carrierwave 0.10.0 → 0.11.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0092635d7d29c1b3f6b16b2589e48ba6919ff0b9
-  data.tar.gz: c19c7734e547d39cfec1d90aa48fb28bd3d99b2a
+  metadata.gz: 8c1689fd908e56b671c45e5cb1eebe3ec938a4df
+  data.tar.gz: 89668d77484c786139f513dc1b82c82879da4e11
 SHA512:
-  metadata.gz: d4cce1995281a15422ac6c35b82b19b54e6ba0f5d0efffcbf6c9d3e7f81ae462efa8f313a84ba707bdf4a5e4938e7b367fae90789e18dc24421b023b64c77506
-  data.tar.gz: 5b103922747f4fb1f1c2a172408e9904a39930eda9cd1769ca0b9ba16ee7bbed4dbb9aa1d3a24ac8e61a19ead8491e4ed5b4bca852224f33e6b8b02a90f7d7da
+  metadata.gz: a03780cb6e64ad439c1f12378be2f4392617dbbe9f83329eccc6bc05064385e0e95a4b4609e32d922a0ce6d5543bbc795eb4abb8e429d5e366040fdfa3c82bfd
+  data.tar.gz: ee26ab882ed995b677c38e6064843101633a07166cf2dda0e522bf1b13eb7a30a373312d67b786bc86365fd3ef4cb974f8f57a564dafbf9eafaf1c60b7e3e3e8

data/README.md

@@ -161,6 +161,22 @@ class MyUploader < CarrierWave::Uploader::Base
 end
 ```
 
+### CVE-2016-3714 (ImageTragick)
+This version of CarrierWave has the ability to mitigate CVE-2016-3714. However, you **MUST** set a `content_type_whitelist` in your uploaders for this protection to be effective, and you **MUST** either disable ImageMagick's default SVG delegate or use the RSVG delegate for SVG processing.
+
+A valid whitelist that will restrict your uploader to images only, and mitigate the CVE is:
+
+```ruby
+class MyUploader < CarrierWave::Uploader::Base
+  def content_type_whitelist
+    [/image\//]
+  end
+end
+```
+
+**WARNING**: A `content_type_whitelist` is the only form of whitelist or blacklist supported by CarrierWave that can effectively mitigate against CVE-2016-3714. Use of `extension_type_whitelist` will not inspect the file headers, and thus still leaves your application open to the vulnerability.
+
+
 ### Filenames and unicode chars
 
 Another security issue you should care for is the file names (see

data/lib/carrierwave/processing/rmagick.rb

@@ -62,6 +62,8 @@ module CarrierWave
 
     included do
       begin
+        require "rmagick"
+      rescue LoadError
         require "RMagick"
       rescue LoadError => e
         e.message << " (You may need to install the rmagick gem)"

data/lib/carrierwave/sanitized_file.rb

@@ -3,6 +3,7 @@
 require 'pathname'
 require 'active_support/core_ext/string/multibyte'
 require 'mime/types'
+require 'mimemagic'
 
 module CarrierWave
 
@@ -244,12 +245,10 @@ module CarrierWave
     # [String] the content type of the file
     #
     def content_type
-      return @content_type if @content_type
-      if @file.respond_to?(:content_type) and @file.content_type
-        @content_type = @file.content_type.to_s.chomp
-      elsif path
-        @content_type = ::MIME::Types.type_for(path).first.to_s
-      end
+      @content_type ||=
+        existing_content_type ||
+        mime_magic_content_type ||
+        mime_types_content_type
     end
 
     ##
@@ -309,6 +308,22 @@ module CarrierWave
       return name.mb_chars.to_s
     end
 
+    def existing_content_type
+      if @file.respond_to?(:content_type) && @file.content_type
+        @file.content_type.to_s.chomp
+      end
+    end
+
+    def mime_magic_content_type
+      MimeMagic.by_magic(File.open(path)).try(:type) if path
+    rescue Errno::ENOENT
+      nil
+    end
+
+    def mime_types_content_type
+      ::MIME::Types.type_for(path).first.to_s if path
+    end
+
     def split_extension(filename)
       # regular expressions to try for identifying extensions
       extension_matchers = [

data/lib/carrierwave/storage/fog.rb

@@ -1,7 +1,5 @@
 # encoding: utf-8
 
-require "fog"
-
 module CarrierWave
   module Storage
 

data/lib/carrierwave/storage.rb

@@ -1,9 +1,11 @@
 require "carrierwave/storage/abstract"
