7d28e39f58
Mixing and matching the use of Rack::Request and ActionDispatch::Request in Rails 5 is bad, particularly if you have middleware that manipulates or accesses environment variables. `Gitlab::Middleware::Multipart` attempts to rewrite request parameters to the proper values (e.g. replacing `data_file` with `UploadedFile`). It does this by calling `Rack::Request#update_params`, which essentially updates `env['rack.request.form_hash']`. By changing to `ActionDispatch::Request`, the Go middleware was causing the request parameters to be stored inside `env['action_dispatch.request.request_parameters']`. Later calls to `Rack::Request#update_params` would not have any effect because it would attempt to update `env['rack.request.form_has']` instead of `env['action_dispatch.request.request_parameters']`. As a result, the controller still saw the old parameters. Since the Go middleware appears to be using `ActionDispatch::Request` for authorization methods, we can switch the multipart middleware to use it too. Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/9035 |
||
---|---|---|
.. | ||
read_only | ||
basic_health_check.rb | ||
correlation_id.rb | ||
go.rb | ||
multipart.rb | ||
rails_queue_duration.rb | ||
read_only.rb | ||
release_env.rb | ||
static.rb |