 seconds, so we can safely allow the browser to cache them for 10 seconds. This should help with large numbers of requests when composing a post with many images.
2020-05-18 10:00:41 -04:00
SECURE_REDIRECT_GRACE_SECONDS = 5
Initial release of Discourse
2013-02-05 14:16:51 -05:00
def create
FIX: make uploads safe for block that can run later
2017-11-23 01:28:18 -05:00
# capture current user for block later on
me = current_user
replace the upload type whitelist with a sanitizer
2017-05-18 06:13:13 -04:00
# 50 characters ought to be enough for the upload type
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
type = params.require(:type).parameterize(separator: "_")[0..50]
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-19 19:39:58 -04:00
FIX: Always allow admins upload selectable avatars.
2018-12-05 07:35:59 -05:00
if type == "avatar" && !me.admin? && (SiteSetting.sso_overrides_avatar || !SiteSetting.allow_uploaded_avatars)
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-10 18:16:57 -04:00
return render json: failed_json, status: 422
FIX: enforce 'allow_uploaded_avatars' & 'sso_overrides_avatar' server-side
2015-11-12 04:26:45 -05:00
end
FIX: always try to convert PNG to JPG when pasting an image
2017-06-23 06:13:48 -04:00
url = params[:url]
file = params[:file] || params[:files]&.first
pasted = params[:pasted] == "true"
for_private_message = params[:for_private_message] == "true"
FEATURE: Upload Site Settings. (#6573)
2018-11-14 02:03:02 -05:00
for_site_setting = params[:for_site_setting] == "true"
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-26 20:43:18 -05:00
is_api = is_api?
retain_hours = params[:retain_hours].to_i
# note, atm hijack is processed in its own context and has not access to controller
# longer term we may change this
hijack do
FIX: catch all server-side error when uploading a file UX: always show a message to the user whenever an error happens on the server when uploading a file
2017-12-27 10:33:25 -05:00
begin
info = UploadsController.create_upload(
current_user: me,
file: file,
url: url,
type: type,
for_private_message: for_private_message,
FEATURE: Upload Site Settings. (#6573)
2018-11-14 02:03:02 -05:00
for_site_setting: for_site_setting,
FIX: catch all server-side error when uploading a file UX: always show a message to the user whenever an error happens on the server when uploading a file
2017-12-27 10:33:25 -05:00
pasted: pasted,
is_api: is_api,
retain_hours: retain_hours
)
rescue => e
render json: failed_json.merge(message: e.message&.split("\n")&.first), status: 422
else
render json: UploadsController.serialize_upload(info), status: Upload === info ? 200 : 422
end
FEATURE: api support for arbitrary unlinked assets admins can set retain periods for assets
2014-09-23 01:50:26 -04:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
fix image uploads on s3/imgur
2013-06-04 18:34:53 -04:00
FEATURE: image uploads now have short urls Shorten all image uploads to use short urls, this is the client side implementation.
2017-08-22 16:40:01 -04:00
def lookup_urls
params.permit(short_urls: [])
uploads = []
if (params[:short_urls] && params[:short_urls].length > 0)
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 21:00:25 -04:00
PrettyText::Helpers.lookup_upload_urls(params[:short_urls]).each do |short_url, paths|
uploads << {
short_url: short_url,
url: paths[:url],
short_path: paths[:short_path]
}
FEATURE: image uploads now have short urls Shorten all image uploads to use short urls, this is the client side implementation.
2017-08-22 16:40:01 -04:00
end
end
render json: uploads.to_json
end
proper content-disposition header when downloading attachments
2013-09-06 13:18:42 -04:00
def show
SECURITY: XSS in routes Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com> Co-authored-by: David Taylor <david@taylorhq.com>
2019-06-26 10:02:55 -04:00
# do not serve uploads requested via XHR to prevent XSS
DEV: Respond with error 400 to uploads requested via XHR follow-up to 13f38055
2019-06-27 05:13:44 -04:00
return xhr_not_allowed if request.xhr?
SECURITY: XSS in routes Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com> Co-authored-by: David Taylor <david@taylorhq.com>
2019-06-26 10:02:55 -04:00
BUGFIX: 500 error on some invalid uploads
2014-05-13 20:51:09 -04:00
return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])
BUGFIX: attachments bust under multisite
2014-03-24 19:37:31 -04:00
RailsMultisite::ConnectionManagement.with_connection(params[:site]) do |db|
FEATURE: new 'prevent anons from download files' site setting
2014-09-09 12:40:11 -04:00
return render_404 if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
proper content-disposition header when downloading attachments
2013-09-06 13:18:42 -04:00
fix the build
2015-05-20 09:32:31 -04:00
if upload = Upload.find_by(sha1: params[:sha]) || Upload.find_by(id: params[:id], url: request.env["PATH_INFO"])
FIX: return 404 only if upload url also not internal.
