activestorage 6.1.6.1 → 7.0.3.1

data/app/controllers/active_storage/base_controller.rb

@@ -7,13 +7,4 @@ class ActiveStorage::BaseController < ActionController::Base
   protect_from_forgery with: :exception
 
   self.etag_with_template_digest = false
-
-  private
-    def stream(blob)
-      blob.download do |chunk|
-        response.stream.write chunk
-      end
-    ensure
-      response.stream.close
-    end
 end

data/app/controllers/active_storage/blobs/proxy_controller.rb

@@ -1,14 +1,25 @@
 # frozen_string_literal: true
 
 # Proxy files through application. This avoids having a redirect and makes files easier to cache.
+#
+# WARNING: All Active Storage controllers are publicly accessible by default. The
+# generated URLs are hard to guess, but permanent by design. If your files
+# require a higher level of protection consider implementing
+# {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers].
 class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
   include ActiveStorage::SetBlob
-  include ActiveStorage::SetHeaders
+  include ActiveStorage::Streaming
 
   def show
-    http_cache_forever public: true do
-      set_content_headers_from @blob
-      stream @blob
+    if request.headers["Range"].present?
+      send_blob_byte_range_data @blob, request.headers["Range"]
+    else
+      http_cache_forever public: true do
+        response.headers["Accept-Ranges"] = "bytes"
+        response.headers["Content-Length"] = @blob.byte_size.to_s
+
+        send_blob_stream @blob, disposition: params[:disposition]
+      end
     end
   end
 end

data/app/controllers/active_storage/blobs/redirect_controller.rb

@@ -1,14 +1,16 @@
 # frozen_string_literal: true
 
 # Take a signed permanent reference for a blob and turn it into an expiring service URL for download.
-# Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
-# security-through-obscurity factor of the signed blob references, you'll need to implement your own
-# authenticated redirection controller.
+#
+# WARNING: All Active Storage controllers are publicly accessible by default. The
+# generated URLs are hard to guess, but permanent by design. If your files
+# require a higher level of protection consider implementing
+# {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers].
 class ActiveStorage::Blobs::RedirectController < ActiveStorage::BaseController
   include ActiveStorage::SetBlob
 
   def show
     expires_in ActiveStorage.service_urls_expire_in
-    redirect_to @blob.url(disposition: params[:disposition])
+    redirect_to @blob.url(disposition: params[:disposition]), allow_other_host: true
   end
 end

data/app/controllers/active_storage/disk_controller.rb

@@ -23,6 +23,7 @@ class ActiveStorage::DiskController < ActiveStorage::BaseController
     if token = decode_verified_token
       if acceptable_content?(token)
         named_disk_service(token[:service_name]).upload token[:key], request.body, checksum: token[:checksum]
+        head :no_content
       else
         head :unprocessable_entity
       end

data/app/controllers/active_storage/representations/base_controller.rb

@@ -1,11 +1,15 @@
 # frozen_string_literal: true
 
-class ActiveStorage::Representations::BaseController < ActiveStorage::BaseController #:nodoc:
+class ActiveStorage::Representations::BaseController < ActiveStorage::BaseController # :nodoc:
   include ActiveStorage::SetBlob
 
   before_action :set_representation
 
   private
+    def blob_scope
+      ActiveStorage::Blob.scope_for_strict_loading
+    end
+
     def set_representation
       @representation = @blob.representation(params[:variation_key]).processed
     rescue ActiveSupport::MessageVerifier::InvalidSignature

data/app/controllers/active_storage/representations/proxy_controller.rb

@@ -1,13 +1,17 @@
 # frozen_string_literal: true
 
 # Proxy files through application. This avoids having a redirect and makes files easier to cache.
+#
+# WARNING: All Active Storage controllers are publicly accessible by default. The
+# generated URLs are hard to guess, but permanent by design. If your files
+# require a higher level of protection consider implementing
+# {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers].
 class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
-  include ActiveStorage::SetHeaders
+  include ActiveStorage::Streaming
 
