FIX: Extension-less secure uploads (#29914)

Previously, the secure-upload redirection logic would fail for extension-less files. This commit updates it to work, and adds a spec for the behavior.

Extension-less file uploads are not allowed by default, so this is a very niche situation.
This commit is contained in:
David Taylor
2024-11-25 12:18:21 +00:00
committed by GitHub
parent dfa591aeae
commit bfe0eccdd9
2 changed files with 12 additions and 1 deletions

@ -160,7 +160,8 @@ class UploadsController < ApplicationController
# do not serve uploads requested via XHR to prevent XSS
return xhr_not_allowed if request.xhr?
path_with_ext = "#{params[:path]}.#{params[:extension]}"
path_with_ext =
params[:extension].nil? ? params[:path] : "#{params[:path]}.#{params[:extension]}"
upload = upload_from_path_and_extension(path_with_ext)
return render_404 if upload.blank?
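
Review bot: The `params[:extension].nil?` test in the new `path_with_ext` assignment only covers a parameter that is absent. If `params[:extension]` arrives as an empty string, the else branch still builds `"#{params[:path]}."` with a trailing dot and passes it to `upload_from_path_and_extension`, which is the same shape of input the old line produced for extension-less files. Consider `params[:extension].blank?` (or `params[:extension].presence`) so that nil and empty values are treated alike, matching the `upload.blank?` style used on the following line. A short comment above the assignment noting that extension-less uploads are only reachable when the site allows them would also help the next reader, since the commit message calls this a niche case.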