2019-05-14 16:36:54 -04:00
unless Discourse.store.internal?
local_store = FileStore::LocalStore.new
return render_404 unless local_store.has_been_uploaded?(upload.url)
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 21:00:25 -04:00
send_file_local_upload(upload)
else
render_404
end
end
end
FIX: Better error handling if a file cannot be sent If for some reason `Discourse.store.path_for` returns `nil`, the forum would throw an error rather than returning 404. Why would it be `nil`? One cause could be changing the type of file store and having the `url` field no longer be relative.
2019-01-29 16:47:25 -05:00
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 21:00:25 -04:00
def show_short
SECURITY: XSS in routes Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com> Co-authored-by: David Taylor <david@taylorhq.com>
2019-06-26 10:02:55 -04:00
# do not serve uploads requested via XHR to prevent XSS
DEV: Respond with error 400 to uploads requested via XHR follow-up to 13f38055
2019-06-27 05:13:44 -04:00
return xhr_not_allowed if request.xhr?
SECURITY: XSS in routes Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com> Co-authored-by: David Taylor <david@taylorhq.com>
2019-06-26 10:02:55 -04:00
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 21:00:25 -04:00
if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
return render_404
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD. (#7603)
2019-05-28 11:18:21 -04:00
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 21:00:25 -04:00
sha1 = Upload.sha1_from_base62_encoded(params[:base62])
if upload = Upload.find_by(sha1: sha1)
FIX: Ensure show_short URLs handle secure uploads using multisite (#9212) Meta report: https://meta.discourse.org/t/short-url-secure-uploads-s3/144224 * if the show_short route is hit for an upload that is secure, we redirect to the secure presigned URL. however this was not taking into account multisite so the db name was left off the path which broke the presigned URL * we now use the correct url_for method if we know the upload (like in the show_short case) which takes into account multisite
2020-03-15 21:54:14 -04:00
if upload.secure? && SiteSetting.secure_media?
return handle_secure_upload_request(upload)
end
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-15 22:50:27 -05:00
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 21:00:25 -04:00
if Discourse.store.internal?
send_file_local_upload(upload)
FEATURE: support email attachments
2014-04-14 16:55:57 -04:00
else
FIX: Respect force download when downloading secure media via lightbox (#10769) The download link on the lightbox for images was not downloading the image if the upload was marked secure, because the code in the upload controller route was not respecting the dl=1 param for force download. This PR fixes this so the download link works for secure images as well as regular ligthboxed images.
2020-09-28 22:12:03 -04:00
redirect_to Discourse.store.url_for(upload, force_download: force_download?)
FEATURE: support email attachments
2014-04-14 16:55:57 -04:00
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 21:00:25 -04:00
else
render_404
BUGFIX: attachments bust under multisite
2014-03-24 19:37:31 -04:00
end
proper content-disposition header when downloading attachments
2013-09-06 13:18:42 -04:00
end
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
def show_secure
# do not serve uploads requested via XHR to prevent XSS
return xhr_not_allowed if request.xhr?
FEATURE: Add rake task to disable secure media (#8669) * Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed. * Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs
2020-01-06 21:27:24 -05:00
return render_404 if !Discourse.store.external?
path_with_ext = "#{params[:path]}.#{params[:extension]}"
sha1 = File.basename(path_with_ext, File.extname(path_with_ext))
# this takes care of optimized image requests
sha1 = sha1.partition("_").first if sha1.include?("_")
upload = Upload.find_by(sha1: sha1)
return render_404 if upload.blank?
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
FIX: Change secure media to encompass attachments as well (#9271) If the “secure media” site setting is enabled then ALL files uploaded to Discourse (images, video, audio, pdf, txt, zip etc. etc.) will follow the secure media rules. The “prevent anons from downloading files” setting will no longer have any bearing on upload security. Basically, the feature will more appropriately be called “secure uploads” instead of “secure media”. This is being done because there are communities out there that would like all attachments and media to be secure based on category rules but still allow anonymous users to download attachments in public places, which is not possible in the current arrangement.
