paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-03 05:23:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

puppet: Remove legacy unauthenticated local uploads backend.

Browse Source 
This was only used in Ubuntu 14.04 Trusty.

Removing this also finally lets us simplify our security model
discussion of uploaded files.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
This commit is contained in:
Anders Kaseorg
2019-06-25 23:28:16 -07:00
committed by Tim Abbott
parent 6112d020f4
commit 33c941407b
3 changed files with 3 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.direct
View File

@@ -1,12 +0,0 @@
# This Django route not under /api is shared between mobile and web
# and thus needs API headers added, in addition to the configuration
# required to have it serve files directly.
location /user_uploads {
include /etc/nginx/zulip-include/api_headers;
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;";
include /etc/nginx/zulip-include/uploads.types;
alias /home/zulip/uploads/files;
}

13
puppet/zulip/manifests/nginx.pp
View File

@@ -36,18 +36,7 @@ class zulip::nginx {
# If we're not serving uploads locally, set the appropriate API headers for it.
$uploads_route = 'puppet:///modules/zulip/nginx/zulip-include-maybe/uploads-route.noserve'
} else {
# Nginx versions 1.4.6 and older do not support quoted URLs with the
# X-Accel-Redirect / "sendfile" feature, which are required for
# unicode support in filenames. As a result, we use the fancier
# django-sendfile behavior only when a sufficiently current version
# of nginx is present (e.g.. Xenial). Older versions (e.g. Trusty)
# retain the older, less secure, file upload behavior; we expect
# that this will stop being relevant when we drop Trusty support
# from Zulip altogether, no later than when Trusty reaches EOL in 2019.
$uploads_route = $zulip::base::release_name ? {
'trusty' => 'puppet:///modules/zulip/nginx/zulip-include-maybe/uploads-route.direct',
default => 'puppet:///modules/zulip/nginx/zulip-include-maybe/uploads-route.internal',
}
$uploads_route = 'puppet:///modules/zulip/nginx/zulip-include-maybe/uploads-route.internal'
}
file { '/etc/nginx/zulip-include/uploads.route':