Also redirect to it for download, for Amazon S3 compatibility. Prior to this patch an attacker could obtain a user's export by guessing the filename with a high chance of success. Fully authenticating the download request is a lot harder due to our diverse deployment scenarios. This brings the used method in line with the photo export feature. Thanks to @tomekr for the report.
7 lines, 254 B, Ruby
# Uploader base class that derives a per-model random token, so stored
# filenames cannot be guessed from predictable data alone.
require 'securerandom'

class SecureUploader < CarrierWave::Uploader::Base
  protected

  # Returns a URL-safe random token, generated once and cached on the mounted
  # model (one instance variable per mount point), so every call for the same
  # model yields the same value.
  def secure_token(bytes = 16)
    var = :"@#{mounted_as}_secure_token"
    model.instance_variable_get(var) or model.instance_variable_set(var, SecureRandom.urlsafe_base64(bytes))
  end
end
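As an added illustration (not the project's code), the same token pattern without the CarrierWave dependency, showing how the memoised token ends up in the stored path and the download redirect target. `FakeModel`, `ExportUploader`, `store_dir`, `download_path` and the `uploads/<mount>/<id>/<token>` layout are assumed stand-ins, not diaspora's actual paths.

```ruby
require 'securerandom'

# Stand-in (assumed) for the ActiveRecord model the uploader is mounted on.
FakeModel = Struct.new(:id)

# Mirrors SecureUploader#secure_token without CarrierWave: the token is
# generated once per model instance and mount point, then memoised on the
# model itself, so storing, building the URL and redirecting all see the
# same value.
class ExportUploader
  attr_reader :model, :mounted_as

  def initialize(model, mounted_as = :export)
    @model = model
    @mounted_as = mounted_as
  end

  def secure_token(bytes = 16)
    var = :"@#{mounted_as}_secure_token"
    model.instance_variable_get(var) ||
      model.instance_variable_set(var, SecureRandom.urlsafe_base64(bytes))
  end

  # Assumed layout: the 128-bit random token is a path component, so knowing
  # the model id and the export filename is not enough to address the file.
  def store_dir
    "uploads/#{mounted_as}/#{model.id}/#{secure_token}"
  end

  # Target of the download redirect: the tokenised path, never one derived
  # from the id alone.
  def download_path(filename)
    "/#{store_dir}/#{filename}"
  end
end

if __FILE__ == $PROGRAM_NAME
  uploader = ExportUploader.new(FakeModel.new(42))
  puts uploader.download_path('42.json.gz')
end
```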