   def show
     http_cache_forever public: true do
-      set_content_headers_from @representation.image
-      stream @representation
+      send_blob_stream @representation.image, disposition: params[:disposition]
     end
   end
 end

data/app/controllers/active_storage/representations/redirect_controller.rb

@@ -1,12 +1,14 @@
 # frozen_string_literal: true
 
 # Take a signed permanent reference for a blob representation and turn it into an expiring service URL for download.
-# Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
-# security-through-obscurity factor of the signed blob and variation reference, you'll need to implement your own
-# authenticated redirection controller.
+#
+# WARNING: All Active Storage controllers are publicly accessible by default. The
+# generated URLs are hard to guess, but permanent by design. If your files
+# require a higher level of protection consider implementing
+# {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers].
 class ActiveStorage::Representations::RedirectController < ActiveStorage::Representations::BaseController
   def show
     expires_in ActiveStorage.service_urls_expire_in
-    redirect_to @representation.url(disposition: params[:disposition])
+    redirect_to @representation.url(disposition: params[:disposition]), allow_other_host: true
   end
 end

data/app/controllers/concerns/active_storage/set_blob.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module ActiveStorage::SetBlob #:nodoc:
+module ActiveStorage::SetBlob # :nodoc:
   extend ActiveSupport::Concern
 
   included do
@@ -9,8 +9,12 @@ module ActiveStorage::SetBlob #:nodoc:
 
   private
     def set_blob
-      @blob = ActiveStorage::Blob.find_signed!(params[:signed_blob_id] || params[:signed_id])
+      @blob = blob_scope.find_signed!(params[:signed_blob_id] || params[:signed_id])
     rescue ActiveSupport::MessageVerifier::InvalidSignature
       head :not_found
     end
+
+    def blob_scope
+      ActiveStorage::Blob
+    end
 end

data/app/controllers/concerns/active_storage/set_current.rb

@@ -1,15 +1,15 @@
 # frozen_string_literal: true
 
-# Sets the <tt>ActiveStorage::Current.host</tt> attribute, which the disk service uses to generate URLs.
+# Sets the <tt>ActiveStorage::Current.url_options</tt> attribute, which the disk service uses to generate URLs.
 # Include this concern in custom controllers that call ActiveStorage::Blob#url,
 # ActiveStorage::Variant#url, or ActiveStorage::Preview#url so the disk service can
-# generate URLs using the same host, protocol, and base path as the current request.
+# generate URLs using the same host, protocol, and port as the current request.
 module ActiveStorage::SetCurrent
   extend ActiveSupport::Concern
 
   included do
     before_action do
-      ActiveStorage::Current.host = request.base_url
+      ActiveStorage::Current.url_options = { protocol: request.protocol, host: request.host, port: request.port }
     end
   end
 end

