carrierwave 0.11.0 → 0.11.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 815b971ebb21afd416f1de7f2d5d35a67c7231bf
-  data.tar.gz: 59b36c18c02eefb0f81438b54200c5f857759589
+  metadata.gz: 8c1689fd908e56b671c45e5cb1eebe3ec938a4df
+  data.tar.gz: 89668d77484c786139f513dc1b82c82879da4e11
 SHA512:
-  metadata.gz: 40f40f2cdd4e0657843260e6830e39e87465fd3b9e881e2dc3f1298479272cb0accbf7a9d4262f1c8df5d7573de4e7c49776b484ec7ad84fa7ad01462455676f
-  data.tar.gz: b967fe877468cb9c26bc7fdc7c861f37692ceaf2293457c3e4fe7f9faf773abda94243dceef9ef38c4fdad979853ecac47b22df0b36ae945af0dfb830bbdeed9
+  metadata.gz: a03780cb6e64ad439c1f12378be2f4392617dbbe9f83329eccc6bc05064385e0e95a4b4609e32d922a0ce6d5543bbc795eb4abb8e429d5e366040fdfa3c82bfd
+  data.tar.gz: ee26ab882ed995b677c38e6064843101633a07166cf2dda0e522bf1b13eb7a30a373312d67b786bc86365fd3ef4cb974f8f57a564dafbf9eafaf1c60b7e3e3e8

data/README.md

@@ -161,6 +161,22 @@ class MyUploader < CarrierWave::Uploader::Base
 end
 ```
 
+### CVE-2016-3714 (ImageTragick)
+This version of CarrierWave has the ability to mitigate CVE-2016-3714. However, you **MUST** set a `content_type_whitelist` in your uploaders for this protection to be effective, and you **MUST** either disable ImageMagick's default SVG delegate or use the RSVG delegate for SVG processing.
+
+A valid whitelist that will restrict your uploader to images only, and mitigate the CVE is:
+
+```ruby
+class MyUploader < CarrierWave::Uploader::Base
+  def content_type_whitelist
+    [/image\//]
+  end
+end
+```
+
+**WARNING**: A `content_type_whitelist` is the only form of whitelist or blacklist supported by CarrierWave that can effectively mitigate against CVE-2016-3714. Use of `extension_type_whitelist` will not inspect the file headers, and thus still leaves your application open to the vulnerability.
+
+
 ### Filenames and unicode chars
 
 Another security issue you should care for is the file names (see

data/lib/carrierwave/sanitized_file.rb

@@ -3,6 +3,7 @@
 require 'pathname'
 require 'active_support/core_ext/string/multibyte'
 require 'mime/types'
+require 'mimemagic'
 
 module CarrierWave
 
@@ -244,12 +245,10 @@ module CarrierWave
     # [String] the content type of the file
     #
     def content_type
-      return @content_type if @content_type
-      if @file.respond_to?(:content_type) and @file.content_type
-        @content_type = @file.content_type.to_s.chomp
-      elsif path
-        @content_type = ::MIME::Types.type_for(path).first.to_s
-      end
+      @content_type ||=
+        existing_content_type ||
+        mime_magic_content_type ||
+        mime_types_content_type
     end
 
     ##
@@ -309,6 +308,22 @@ module CarrierWave
       return name.mb_chars.to_s
     end
 
+    def existing_content_type
+      if @file.respond_to?(:content_type) && @file.content_type
+        @file.content_type.to_s.chomp
+      end
+    end
+
+    def mime_magic_content_type
+      MimeMagic.by_magic(File.open(path)).try(:type) if path
+    rescue Errno::ENOENT
+      nil
+    end
+
+    def mime_types_content_type
+      ::MIME::Types.type_for(path).first.to_s if path
+    end
+
     def split_extension(filename)
       # regular expressions to try for identifying extensions
       extension_matchers = [

data/lib/carrierwave/storage/fog.rb

@@ -1,7 +1,5 @@
 # encoding: utf-8
 
-require "fog"
-
 module CarrierWave
   module Storage
 

data/lib/carrierwave/storage.rb

@@ -1,9 +1,11 @@
 require "carrierwave/storage/abstract"
 require "carrierwave/storage/file"
 
-begin
-  require "fog"
-rescue LoadError
+%w(aws google openstack rackspace).each do |fog_dependency|
+  begin
+    require "fog/#{fog_dependency}"
+  rescue LoadError
+  end
 end
 
 require "carrierwave/storage/fog" if defined?(Fog)

data/lib/carrierwave/uploader/content_type_blacklist.rb

@@ -0,0 +1,48 @@
+module CarrierWave
+  module Uploader
+    module ContentTypeBlacklist
+      extend ActiveSupport::Concern
+
+      included do
+        before :cache, :check_content_type_blacklist!
+      end
+
+      ##
+      # Override this method in your uploader to provide a blacklist of files content types
+      # which are not allowed to be uploaded.
