FIX: return 404 only if upload url also not internal.

2025-09-06 09:10:25 +08:00 · 2019-05-15 02:06:54 +05:30 · 2019-05-15 02:06:54 +05:30 · 42b10a646d
commit 42b10a646d
parent e0fe01925e
2 changed files with 23 additions and 7 deletions
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@ -2,6 +2,7 @@

 require "mini_mime"
 require_dependency 'upload_creator'
+require_dependency "file_store/local_store"

 class UploadsController < ApplicationController
  requires_login except: [:show]
@ -67,10 +68,14 @@ class UploadsController < ApplicationController
    return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])

    RailsMultisite::ConnectionManagement.with_connection(params[:site]) do |db|
-      return render_404 unless Discourse.store.internal?
      return render_404 if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?

      if upload = Upload.find_by(sha1: params[:sha]) || Upload.find_by(id: params[:id], url: request.env["PATH_INFO"])
+        unless Discourse.store.internal?
+          local_store = FileStore::LocalStore.new
+          return render_404 unless local_store.has_been_uploaded?(upload.url)
+        end
+
        opts = {
          filename: upload.original_filename,
          content_type: MiniMime.lookup_by_filename(upload.original_filename)&.content_type,