1. 23 Mar, 2020 3 commits
    • Release v8.28.0 · 3fbf8ef2
      Alessio Caiazza authored
    • Reject parameters that override upload fields · 7c324521
      Markus Koller authored
      When Workhorse intercepts file uploads, we store the files and send the
      information about the temporary file in new multipart form values called
      `file.path`, `file.size` etc.
      
      Since we're also copying all other multipart form values from the
      original client request, it was possible to override the values we
      set in Workhorse, causing Rails to e.g. load the uploaded file from
      an injected `file.path` parameter.
      
      To avoid this, we check if client parameters have the same name as any
      of our own added fields and reject the request.
    • Always set internally used upload fields · 75a39b0b
      Markus Koller authored
      The `path` and `remote_*` fields are not always set in Workhorse
      depending on the storage type, but still picked up in Rails.
      
      To avoid injecting any client params with the same name, we just set
      these fields to empty strings.
  2. 20 Mar, 2020 4 commits
  3. 19 Mar, 2020 1 commit
  4. 17 Mar, 2020 3 commits
  5. 16 Mar, 2020 3 commits
  6. 10 Mar, 2020 2 commits
  7. 03 Mar, 2020 2 commits
  8. 02 Mar, 2020 1 commit
  9. 28 Feb, 2020 2 commits
  10. 27 Feb, 2020 5 commits
  11. 26 Feb, 2020 1 commit
  12. 24 Feb, 2020 3 commits
  13. 22 Feb, 2020 1 commit
  14. 21 Feb, 2020 2 commits
  15. 20 Feb, 2020 2 commits
  16. 17 Feb, 2020 3 commits
  17. 14 Feb, 2020 1 commit
  18. 13 Feb, 2020 1 commit
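
The check described in commits 7c324521 and 75a39b0b above, as an added Go example that is not Workhorse's own code: a proxy copies client form values, adds its own `<field>.<suffix>` values for each upload, rejects any client value using one of those names, and always sets every internal field. `RewriteUpload`, `buildBody`, `ErrInjectedParam`, the suffix list and the stored path are assumptions for illustration, and the form is buffered with `ReadForm` rather than rewritten as a stream.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"mime/multipart"
)

var uploadSuffixes = []string{"path", "size", "remote_url", "remote_id"} // assumed list
var ErrInjectedParam = errors.New("client parameter overrides upload field")

// RewriteUpload returns the values a proxy would forward; the stored path is a constructed placeholder.
func RewriteUpload(body io.Reader, boundary string) (map[string]string, error) {
	form, err := multipart.NewReader(body, boundary).ReadForm(1 << 20)
	if err != nil {
		return nil, err
	}
	defer form.RemoveAll()
	out := map[string]string{}
	for name, vals := range form.Value {
		out[name] = vals[0] // copy client values (first value only, for brevity)
	}
	for name, files := range form.File {
		set := map[string]string{"path": "/tmp/constructed-upload", "size": fmt.Sprint(files[0].Size)}
		for _, s := range uploadSuffixes {
			key := name + "." + s
			if _, sent := form.Value[key]; sent {
				return nil, ErrInjectedParam // client supplied an internal field name
			}
			out[key] = set[s] // fields this storage type leaves unset become ""
		}
	}
	return out, nil
}

// buildBody assembles a constructed request: one file part plus one extra field.
func buildBody(name, value string) (io.Reader, string) {
	buf := &bytes.Buffer{}
	w := multipart.NewWriter(buf)
	fw, _ := w.CreateFormFile("file", "a.txt")
	io.WriteString(fw, "hello")
	w.WriteField(name, value)
	w.Close()
	return buf, w.Boundary()
}

func main() { fmt.Println(RewriteUpload(buildBody("file.path", "/constructed/injected"))) }
```

Because the whole form is parsed before the check, the rejection does not depend on whether the colliding field arrives before or after the file part.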