data/app/controllers/concerns/active_storage/streaming.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require "securerandom"
+
+module ActiveStorage::Streaming
+  DEFAULT_BLOB_STREAMING_DISPOSITION = "inline"
+
+  include ActionController::DataStreaming
+  include ActionController::Live
+
+  private
+    # Stream the blob in byte ranges specified through the header
+    def send_blob_byte_range_data(blob, range_header, disposition: nil)
+      ranges = Rack::Utils.get_byte_ranges(range_header, blob.byte_size)
+
+      return head(:range_not_satisfiable) if ranges.blank? || ranges.all?(&:blank?)
+
+      if ranges.length == 1
+        range = ranges.first
+        content_type = blob.content_type_for_serving
+        data = blob.download_chunk(range)
+
+        response.headers["Content-Range"] = "bytes #{range.begin}-#{range.end}/#{blob.byte_size}"
+      else
+        boundary = SecureRandom.hex
+        content_type = "multipart/byteranges; boundary=#{boundary}"
+        data = +""
+
+        ranges.compact.each do |range|
+          chunk = blob.download_chunk(range)
+
+          data << "\r\n--#{boundary}\r\n"
+          data << "Content-Type: #{blob.content_type_for_serving}\r\n"
+          data << "Content-Range: bytes #{range.begin}-#{range.end}/#{blob.byte_size}\r\n\r\n"
+          data << chunk
+        end
+
+        data << "\r\n--#{boundary}--\r\n"
+      end
+
+      response.headers["Accept-Ranges"] = "bytes"
+      response.headers["Content-Length"] = data.length.to_s
+
+      send_data(
+        data,
+        disposition: blob.forced_disposition_for_serving || disposition || DEFAULT_BLOB_STREAMING_DISPOSITION,
+        filename: blob.filename.sanitized,
+        status: :partial_content,
+        type: content_type
+      )
+    end
+
+    # Stream the blob from storage directly to the response. The disposition can be controlled by setting +disposition+.
+    # The content type and filename is set directly from the +blob+.
+    def send_blob_stream(blob, disposition: nil) # :doc:
+      send_stream(
+          filename: blob.filename.sanitized,
+          disposition: blob.forced_disposition_for_serving || disposition || DEFAULT_BLOB_STREAMING_DISPOSITION,
+          type: blob.content_type_for_serving) do |stream|
+        blob.download do |chunk|
+          stream.write chunk
+        end
+      end
+    end
+end

data/app/javascript/activestorage/ujs.js

@@ -9,7 +9,7 @@ export function start() {
   if (!started) {
     started = true
     document.addEventListener("click", didClick, true)
-    document.addEventListener("submit", didSubmitForm)
+    document.addEventListener("submit", didSubmitForm, true)
     document.addEventListener("ajax:before", didSubmitRemoteElement)
   }
 }

data/app/models/active_storage/attachment.rb

@@ -7,6 +7,14 @@ require "active_support/core_ext/module/delegation"
 # on the attachments table prevents blobs from being purged if they’re still attached to any records.
 #
 # Attachments also have access to all methods from {ActiveStorage::Blob}[rdoc-ref:ActiveStorage::Blob].
+#
+# If you wish to preload attachments or blobs, you can use these scopes:
+#
+#   # preloads attachments, their corresponding blobs, and variant records (if using `ActiveStorage.track_variants`)
+#   User.all.with_attached_avatars
+#
+#   # preloads blobs and variant records (if using `ActiveStorage.track_variants`)
+#   User.first.avatars.with_all_variant_records
 class ActiveStorage::Attachment < ActiveStorage::Record
   self.table_name = "active_storage_attachments"
 
@@ -19,11 +27,13 @@ class ActiveStorage::Attachment < ActiveStorage::Record
   after_create_commit :mirror_blob_later, :analyze_blob_later
   after_destroy_commit :purge_dependent_blob_later
 
+  scope :with_all_variant_records, -> { includes(blob: :variant_records) }
+
   # Synchronously deletes the attachment and {purges the blob}[rdoc-ref:ActiveStorage::Blob#purge].
   def purge
     transaction do
       delete
-      record&.touch
+      record.touch if record&.persisted?
     end
     blob&.purge
   end
@@ -32,11 +42,30 @@ class ActiveStorage::Attachment < ActiveStorage::Record
   def purge_later
     transaction do
       delete
-      record&.touch
+      record.touch if record&.persisted?
     end
     blob&.purge_later
   end
 