2020-03-25 17:16:02 -04:00
return render_404 if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-15 22:50:27 -05:00
return handle_secure_upload_request(upload, path_with_ext) if SiteSetting.secure_media?
FEATURE: Add rake task to disable secure media (#8669) * Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed. * Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs
2020-01-06 21:27:24 -05:00
# we don't want to 404 here if secure media gets disabled
# because all posts with secure uploads will show broken media
# until rebaked, which could take some time
Still redirect to signed URL for secure uploads if SiteSetting.secure_media is disabled we still want to redirect to the signed url for uploads that are marked as secure because their ACLs are probably still private
2020-01-06 23:02:17 -05:00
#
# if the upload is still secure, that means the ACL is probably still
# private, so we don't want to go to the CDN url just yet otherwise we
# will get a 403. if the upload is not secure we assume the ACL is public
FIX: Ensure show_short URLs handle secure uploads using multisite (#9212) Meta report: https://meta.discourse.org/t/short-url-secure-uploads-s3/144224 * if the show_short route is hit for an upload that is secure, we redirect to the secure presigned URL. however this was not taking into account multisite so the db name was left off the path which broke the presigned URL * we now use the correct url_for method if we know the upload (like in the show_short case) which takes into account multisite
2020-03-15 21:54:14 -04:00
signed_secure_url = Discourse.store.signed_url_for_path(path_with_ext)
Still redirect to signed URL for secure uploads if SiteSetting.secure_media is disabled we still want to redirect to the signed url for uploads that are marked as secure because their ACLs are probably still private
2020-01-06 23:02:17 -05:00
redirect_to upload.secure? ? signed_secure_url : Discourse.store.cdn_url(upload.url)
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
end
FIX: Ensure show_short URLs handle secure uploads using multisite (#9212) Meta report: https://meta.discourse.org/t/short-url-secure-uploads-s3/144224 * if the show_short route is hit for an upload that is secure, we redirect to the secure presigned URL. however this was not taking into account multisite so the db name was left off the path which broke the presigned URL * we now use the correct url_for method if we know the upload (like in the show_short case) which takes into account multisite
2020-03-15 21:54:14 -04:00
def handle_secure_upload_request(upload, path_with_ext = nil)
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-15 22:50:27 -05:00
if upload.access_control_post_id.present?
raise Discourse::InvalidAccess if !guardian.can_see?(upload.access_control_post)
FIX: Change secure media to encompass attachments as well (#9271) If the “secure media” site setting is enabled then ALL files uploaded to Discourse (images, video, audio, pdf, txt, zip etc. etc.) will follow the secure media rules. The “prevent anons from downloading files” setting will no longer have any bearing on upload security. Basically, the feature will more appropriately be called “secure uploads” instead of “secure media”. This is being done because there are communities out there that would like all attachments and media to be secure based on category rules but still allow anonymous users to download attachments in public places, which is not possible in the current arrangement.
2020-03-25 17:16:02 -04:00
else
return render_404 if current_user.nil?
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-15 22:50:27 -05:00
end
FIX: Increase time of DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes (#10160) * Change S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes, which controls presigned URL expiry and secure-media route cache time. * This is done because of the composer preview refreshing while typing causes a lot of requests sent to our server because of the short URL expiry. If this ends up being not enough we can always increase the time or explore other avenues (e.g. GitHub has a 7 day validity for secure URLs)
2020-07-02 23:42:36 -04:00
# defaults to public: false, so only cached by the client browser
UX: Allow secure media URLs to be cached for a short period of time Signed S3 URLs are valid for 15 seconds, so we can safely allow the browser to cache them for 10 seconds. This should help with large numbers of requests when composing a post with many images.
2020-05-18 10:00:41 -04:00
cache_seconds = S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS - SECURE_REDIRECT_GRACE_SECONDS
FIX: Increase time of DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes (#10160) * Change S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes, which controls presigned URL expiry and secure-media route cache time. * This is done because of the composer preview refreshing while typing causes a lot of requests sent to our server because of the short URL expiry. If this ends up being not enough we can always increase the time or explore other avenues (e.g. GitHub has a 7 day validity for secure URLs)
2020-07-02 23:42:36 -04:00
expires_in cache_seconds.seconds
UX: Allow secure media URLs to be cached for a short period of time Signed S3 URLs are valid for 15 seconds, so we can safely allow the browser to cache them for 10 seconds. This should help with large numbers of requests when composing a post with many images.
