Nemcio/Redmine
1
0
Fork 0
mirror of https://github.com/redmine/redmine.git synced 2025-11-08 06:15:59 +01:00
Code Issues Packages Projects Releases Activity

Fixes attachments functionality for (custom) plugins broken since fix for CVE-2022-44030 by adding a dynamic routing constraint which can be modified by plugins (#39862).

Browse Source 
Patch by @jkraemer.

git-svn-id: https://svn.redmine.org/redmine/trunk@22551 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Marius Balteanu
2023-12-22 02:08:53 +00:00
parent cb10b529cb
commit c17b42509b
4 changed files with 34 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
config/routes.rb
View File

@@ -317,7 +317,9 @@ Rails.application.routes.draw do
get 'attachments/download/:id', :to => 'attachments#download', :id => /\d+/ get 'attachments/download/:id', :to => 'attachments#download', :id => /\d+/
get 'attachments/thumbnail/:id(/:size)', :to => 'attachments#thumbnail', :id => /\d+/, :size => /\d+/, :as => 'thumbnail' get 'attachments/thumbnail/:id(/:size)', :to => 'attachments#thumbnail', :id => /\d+/, :size => /\d+/, :as => 'thumbnail'
resources :attachments, :only => [:show, :update, :destroy] resources :attachments, :only => [:show, :update, :destroy]
constraints object_type: /(issues|versions|news|messages|wiki_pages|projects|documents|journals)/ do
# register plugin object types with ObjectTypeConstraint.register_object_type(PluginModel.name.underscore.pluralize')
constraints Redmine::Acts::Attachable::ObjectTypeConstraint do
get 'attachments/:object_type/:object_id/edit', :to => 'attachments#edit_all', :as => :object_attachments_edit get 'attachments/:object_type/:object_id/edit', :to => 'attachments#edit_all', :as => :object_attachments_edit
patch 'attachments/:object_type/:object_id', :to => 'attachments#update_all', :as => :object_attachments patch 'attachments/:object_type/:object_id', :to => 'attachments#update_all', :as => :object_attachments
get 'attachments/:object_type/:object_id/download', :to => 'attachments#download_all', :as => :object_attachments_download get 'attachments/:object_type/:object_id/download', :to => 'attachments#download_all', :as => :object_attachments_download

24
lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb
View File

@@ -20,6 +20,30 @@
module Redmine module Redmine
module Acts module Acts
module Attachable module Attachable
class ObjectTypeConstraint
cattr_accessor :object_types
self.object_types = Concurrent::Set.new(%w[
issues versions news messages wiki_pages projects documents journals
])
class << self
def matches?(request)
request.path_parameters[:object_type] =~ param_expression
end
def register_object_type(type)
object_types << type
@param_expression = nil
end
def param_expression
@param_expression ||= Regexp.new("^(#{object_types.join("|")})$")
end
end
end
def self.included(base) def self.included(base)
base.extend ClassMethods base.extend ClassMethods
end end

2
test/fixtures/plugins/redmine_test_plugin_foo/init.rb vendored
View File

@@ -5,6 +5,8 @@ Redmine::Plugin.register :redmine_test_plugin_foo do
version '0.0.1' version '0.0.1'
end end
Redmine::Acts::Attachable::ObjectTypeConstraint.register_object_type('plugin_articles')
Pathname(__dir__).glob("app/**/*.rb").sort.each do |path| Pathname(__dir__).glob("app/**/*.rb").sort.each do |path|
require path require path
end end

5
test/integration/routing/plugins_test.rb
View File

@@ -43,5 +43,10 @@ class RoutingPluginsTest < Redmine::RoutingTest
should_route 'GET /plugin_articles' => 'plugin_articles#index' should_route 'GET /plugin_articles' => 'plugin_articles#index'
should_route 'GET /bar_plugin_articles' => 'bar_plugin_articles#index' should_route 'GET /bar_plugin_articles' => 'bar_plugin_articles#index'
assert_equal("/bar_plugin_articles", plugin_articles_path) assert_equal("/bar_plugin_articles", plugin_articles_path)
should_route(
'GET /attachments/plugin_articles/12/edit' => 'attachments#edit_all',
object_id: '12',
object_type: 'plugin_articles'
)
end end
end end