+  # Returns an ActiveStorage::Variant or ActiveStorage::VariantWithRecord
+  # instance for the attachment with the set of +transformations+ provided.
+  # See ActiveStorage::Blob::Representable#variant for more information.
+  #
+  # Raises an +ArgumentError+ if +transformations+ is a +Symbol+ which is an
+  # unknown pre-defined variant of the attachment.
+  def variant(transformations)
+    case transformations
+    when Symbol
+      variant_name = transformations
+      transformations = variants.fetch(variant_name) do
+        record_model_name = record.to_model.model_name.name
+        raise ArgumentError, "Cannot find variant :#{variant_name} for #{record_model_name}##{name}"
+      end
+    end
+
+    blob.variant(transformations)
+  end
+
   private
     def analyze_blob_later
       blob.analyze_later unless blob.analyzed?
@@ -53,6 +82,10 @@ class ActiveStorage::Attachment < ActiveStorage::Record
     def dependent
       record.attachment_reflections[name]&.options&.fetch(:dependent, nil)
     end
+
+    def variants
+      record.attachment_reflections[name]&.variants
+    end
 end
 
 ActiveSupport.run_load_hooks :active_storage_attachment, ActiveStorage::Attachment

data/app/models/active_storage/blob/representable.rb

@@ -12,8 +12,8 @@ module ActiveStorage::Blob::Representable
     has_one_attached :preview_image
   end
 
-  # Returns an ActiveStorage::Variant instance with the set of +transformations+ provided. This is only relevant for image
-  # files, and it allows any image to be transformed for size, colors, and the like. Example:
+  # Returns an ActiveStorage::Variant or ActiveStorage::VariantWithRecord instance with the set of +transformations+ provided.
+  # This is only relevant for image files, and it allows any image to be transformed for size, colors, and the like. Example:
   #
   #   avatar.variant(resize_to_limit: [100, 100]).processed.url
   #
@@ -28,8 +28,9 @@ module ActiveStorage::Blob::Representable
   # This will create a URL for that specific blob with that specific variant, which the ActiveStorage::RepresentationsController
   # can then produce on-demand.
   #
-  # Raises ActiveStorage::InvariableError if ImageMagick cannot transform the blob. To determine whether a blob is
-  # variable, call ActiveStorage::Blob#variable?.
+  # Raises ActiveStorage::InvariableError if the variant processor cannot
+  # transform the blob. To determine whether a blob is variable, call
+  # ActiveStorage::Blob#variable?.
   def variant(transformations)
     if variable?
       variant_class.new(self, ActiveStorage::Variation.wrap(transformations).default_to(default_variant_transformations))
@@ -38,7 +39,8 @@ module ActiveStorage::Blob::Representable
     end
   end
 
-  # Returns true if ImageMagick can transform the blob (its content type is in +ActiveStorage.variable_content_types+).
+  # Returns true if the variant processor can transform the blob (its content
+  # type is in +ActiveStorage.variable_content_types+).
   def variable?
     ActiveStorage.variable_content_types.include?(content_type)
   end

data/app/models/active_storage/blob.rb

@@ -39,7 +39,7 @@ class ActiveStorage::Blob < ActiveStorage::Record
   MINIMUM_TOKEN_LENGTH = 28
 
   has_secure_token :key, length: MINIMUM_TOKEN_LENGTH
-  store :metadata, accessors: [ :analyzed, :identified ], coder: ActiveRecord::Coders::JSON
+  store :metadata, accessors: [ :analyzed, :identified, :composed ], coder: ActiveRecord::Coders::JSON
 
   class_attribute :services, default: {}
   class_attribute :service, instance_accessor: false
@@ -52,13 +52,14 @@ class ActiveStorage::Blob < ActiveStorage::Record
     self.service_name ||= self.class.service&.name
   end
 
-  after_update_commit :update_service_metadata, if: :content_type_previously_changed?
+  after_update_commit :update_service_metadata, if: -> { content_type_previously_changed? || metadata_previously_changed? }
 
   before_destroy(prepend: true) do
     raise ActiveRecord::InvalidForeignKey if attachments.exists?
   end
 
   validates :service_name, presence: true
+  validates :checksum, presence: true, unless: :composed
 
   validate do
     if service_name_changed? && service_name.present?
@@ -86,21 +87,13 @@ class ActiveStorage::Blob < ActiveStorage::Record
       super(id, purpose: purpose)
     end
 