2020-05-18 10:00:41 -04:00
FIX: Ensure show_short URLs handle secure uploads using multisite (#9212) Meta report: https://meta.discourse.org/t/short-url-secure-uploads-s3/144224 * if the show_short route is hit for an upload that is secure, we redirect to the secure presigned URL. however this was not taking into account multisite so the db name was left off the path which broke the presigned URL * we now use the correct url_for method if we know the upload (like in the show_short case) which takes into account multisite
2020-03-15 21:54:14 -04:00
# url_for figures out the full URL, handling multisite DBs,
# and will return a presigned URL for the upload
if path_with_ext.blank?
FIX: Respect force download when downloading secure media via lightbox (#10769) The download link on the lightbox for images was not downloading the image if the upload was marked secure, because the code in the upload controller route was not respecting the dl=1 param for force download. This PR fixes this so the download link works for secure images as well as regular ligthboxed images.
2020-09-28 22:12:03 -04:00
return redirect_to Discourse.store.url_for(upload, force_download: force_download?)
FIX: Ensure show_short URLs handle secure uploads using multisite (#9212) Meta report: https://meta.discourse.org/t/short-url-secure-uploads-s3/144224 * if the show_short route is hit for an upload that is secure, we redirect to the secure presigned URL. however this was not taking into account multisite so the db name was left off the path which broke the presigned URL * we now use the correct url_for method if we know the upload (like in the show_short case) which takes into account multisite
2020-03-15 21:54:14 -04:00
end
FIX: Increase time of DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes (#10160) * Change S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes, which controls presigned URL expiry and secure-media route cache time. * This is done because of the composer preview refreshing while typing causes a lot of requests sent to our server because of the short URL expiry. If this ends up being not enough we can always increase the time or explore other avenues (e.g. GitHub has a 7 day validity for secure URLs)
2020-07-02 23:42:36 -04:00
redirect_to Discourse.store.signed_url_for_path(
FIX: Respect force download when downloading secure media via lightbox (#10769) The download link on the lightbox for images was not downloading the image if the upload was marked secure, because the code in the upload controller route was not respecting the dl=1 param for force download. This PR fixes this so the download link works for secure images as well as regular ligthboxed images.
2020-09-28 22:12:03 -04:00
path_with_ext,
expires_in: S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS,
force_download: force_download?
FIX: Increase time of DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes (#10160) * Change S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes, which controls presigned URL expiry and secure-media route cache time. * This is done because of the composer preview refreshing while typing causes a lot of requests sent to our server because of the short URL expiry. If this ends up being not enough we can always increase the time or explore other avenues (e.g. GitHub has a 7 day validity for secure URLs)
2020-07-02 23:42:36 -04:00
)
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-15 22:50:27 -05:00
end
UX: Lightbox support for image uploader. (#7034)
2019-02-20 21:13:37 -05:00
def metadata
params.require(:url)
upload = Upload.get_from_url(params[:url])
raise Discourse::NotFound unless upload
render json: {
original_filename: upload.original_filename,
width: upload.width,
height: upload.height,
human_filesize: upload.human_filesize
}
end
BUGFIX: 500 error on some invalid uploads
2014-05-13 20:51:09 -04:00
protected
FIX: Respect force download when downloading secure media via lightbox (#10769) The download link on the lightbox for images was not downloading the image if the upload was marked secure, because the code in the upload controller route was not respecting the dl=1 param for force download. This PR fixes this so the download link works for secure images as well as regular ligthboxed images.
2020-09-28 22:12:03 -04:00
def force_download?
params[:dl] == "1"
end
DEV: Respond with error 400 to uploads requested via XHR follow-up to 13f38055
2019-06-27 05:13:44 -04:00
def xhr_not_allowed
raise Discourse::InvalidParameters.new("XHR not allowed")
end
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-26 20:43:18 -05:00
def render_404
raise Discourse::NotFound
end
def self.serialize_upload(data)
FEATURE: image uploads now have short urls Shorten all image uploads to use short urls, this is the client side implementation.
2017-08-22 16:40:01 -04:00
# as_json.as_json is not a typo... as_json in AM serializer returns keys as symbols, we need them
# as strings here
serialized = UploadSerializer.new(data, root: nil).as_json.as_json if Upload === data
serialized ||= (data || {}).as_json
end
FEATURE: Upload Site Settings. (#6573)
2018-11-14 02:03:02 -05:00
def self.create_upload(current_user:,
file:,
url:,
type:,
for_private_message:,
for_site_setting:,
pasted:,
is_api:,
retain_hours:)
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-10 18:16:57 -04:00
if file.nil?
