7d28e39f58
Mixing and matching the use of Rack::Request and ActionDispatch::Request in Rails 5 is bad, particularly if you have middleware that manipulates or accesses environment variables. `Gitlab::Middleware::Multipart` attempts to rewrite request parameters to the proper values (e.g. replacing `data_file` with `UploadedFile`). It does this by calling `Rack::Request#update_params`, which essentially updates `env['rack.request.form_hash']`. By changing to `ActionDispatch::Request`, the Go middleware was causing the request parameters to be stored inside `env['action_dispatch.request.request_parameters']`. Later calls to `Rack::Request#update_params` would not have any effect because it would attempt to update `env['rack.request.form_has']` instead of `env['action_dispatch.request.request_parameters']`. As a result, the controller still saw the old parameters. Since the Go middleware appears to be using `ActionDispatch::Request` for authorization methods, we can switch the multipart middleware to use it too. Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/9035 |
||
|---|---|---|
| .. | ||
| basic_health_check_spec.rb | ||
| go_spec.rb | ||
| multipart_spec.rb | ||
| rails_queue_duration_spec.rb | ||
| read_only_spec.rb | ||
| release_env_spec.rb | ||