-    def build_after_upload(io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil) #:nodoc:
-      new(filename: filename, content_type: content_type, metadata: metadata, service_name: service_name).tap do |blob|
-        blob.upload(io, identify: identify)
-      end
-    end
-
-    deprecate :build_after_upload
-
-    def build_after_unfurling(key: nil, io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil) #:nodoc:
+    def build_after_unfurling(key: nil, io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil) # :nodoc:
       new(key: key, filename: filename, content_type: content_type, metadata: metadata, service_name: service_name).tap do |blob|
         blob.unfurl(io, identify: identify)
       end
     end
 
-    def create_after_unfurling!(key: nil, io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil) #:nodoc:
+    def create_after_unfurling!(key: nil, io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil) # :nodoc:
       build_after_unfurling(key: key, io: io, filename: filename, content_type: content_type, metadata: metadata, service_name: service_name, identify: identify).tap(&:save!)
     end
 
@@ -115,9 +108,6 @@ class ActiveStorage::Blob < ActiveStorage::Record
       end
     end
 
-    alias_method :create_after_upload!, :create_and_upload!
-    deprecate create_after_upload!: :create_and_upload!
-
     # Returns a saved blob _without_ uploading a file to the service. This blob will point to a key where there is
     # no file yet. It's intended to be used together with a client-side upload, which will first create the blob
     # in order to produce the signed URL for uploading. This signed URL points to the key generated by the blob.
@@ -137,7 +127,7 @@ class ActiveStorage::Blob < ActiveStorage::Record
     end
 
     # Customize signed ID purposes for backwards compatibility.
-    def combine_signed_id_purposes(purpose) #:nodoc:
+    def combine_signed_id_purposes(purpose) # :nodoc:
       purpose.to_s
     end
 
@@ -145,14 +135,34 @@ class ActiveStorage::Blob < ActiveStorage::Record
     #
     # We override the reader (.signed_id_verifier) instead of just calling the writer (.signed_id_verifier=)
     # to guard against the case where ActiveStorage.verifier isn't yet initialized at load time.
-    def signed_id_verifier #:nodoc:
+    def signed_id_verifier # :nodoc:
       @signed_id_verifier ||= ActiveStorage.verifier
     end
+
+    def scope_for_strict_loading # :nodoc:
+      if strict_loading_by_default? && ActiveStorage.track_variants
+        includes(variant_records: { image_attachment: :blob }, preview_image_attachment: :blob)
+      else
+        all
+      end
+    end
+
+    # Concatenate multiple blobs into a single "composed" blob.
+    def compose(blobs, filename:, content_type: nil, metadata: nil)
+      raise ActiveRecord::RecordNotSaved, "All blobs must be persisted." if blobs.any?(&:new_record?)
+
+      content_type ||= blobs.pluck(:content_type).compact.first
+
+      new(filename: filename, content_type: content_type, metadata: metadata, byte_size: blobs.sum(&:byte_size)).tap do |combined_blob|
+        combined_blob.compose(blobs.pluck(:key))
+        combined_blob.save!
+      end
+    end
   end
 
   # Returns a signed ID for this blob that's suitable for reference on the client-side without fear of tampering.
-  def signed_id
-    super(purpose: :blob_id)
+  def signed_id(purpose: :blob_id, expires_in: nil)
+    super
   end
 
   # Returns the key pointing to the file on the service that's associated with this blob. The key is the
@@ -171,6 +181,14 @@ class ActiveStorage::Blob < ActiveStorage::Record
     ActiveStorage::Filename.new(self[:filename])
   end
 
+  def custom_metadata
+    self[:metadata][:custom] || {}
+  end
+
+  def custom_metadata=(metadata)
+    self[:metadata] = self[:metadata].merge(custom: metadata)
+  end
+
   # Returns true if the content_type of this blob is in the image range, like image/png.
   def image?
     content_type.start_with?("image")
@@ -200,25 +218,22 @@ class ActiveStorage::Blob < ActiveStorage::Record
       content_type: content_type_for_serving, disposition: forced_disposition_for_serving || disposition, **options
   end
 