 require "carrierwave/storage/file"
 
-begin
-  require "fog"
-rescue LoadError
+%w(aws google openstack rackspace).each do |fog_dependency|
+  begin
+    require "fog/#{fog_dependency}"
+  rescue LoadError
+  end
 end
 
 require "carrierwave/storage/fog" if defined?(Fog)

data/lib/carrierwave/uploader/cache.rb

@@ -8,15 +8,27 @@ module CarrierWave
     end
   end
 
+  class CacheCounter
+    @@counter = 0
+
+    def self.increment
+      @@counter += 1
+    end
+  end
+
   ##
   # Generates a unique cache id for use in the caching system
   #
   # === Returns
   #
-  # [String] a cache id in the format TIMEINT-PID-RND
+  # [String] a cache id in the format TIMEINT-PID-COUNTER-RND
   #
   def self.generate_cache_id
-    Time.now.utc.to_i.to_s + '-' + Process.pid.to_s + '-' + ("%04d" % rand(9999))
+    [Time.now.utc.to_i,
+      Process.pid,
+      '%04d' % (CarrierWave::CacheCounter.increment % 1000),
+      '%04d' % rand(9999)
+    ].map(&:to_s).join('-')
   end
 
   module Uploader
@@ -91,7 +103,7 @@ module CarrierWave
       #
       # === Returns
       #
-      # [String] a cache name, in the format YYYYMMDD-HHMM-PID-RND/filename.txt
+      # [String] a cache name, in the format TIMEINT-PID-COUNTER-RND/filename.txt
       #
       def cache_name
         File.join(cache_id, full_original_filename) if cache_id and original_filename
@@ -165,7 +177,9 @@ module CarrierWave
       alias_method :full_original_filename, :original_filename
 
       def cache_id=(cache_id)
-        raise CarrierWave::InvalidParameter, "invalid cache id" unless cache_id =~ /\A[\d]+\-[\d]+\-[\d]{4}\z/
+        # Earlier version used 3 part cache_id. Thus we should allow for
+        # the cache_id to have both 3 part and 4 part formats.
+        raise CarrierWave::InvalidParameter, "invalid cache id" unless cache_id =~ /\A[\d]+\-[\d]+(\-[\d]{4})?\-[\d]{4}\z/
         @cache_id = cache_id
       end
 

data/lib/carrierwave/uploader/content_type_blacklist.rb

@@ -0,0 +1,48 @@
+module CarrierWave
+  module Uploader
+    module ContentTypeBlacklist
+      extend ActiveSupport::Concern
+
+      included do
+        before :cache, :check_content_type_blacklist!
+      end
+
+      ##
+      # Override this method in your uploader to provide a blacklist of files content types
+      # which are not allowed to be uploaded.
+      # Not only strings but Regexp are allowed as well.
+      #
+      # === Returns
+      #
+      # [NilClass, String, Regexp, Array[String, Regexp]] a blacklist of content types which are not allowed to be uploaded
+      #
+      # === Examples
+      #
+      #     def content_type_blacklist
+      #       %w(text/json application/json)
+      #     end
+      #
+      # Basically the same, but using a Regexp:
+      #
+      #     def content_type_blacklist
+      #       [/(text|application)\/json/]
+      #     end
+      #
+      def content_type_blacklist; end
+
+    private
+
+      def check_content_type_blacklist!(new_file)
+        content_type = new_file.content_type
+        if content_type_blacklist && blacklisted_content_type?(content_type)
+          raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.content_type_blacklist_error", content_type: content_type)
+        end
+      end
+
+      def blacklisted_content_type?(content_type)
+        Array(content_type_blacklist).any? { |item| content_type =~ /#{item}/ }
+      end
+
+    end # ContentTypeBlacklist
+  end # Uploader
+end # CarrierWave

data/lib/carrierwave/uploader/content_type_whitelist.rb

@@ -0,0 +1,48 @@
+module CarrierWave
+  module Uploader
+    module ContentTypeWhitelist
+      extend ActiveSupport::Concern
+
+      included do
+        before :cache, :check_content_type_whitelist!
