FIX: allow for subdirectorys for cdn assets

Sam 2014-07-10 17:29:38 +10:00
parent 6019e3f257
commit 27f85e5451
1 changed files with 7 additions and 2 deletions


@ -60,8 +60,13 @@ class StaticController < ApplicationController
skip_before_filter :verify_authenticity_token, only: [:cdn_asset] skip_before_filter :verify_authenticity_token, only: [:cdn_asset]
def cdn_asset def cdn_asset
path = params[:path].gsub(/[^a-zA-Z0-9_\-\.]/, "") path = File.expand_path(Rails.root + "public/assets/" + params[:path])
path = (Rails.root + "public/assets/" + path).to_s
# SECURITY what if path has /../
unless path.start_with?(Rails.root.to_s + "/public/assets")
raise Discourse::NotFound
end
expires_in 1.year, public: true expires_in 1.year, public: true
response.headers["Access-Control-Allow-Origin"] = params[:origin] response.headers["Access-Control-Allow-Origin"] = params[:origin]
begin begin