-  alias_method :service_url, :url
-  deprecate service_url: :url
-
   # Returns a URL that can be used to directly upload a file for this blob on the service. This URL is intended to be
   # short-lived for security and only generated on-demand by the client-side JavaScript responsible for doing the uploading.
   def service_url_for_direct_upload(expires_in: ActiveStorage.service_urls_expire_in)
-    service.url_for_direct_upload key, expires_in: expires_in, content_type: content_type, content_length: byte_size, checksum: checksum
+    service.url_for_direct_upload key, expires_in: expires_in, content_type: content_type, content_length: byte_size, checksum: checksum, custom_metadata: custom_metadata
   end
 
   # Returns a Hash of headers for +service_url_for_direct_upload+ requests.
   def service_headers_for_direct_upload
-    service.headers_for_direct_upload key, filename: filename, content_type: content_type, content_length: byte_size, checksum: checksum
+    service.headers_for_direct_upload key, filename: filename, content_type: content_type, content_length: byte_size, checksum: checksum, custom_metadata: custom_metadata
   end
 
-  def content_type_for_serving #:nodoc:
+  def content_type_for_serving # :nodoc:
     forcibly_serve_as_binary? ? ActiveStorage.binary_content_type : content_type
   end
 
-  def forced_disposition_for_serving #:nodoc:
+  def forced_disposition_for_serving # :nodoc:
     if forcibly_serve_as_binary? || !allowed_inline?
       :attachment
     end
@@ -242,23 +257,33 @@ class ActiveStorage::Blob < ActiveStorage::Record
     upload_without_unfurling io
   end
 
-  def unfurl(io, identify: true) #:nodoc:
+  def unfurl(io, identify: true) # :nodoc:
     self.checksum     = compute_checksum_in_chunks(io)
     self.content_type = extract_content_type(io) if content_type.nil? || identify
     self.byte_size    = io.size
     self.identified   = true
   end
 
-  def upload_without_unfurling(io) #:nodoc:
+  def upload_without_unfurling(io) # :nodoc:
     service.upload key, io, checksum: checksum, **service_metadata
   end
 
+  def compose(keys) # :nodoc:
+    self.composed = true
+    service.compose(keys, key, **service_metadata)
+  end
+
   # Downloads the file associated with this blob. If no block is given, the entire file is read into memory and returned.
   # That'll use a lot of RAM for very large files. If a block is given, then the download is streamed and yielded in chunks.
   def download(&block)
     service.download key, &block
   end
 
+  # Downloads a part of the file associated with this blob.
+  def download_chunk(range)
+    service.download_chunk key, range
+  end
+
   # Downloads the blob to a tempfile on disk. Yields the tempfile.
   #
   # The tempfile's name is prefixed with +ActiveStorage-+ and the blob's ID. Its extension matches that of the blob.
@@ -273,11 +298,17 @@ class ActiveStorage::Blob < ActiveStorage::Record
   #
   # Raises ActiveStorage::IntegrityError if the downloaded data does not match the blob's checksum.
   def open(tmpdir: nil, &block)
-    service.open key, checksum: checksum,
-      name: [ "ActiveStorage-#{id}-", filename.extension_with_delimiter ], tmpdir: tmpdir, &block
+    service.open(
+      key,
+      checksum: checksum,
+      verify: !composed,
+      name: [ "ActiveStorage-#{id}-", filename.extension_with_delimiter ],
+      tmpdir: tmpdir,
+      &block
+    )
   end
 
-  def mirror_later #:nodoc:
+  def mirror_later # :nodoc:
     ActiveStorage::MirrorJob.perform_later(key, checksum: checksum) if service.respond_to?(:mirror)
   end
 