+      end
+
+      ##
+      # Override this method in your uploader to provide a whitelist of files content types
+      # which are allowed to be uploaded.
+      # Not only strings but Regexp are allowed as well.
+      #
+      # === Returns
+      #
+      # [NilClass, String, Regexp, Array[String, Regexp]] a whitelist of content types which are allowed to be uploaded
+      #
+      # === Examples
+      #
+      #     def content_type_whitelist
+      #       %w(text/json application/json)
+      #     end
+      #
+      # Basically the same, but using a Regexp:
+      #
+      #     def content_type_whitelist
+      #       [/(text|application)\/json/]
+      #     end
+      #
+      def content_type_whitelist; end
+
+    private
+
+      def check_content_type_whitelist!(new_file)
+        content_type = new_file.content_type
+        if content_type_whitelist && !whitelisted_content_type?(content_type)
+          raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.content_type_whitelist_error", content_type: content_type)
+        end
+      end
+
+      def whitelisted_content_type?(content_type)
+        Array(content_type_whitelist).any? { |item| content_type =~ /#{item}/ }
+      end
+
+    end # ContentTypeWhitelist
+  end # Uploader
+end # CarrierWave

data/lib/carrierwave/uploader.rb

@@ -11,6 +11,8 @@ require "carrierwave/uploader/download"
 require "carrierwave/uploader/remove"
 require "carrierwave/uploader/extension_whitelist"
 require "carrierwave/uploader/extension_blacklist"
+require "carrierwave/uploader/content_type_whitelist"
+require "carrierwave/uploader/content_type_blacklist"
 require "carrierwave/uploader/processing"
 require "carrierwave/uploader/versions"
 require "carrierwave/uploader/default_url"
@@ -53,6 +55,8 @@ module CarrierWave
       include CarrierWave::Uploader::Remove
       include CarrierWave::Uploader::ExtensionWhitelist
       include CarrierWave::Uploader::ExtensionBlacklist
+      include CarrierWave::Uploader::ContentTypeWhitelist
+      include CarrierWave::Uploader::ContentTypeBlacklist
       include CarrierWave::Uploader::Processing
       include CarrierWave::Uploader::Versions
       include CarrierWave::Uploader::DefaultUrl

data/lib/carrierwave/version.rb

@@ -1,3 +1,3 @@
 module CarrierWave
-  VERSION = "0.10.0"
+  VERSION = "0.11.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: carrierwave
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.11.2
 platform: ruby
 authors:
 - Jonas Nicklas
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-02-26 00:00:00.000000000 Z
+date: 2016-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -67,7 +67,21 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.16'
 - !ruby/object:Gem::Dependency
-  name: mysql2
+  name: mimemagic
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.0
+- !ruby/object:Gem::Dependency
+  name: pg
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -138,18 +152,46 @@ dependencies:
         version: '0'
 - !ruby/object:Gem::Dependency
   name: fog
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.20.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.20.0
+- !ruby/object:Gem::Dependency
+  name: unf
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.3.1
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.3.1
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: net-ssh
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.9.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.9.0
 - !ruby/object:Gem::Dependency
   name: mini_magick
   requirement: !ruby/object:Gem::Requirement
@@ -264,6 +306,8 @@ files:
 - lib/carrierwave/uploader/cache.rb
 - lib/carrierwave/uploader/callbacks.rb
 - lib/carrierwave/uploader/configuration.rb
+- lib/carrierwave/uploader/content_type_blacklist.rb
+- lib/carrierwave/uploader/content_type_whitelist.rb
 - lib/carrierwave/uploader/default_url.rb
 - lib/carrierwave/uploader/download.rb
 - lib/carrierwave/uploader/extension_blacklist.rb
@@ -304,7 +348,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: carrierwave
-rubygems_version: 2.2.0
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 3
 summary: Ruby file upload library