Default content auto-whitelist doesn't work with FileDataStore

Open nashbridges opened this issue 7 years ago • 0 comments

Steps to reproduce:

  1. git clone https://github.com/ua-books/ua-books.git
  2. cd ua-books
  3. bin/rails s
  4. curl -I http://localhost:3000/media/W1siZmYiLCJwdWJsaWMvc3lzdGVtL2RyYWdvbmZseS9ub19pbWFnZS5wbmciXV0/no_image.png?sha=d353989ba3e2457f

Response is HTTP/1.1 200 OK

Now, remove the workaround and make sure the Book model is loaded in dev mode immediately:

diff --git a/config/initializers/dragonfly.rb b/config/initializers/dragonfly.rb
index b23890b..a8595ec 100644
--- a/config/initializers/dragonfly.rb
+++ b/config/initializers/dragonfly.rb
@@ -8,19 +8,6 @@ Dragonfly.app.configure do

   url_format "/media/:job/:name"

-  # WORKAROUND
-  #
-  # Dragonfly's `default` was designed to auto-whitelist assets to be fetched:
-  # https://github.com/markevans/dragonfly/blob/b8af810e647fc21e43ccc42b69beb6c9baa40abe/lib/dragonfly/model/attachment_class_methods.rb#L32-L34
-  # https://github.com/markevans/dragonfly/blob/b8af810e647fc21e43ccc42b69beb6c9baa40abe/lib/dragonfly/model/attachment_class_methods.rb#L67-L70
-  #
-  # However, during a check:
-  # https://github.com/markevans/dragonfly/blob/b8bd236f7af3f192df702cd93cb7f4fa9ec58906/lib/dragonfly/server.rb#L130-L134
-  # `step.path` contains absolute path, that makes the check to fail.
-  fetch_file_whitelist [
-    Rails.root.join("public/system/dragonfly/no_image.png").to_s,
-  ]
-
   datastore :file,
     root_path: Rails.root.join('public/system/dragonfly', Rails.env),
     server_root: Rails.root.join('public')
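Review bot: The removed `fetch_file_whitelist` block is the only place an absolute path for `no_image.png` is registered, and its own comment states that the server check compares against an absolute `step.path`. Without it, fetching depends entirely on the model-level `default` auto-whitelist, so either keep the explicit entry or make the comparison normalize both sides before removing it. The two groups of links in the removed comment are pinned to different commits (b8af810... and b8bd236...), so it would help to state which Dragonfly version the analysis was made against.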
@@ -37,3 +24,5 @@ if defined?(ActiveRecord::Base)
   ActiveRecord::Base.extend Dragonfly::Model
   ActiveRecord::Base.extend Dragonfly::Model::Validations
 end
+
+Book
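Review bot: The bare `Book` reference is added after the `end` of the `if defined?(ActiveRecord::Base)` guard, so it is evaluated even when that guard is false, and a lone constant with no comment reads like a stray token. If it stays, put it inside the guard and add a one-line comment saying it forces the model (and its Dragonfly accessor `default`) to load at boot.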

Run step 4 again, and now the response is 403

Started GET "/media/W1siZmYiLCJwdWJsaWMvc3lzdGVtL2RyYWdvbmZseS9ub19pbWFnZS5wbmciXV0/no_image.png?sha=d353989ba3e2457f" for 127.0.0.1 at 2018-02-18 20:35:24 +0200
DRAGONFLY: fetch file /Users/nash/projects/ua-books/public/system/dragonfly/no_image.png disallowed - use fetch_file_whitelist to allow it

nashbridges avatar Feb 18 '18 18:02 nashbridges
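The mismatch this issue describes, as an added Ruby example that is not part of the original issue and is not Dragonfly's code. It assumes, based on the removed comment, that whitelist entries are compared with `===` against an expanded absolute path, and it shows a hypothetical variant that expands string entries against the same base directory; `NaiveWhitelist`, `NormalizingWhitelist`, `APP_ROOT` and `demo` are names made up for the illustration.

```ruby
# Added illustration; a simplified model, not Dragonfly's source.
# Assumption: the server compares the expanded (absolute) fetch path
# against whitelist entries using `===`.
class NaiveWhitelist
  def initialize(entries = [])
    @entries = entries
  end

  def allow?(requested, base_dir)
    absolute = File.expand_path(requested, base_dir)
    @entries.any? { |entry| entry === absolute }
  end
end

# Hypothetical hardened variant: String entries are expanded against the
# same base directory before comparison; Regexp entries are kept as-is.
class NormalizingWhitelist
  def initialize(entries, base_dir)
    @base_dir = base_dir
    @entries = entries.map { |e| e.is_a?(String) ? File.expand_path(e, base_dir) : e }
  end

  def allow?(requested)
    absolute = File.expand_path(requested, @base_dir)
    # Exact match on the normalized path, never a prefix match.
    @entries.any? { |entry| entry === absolute }
  end
end

APP_ROOT = "/srv/app" # constructed stand-in for Rails.root
DEFAULT  = "public/system/dragonfly/no_image.png" # path used in the issue

def demo
  naive_rel = NaiveWhitelist.new([DEFAULT])
  naive_abs = NaiveWhitelist.new([File.join(APP_ROOT, DEFAULT)])
  fixed     = NormalizingWhitelist.new([DEFAULT], APP_ROOT)
  {
    relative_entry: naive_rel.allow?(DEFAULT, APP_ROOT), # the 403 case
    absolute_entry: naive_abs.allow?(DEFAULT, APP_ROOT), # the workaround
    normalized:     fixed.allow?(DEFAULT),
    # Constructed traversal input: must stay rejected after normalization.
    traversal:      fixed.allow?("public/system/dragonfly/../../../config/app.yml"),
    dotted_same:    fixed.allow?("public/./system/dragonfly/no_image.png")
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Normalizing both sides with `File.expand_path` keeps the check an exact-path comparison, so a relative default is accepted while a `..` sequence that resolves elsewhere is still refused.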