@@ -294,7 +325,7 @@ class ActiveStorage::Blob < ActiveStorage::Record
   # be slow or prevented, so you should not use this method inside a transaction or in callbacks. Use #purge_later instead.
   def purge
     destroy
-    delete
+    delete if previously_persisted?
   rescue ActiveRecord::InvalidForeignKey
   end
 
@@ -309,9 +340,34 @@ class ActiveStorage::Blob < ActiveStorage::Record
     services.fetch(service_name)
   end
 
+  def content_type=(value)
+    unless ActiveStorage.silence_invalid_content_types_warning
+      if INVALID_VARIABLE_CONTENT_TYPES_DEPRECATED_IN_RAILS_7.include?(value)
+        ActiveSupport::Deprecation.warn(<<-MSG.squish)
+          #{value} is not a valid content type, it should not be used when creating a blob, and support for it will be removed in Rails 7.1.
+          If you want to keep supporting this content type past Rails 7.1, add it to `config.active_storage.variable_content_types`.
+          Dismiss this warning by setting `config.active_storage.silence_invalid_content_types_warning = true`.
+        MSG
+      end
+
+      if INVALID_VARIABLE_CONTENT_TYPES_TO_SERVE_AS_BINARY_DEPRECATED_IN_RAILS_7.include?(value)
+        ActiveSupport::Deprecation.warn(<<-MSG.squish)
+          #{value} is not a valid content type, it should not be used when creating a blob, and support for it will be removed in Rails 7.1.
+          If you want to keep supporting this content type past Rails 7.1, add it to `config.active_storage.content_types_to_serve_as_binary`.
+          Dismiss this warning by setting `config.active_storage.silence_invalid_content_types_warning = true`.
+        MSG
+      end
+    end
+
+    super
+  end
+
+  INVALID_VARIABLE_CONTENT_TYPES_DEPRECATED_IN_RAILS_7 = ["image/jpg", "image/pjpeg", "image/bmp"]
+  INVALID_VARIABLE_CONTENT_TYPES_TO_SERVE_AS_BINARY_DEPRECATED_IN_RAILS_7 = ["text/javascript"]
+
   private
     def compute_checksum_in_chunks(io)
-      Digest::MD5.new.tap do |checksum|
+      OpenSSL::Digest::MD5.new.tap do |checksum|
         while chunk = io.read(5.megabytes)
           checksum << chunk
         end
@@ -338,11 +394,11 @@ class ActiveStorage::Blob < ActiveStorage::Record
 
     def service_metadata
       if forcibly_serve_as_binary?
-        { content_type: ActiveStorage.binary_content_type, disposition: :attachment, filename: filename }
+        { content_type: ActiveStorage.binary_content_type, disposition: :attachment, filename: filename, custom_metadata: custom_metadata }
       elsif !allowed_inline?
-        { content_type: content_type, disposition: :attachment, filename: filename }
+        { content_type: content_type, disposition: :attachment, filename: filename, custom_metadata: custom_metadata }
       else
-        { content_type: content_type }
+        { content_type: content_type, custom_metadata: custom_metadata }
       end
     end
 

data/app/models/active_storage/current.rb

@@ -1,5 +1,15 @@
 # frozen_string_literal: true
 
-class ActiveStorage::Current < ActiveSupport::CurrentAttributes #:nodoc:
-  attribute :host
+class ActiveStorage::Current < ActiveSupport::CurrentAttributes # :nodoc:
+  attribute :url_options
+
+  def host=(host)
+    ActiveSupport::Deprecation.warn("ActiveStorage::Current.host= is deprecated, instead use ActiveStorage::Current.url_options=")
+    self.url_options = { host: host }
+  end
+
+  def host
+    ActiveSupport::Deprecation.warn("ActiveStorage::Current.host is deprecated, instead use ActiveStorage::Current.url_options")
+    self.url_options&.dig(:host)
+  end
 end