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-26 20:43:18 -05:00
if url.present? && is_api
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-10 18:16:57 -04:00
maximum_upload_size = [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes
Refactor `FileHelper` to use keyword arguments.
2017-05-24 13:42:52 -04:00
tempfile = FileHelper.download(
url,
FIX: ensure we can download maxmind without redis or db config This also corrects FileHelper.download so it supports "follow_redirect" correctly (it used to always follow 1 redirect) and adds a `validate_url` param that will bypass all uri validation if set to false (default is true)
2019-05-27 20:28:57 -04:00
follow_redirect: true,
Refactor `FileHelper` to use keyword arguments.
2017-05-24 13:42:52 -04:00
max_file_size: maximum_upload_size,
tmp_file_name: "discourse-upload-#{type}"
) rescue nil
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-10 18:16:57 -04:00
filename = File.basename(URI.parse(url).path)
FEATURE: automatically downsize large images
2015-08-12 12:33:13 -04:00
end
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-10 18:16:57 -04:00
else
tempfile = file.tempfile
filename = file.original_filename
end
FEATURE: automatically downsize large images
2015-08-12 12:33:13 -04:00
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-10 18:16:57 -04:00
return { errors: [I18n.t("upload.file_missing")] } if tempfile.nil?
FEATURE: allow API to upload files synchronously
2015-06-15 10:12:15 -04:00
FIX: always try to convert PNG to JPG when pasting an image
2017-06-23 06:13:48 -04:00
opts = {
type: type,
for_private_message: for_private_message,
FEATURE: Upload Site Settings. (#6573)
2018-11-14 02:03:02 -05:00
for_site_setting: for_site_setting,
FIX: always try to convert PNG to JPG when pasting an image
2017-06-23 06:13:48 -04:00
pasted: pasted,
}
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-12 16:41:29 -04:00
upload = UploadCreator.new(tempfile, filename, opts).create_for(current_user.id)
FEATURE: allow API to upload files synchronously
2015-06-15 10:12:15 -04:00
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-10 18:16:57 -04:00
if upload.errors.empty? && current_user.admin?
upload.update_columns(retain_hours: retain_hours) if retain_hours > 0
FEATURE: allow API to upload files synchronously
2015-06-15 10:12:15 -04:00
end
DEV: Add support for Rails 6 Minor fixes to add Rails 6 support to Discourse, we now will boot with RAILS_MASTER=1, all specs pass Only one tiny deprecation left Largest change was the way ActiveModel:Errors changed interface a bit but there is a simple backwards compat way of working it
2019-04-30 02:58:18 -04:00
upload.errors.empty? ? upload : { errors: upload.errors.to_hash.values.flatten }
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-10 18:16:57 -04:00
ensure
Remove use of `rescue nil`. * `rescue nil` is a really bad pattern to use in our code base. We should rescue errors that we expect the code to throw and not rescue everything because we're unsure of what errors the code would throw. This would reduce the amount of pain we face when debugging why something isn't working as expexted. I've been bitten countless of times by errors being swallowed as a result during debugging sessions.
2018-03-28 04:20:08 -04:00
tempfile&.close!
fix and improve image downsizing algorithm
2016-06-20 06:35:07 -04:00
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 21:00:25 -04:00
private
def send_file_local_upload(upload)
opts = {
filename: upload.original_filename,
content_type: MiniMime.lookup_by_filename(upload.original_filename)&.content_type
}
SECURITY: Add content-disposition: attachment for SVG uploads * strip out the href and xlink:href attributes from use element that are _not_ anchors in svgs which can be used for XSS * adding the content-disposition: attachment ensures that uploaded SVGs cannot be opened and executed using the XSS exploit. svgs embedded using an img tag do not suffer from the same exploit
2020-07-08 23:31:48 -04:00
if !FileHelper.is_inline_image?(upload.original_filename)
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 21:00:25 -04:00
opts[:disposition] = "attachment"
SECURITY: Ensure only image uploads can be inlined This prevents malicious files (for example special crafted XMLs) to be used in XSS attacks.
2019-12-11 08:21:41 -05:00
elsif params[:inline]
opts[:disposition] = "inline"
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 21:00:25 -04:00
end
file_path = Discourse.store.path_for(upload)
return render_404 unless file_path
send_file(file_path, opts)
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end