Fix base64-encoded file uploads not being possible (#12748)

Fix #3804, Fix #5776
2020-01-04 01:54:07 +01:00 · 2020-01-04 01:54:07 +01:00 · 49b2f7c0a2
commit 49b2f7c0a2
parent 500276c99b
14 changed files with 80 additions and 62 deletions
--- a/app/controllers/admin/custom_emojis_controller.rb
+++ b/app/controllers/admin/custom_emojis_controller.rb
@ -2,10 +2,6 @@

 module Admin
  class CustomEmojisController < BaseController
-    include ObfuscateFilename
-
-    obfuscate_filename [:custom_emoji, :image]
-
    def index
      authorize :custom_emoji, :index?

--- a/app/controllers/api/v1/media_controller.rb
+++ b/app/controllers/api/v1/media_controller.rb
@ -4,9 +4,6 @@ class Api::V1::MediaController < Api::BaseController
  before_action -> { doorkeeper_authorize! :write, :'write:media' }
  before_action :require_user!

-  include ObfuscateFilename
-  obfuscate_filename :file
-
  respond_to :json

  def create
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -24,6 +24,7 @@ class ApplicationController < ActionController::Base
  rescue_from ActionController::InvalidAuthenticityToken, with: :unprocessable_entity
  rescue_from ActionController::UnknownFormat, with: :not_acceptable
  rescue_from ActionController::ParameterMissing, with: :bad_request
+  rescue_from Paperclip::AdapterRegistry::NoHandlerError, with: :bad_request
  rescue_from ActiveRecord::RecordNotFound, with: :not_found
  rescue_from Mastodon::NotPermittedError, with: :forbidden
  rescue_from HTTP::Error, OpenSSL::SSL::SSLError, with: :internal_server_error
--- a/app/controllers/concerns/obfuscate_filename.rb
+++ b/app/controllers/concerns/obfuscate_filename.rb
@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-module ObfuscateFilename
-  extend ActiveSupport::Concern
-
-  class_methods do
-    def obfuscate_filename(path)
-      before_action do
-        file = params.dig(*path)
-        next if file.nil?
-
-        file.original_filename = SecureRandom.hex(8) + File.extname(file.original_filename)
-      end
-    end
-  end
-end
--- a/app/controllers/settings/profiles_controller.rb
+++ b/app/controllers/settings/profiles_controller.rb
@ -1,16 +1,11 @@
 # frozen_string_literal: true

 class Settings::ProfilesController < Settings::BaseController
-  include ObfuscateFilename
-
  layout 'admin'

  before_action :authenticate_user!
  before_action :set_account

-  obfuscate_filename [:account, :avatar]
-  obfuscate_filename [:account, :header]
-
  def show
    @account.build_fields
  end
--- a/app/models/concerns/attachmentable.rb
+++ b/app/models/concerns/attachmentable.rb
@ -9,6 +9,7 @@ module Attachmentable
  GIF_MATRIX_LIMIT = 921_600    # 1280x720px

  included do
+    before_post_process :obfuscate_file_name
    before_post_process :set_file_extensions
    before_post_process :check_image_dimensions
    before_post_process :set_file_content_type
@ -68,4 +69,14 @@ module Attachmentable
  rescue Terrapin::CommandLineError
    ''
  end
+
+  def obfuscate_file_name
+    self.class.attachment_definitions.each_key do |attachment_name|
+      attachment = send(attachment_name)
+
+      next if attachment.blank?
+
+      attachment.instance_write :file_name, SecureRandom.hex(8) + File.extname(attachment.instance_read(:file_name))
+    end
+  end
 end
--- a/app/models/media_attachment.rb
+++ b/app/models/media_attachment.rb
@ -202,9 +202,12 @@ class MediaAttachment < ApplicationRecord
  end

  after_commit :reset_parent_cache, on: :update
+
  before_create :prepare_description, unless: :local?
  before_create :set_shortcode
+
  before_post_process :set_type_and_extension
+
  before_save :set_meta

  class << self