diff options
| author | Mark Longair <mhl@pobox.com> | 2013-05-24 18:50:16 +0100 |
|---|---|---|
| committer | Mark Longair <mhl@pobox.com> | 2013-05-24 18:50:16 +0100 |
| commit | 501b2b8672d294268b2eb112092e70ffc2728539 (patch) | |
| tree | 43c973891c776f5736b60c48bbccabec9b04f509 /app/controllers/request_controller.rb | |
| parent | 390fcdb70b5474a4a66598e2c6bb123a6337bd53 (diff) | |
Check that display_filename matches URL part number or fallback
If the display_filename of the attachment found from the
URL part number doesn't match the passed in display_filename
then the email may have been reparsed, causing a reordering.
In that case, look to see if there is another attachment that
uniquely matches that filename, and, if so, return that other
attachment. If no matching uniquely matching filename is
found, redirect to the incoming message, rather than
returning a 404.
Diffstat (limited to 'app/controllers/request_controller.rb')
| -rw-r--r-- | app/controllers/request_controller.rb | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 5b64fe9ae..96f62319e 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -736,6 +736,7 @@ class RequestController < ApplicationController def get_attachment get_attachment_internal(false) + return unless @attachment # Prevent spam to magic request address. Note that the binary # subsitution method used depends on the content type @@ -755,6 +756,7 @@ class RequestController < ApplicationController raise ActiveRecord::RecordNotFound.new("Attachment HTML not found.") end get_attachment_internal(true) + return unless @attachment # images made during conversion (e.g. images in PDF files) are put in the cache directory, so # the same cache code in cache_attachments above will display them. @@ -801,8 +803,11 @@ class RequestController < ApplicationController # check permissions raise "internal error, pre-auth filter should have caught this" if !@info_request.user_can_view?(authenticated_user) - @attachment = IncomingMessage.get_attachment_by_url_part_number(@incoming_message.get_attachments_for_display, @part_number) - raise ActiveRecord::RecordNotFound.new("attachment not found part number " + @part_number.to_s + " incoming_message " + @incoming_message.id.to_s) if @attachment.nil? + @attachment = IncomingMessage.get_attachment_by_url_part_number_and_filename(@incoming_message.get_attachments_for_display, @part_number, @original_filename) + # If we can't find the right attachment, redirect to the incoming message: + unless @attachment + return redirect_to incoming_message_url(@incoming_message), :status => 303 + end # check filename in URL matches that in database (use a censor rule if you want to change a filename) raise ActiveRecord::RecordNotFound.new("please use same filename as original file has, display: '" + @attachment.display_filename + "' old_display: '" + @attachment.old_display_filename + "' original: '" + @original_filename + "'") if @attachment.display_filename != @original_filename && @attachment.old_display_filename != @original_filename |