+      # Not only strings but Regexp are allowed as well.
+      #
+      # === Returns
+      #
+      # [NilClass, String, Regexp, Array[String, Regexp]] a blacklist of content types which are not allowed to be uploaded
+      #
+      # === Examples
+      #
+      #     def content_type_blacklist
+      #       %w(text/json application/json)
+      #     end
+      #
+      # Basically the same, but using a Regexp:
+      #
+      #     def content_type_blacklist
+      #       [/(text|application)\/json/]
+      #     end
+      #
+      def content_type_blacklist; end
+
+    private
+
+      def check_content_type_blacklist!(new_file)
+        content_type = new_file.content_type
+        if content_type_blacklist && blacklisted_content_type?(content_type)
+          raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.content_type_blacklist_error", content_type: content_type)
+        end
+      end
+
+      def blacklisted_content_type?(content_type)
+        Array(content_type_blacklist).any? { |item| content_type =~ /#{item}/ }
+      end
+
+    end # ContentTypeBlacklist
+  end # Uploader
+end # CarrierWave

data/lib/carrierwave/uploader/content_type_whitelist.rb

@@ -0,0 +1,48 @@
+module CarrierWave
+  module Uploader
+    module ContentTypeWhitelist
+      extend ActiveSupport::Concern
+
+      included do
+        before :cache, :check_content_type_whitelist!
+      end
+
+      ##
+      # Override this method in your uploader to provide a whitelist of files content types
+      # which are allowed to be uploaded.
+      # Not only strings but Regexp are allowed as well.
+      #
+      # === Returns
+      #
+      # [NilClass, String, Regexp, Array[String, Regexp]] a whitelist of content types which are allowed to be uploaded
+      #
+      # === Examples
+      #
+      #     def content_type_whitelist
+      #       %w(text/json application/json)
+      #     end
+      #
+      # Basically the same, but using a Regexp:
+      #
+      #     def content_type_whitelist
+      #       [/(text|application)\/json/]
+      #     end
+      #
+      def content_type_whitelist; end
+
+    private
+
+      def check_content_type_whitelist!(new_file)
+        content_type = new_file.content_type
+        if content_type_whitelist && !whitelisted_content_type?(content_type)
+          raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.content_type_whitelist_error", content_type: content_type)
+        end
+      end
+
+      def whitelisted_content_type?(content_type)
+        Array(content_type_whitelist).any? { |item| content_type =~ /#{item}/ }
+      end
+
+    end # ContentTypeWhitelist
+  end # Uploader
+end # CarrierWave

data/lib/carrierwave/uploader.rb

@@ -11,6 +11,8 @@ require "carrierwave/uploader/download"
 require "carrierwave/uploader/remove"
 require "carrierwave/uploader/extension_whitelist"
 require "carrierwave/uploader/extension_blacklist"
+require "carrierwave/uploader/content_type_whitelist"
+require "carrierwave/uploader/content_type_blacklist"
 require "carrierwave/uploader/processing"
 require "carrierwave/uploader/versions"
 require "carrierwave/uploader/default_url"
@@ -53,6 +55,8 @@ module CarrierWave
       include CarrierWave::Uploader::Remove
       include CarrierWave::Uploader::ExtensionWhitelist
       include CarrierWave::Uploader::ExtensionBlacklist
+      include CarrierWave::Uploader::ContentTypeWhitelist
+      include CarrierWave::Uploader::ContentTypeBlacklist
       include CarrierWave::Uploader::Processing
       include CarrierWave::Uploader::Versions
       include CarrierWave::Uploader::DefaultUrl

data/lib/carrierwave/version.rb

@@ -1,3 +1,3 @@
 module CarrierWave
-  VERSION = "0.11.0"
+  VERSION = "0.11.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: carrierwave
 version: !ruby/object:Gem::Version
-  version: 0.11.0
+  version: 0.11.2
 platform: ruby
 authors:
 - Jonas Nicklas
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-03-29 00:00:00.000000000 Z
+date: 2016-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -66,6 +66,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: mimemagic
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.0
 - !ruby/object:Gem::Dependency
   name: pg
   requirement: !ruby/object:Gem::Requirement
@@ -292,6 +306,8 @@ files:
 - lib/carrierwave/uploader/cache.rb
 - lib/carrierwave/uploader/callbacks.rb
 - lib/carrierwave/uploader/configuration.rb
+- lib/carrierwave/uploader/content_type_blacklist.rb
+- lib/carrierwave/uploader/content_type_whitelist.rb
 - lib/carrierwave/uploader/default_url.rb
 - lib/carrierwave/uploader/download.rb
 - lib/carrierwave/uploader/extension_blacklist.rb
@@ -332,7 +348,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: carrierwave
-rubygems_version: 2.4.3
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 3
 summary: Ruby file upload library