carrierwave 1.2.1 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 7a985080c1432e2d6d27cbe46b823f4ca5bdbc75
-  data.tar.gz: e3e60a7159815499f0559f9574480633e73d68ed
+SHA256:
+  metadata.gz: 84145959d912145a2915ab7adb9ccbd6bf7a971ab00cef83fb7f5092c349c9c5
+  data.tar.gz: 9ba122388fb8ff36563001ea9144e4a1d523b7be78433fed2a971a82588de5c8
 SHA512:
-  metadata.gz: 9e027080e1e7fcc86a2f6e0b74cb0d4db2d1f955b733c9bf47354fb74da0707c0017a9305fdc6f090825a7203b319f25bcd61ecc2fa84f123da19a9b9d784d6c
-  data.tar.gz: 2c8d16ca3353952282e9ffb97d37d44477c5a22f4744f99a84d0fde7bc0ee9d6b456698aa386d0664e8b734f9b8edf155a8034b15efb5b60831579a610d09b67
+  metadata.gz: 70f718887e9f4223405d8f273cafaf429395725eead688918d454499a50063fdc748cc519440d2010f783cfa1ec3ba19f54b5e07dc644d195cbe6d59f1c5b6b2
+  data.tar.gz: 50907c92735e096c691a1ee7d440a2b83de736de3016b78c11796d0c558c283774236e5acf18abb552212816a38905986a6ec3ad0d956736f88c79ae99cd9aa6

data/README.md

@@ -4,8 +4,8 @@ This gem provides a simple and extremely flexible way to upload files from Ruby
 It works well with Rack based web applications, such as Ruby on Rails.
 
 [![Build Status](https://travis-ci.org/carrierwaveuploader/carrierwave.svg?branch=master)](http://travis-ci.org/carrierwaveuploader/carrierwave)
-[![Code Climate](http://img.shields.io/codeclimate/github/carrierwaveuploader/carrierwave.svg)](https://codeclimate.com/github/carrierwaveuploader/carrierwave)
-[![git.legal](https://git.legal/projects/1363/badge.svg "Number of libraries approved")](https://git.legal/projects/1363)
+[![Code Climate](https://codeclimate.com/github/carrierwaveuploader/carrierwave.svg)](https://codeclimate.com/github/carrierwaveuploader/carrierwave)
+[![SemVer](https://api.dependabot.com/badges/compatibility_score?dependency-name=carrierwave&package-manager=bundler&version-scheme=semver)](https://dependabot.com/compatibility-score.html?dependency-name=carrierwave&package-manager=bundler&version-scheme=semver)
 
 
 ## Information
@@ -24,19 +24,19 @@ It works well with Rack based web applications, such as Ruby on Rails.
 Install the latest release:
 
 ```
-$ gem install carrierwave -v "1.0.0"
+$ gem install carrierwave
 ```
 
 In Rails, add it to your Gemfile:
 
 ```ruby
-gem 'carrierwave', '~> 1.0'
+gem 'carrierwave', '~> 2.0'
 ```
 
 Finally, restart the server to apply the changes.
 
-As of version 1.0, CarrierWave requires Rails 4.0 or higher and Ruby 2.0
-or higher. If you're on Rails 3, you should use v0.11.0.
+As of version 2.0, CarrierWave requires Rails 5.0 or higher and Ruby 2.2
+or higher. If you're on Rails 4, you should use 1.x.
 
 ## Getting Started
 
@@ -89,7 +89,7 @@ a migration:
 
 
 	rails g migration add_avatar_to_users avatar:string
-	rake db:migrate
+	rails db:migrate
 
 Open your model file and mount the uploader:
 
@@ -144,12 +144,12 @@ example, create a migration like this:
 #### For databases with ActiveRecord json data type support (e.g. PostgreSQL, MySQL)
 
 	rails g migration add_avatars_to_users avatars:json
-	rake db:migrate
+	rails db:migrate
 
 #### For database without ActiveRecord json data type support (e.g. SQLite)
 
 	rails g migration add_avatars_to_users avatars:string
-	rake db:migrate
+	rails db:migrate
 
 __Note__: JSON datatype doesn't exists in SQLite adapter, that's why you can use a string datatype which will be serialized in model.
 
@@ -163,6 +163,9 @@ class User < ActiveRecord::Base
 end
 ```
 
+Make sure that you mount the uploader with write (mount_uploaders) with `s` not (mount_uploader)
+in order to avoid errors when uploading multiple files
+
 Make sure your file input fields are set up as multiple file fields. For
 example in Rails you'll want to do something like this:
 
@@ -187,6 +190,17 @@ u.avatars[0].current_path # => 'path/to/file.png'
 u.avatars[0].identifier # => 'file.png'
 ```
 
+If you want to preserve existing files on uploading new one, you can go like:
+
+```erb
+<% user.avatars.each do |avatar| %>
+  <%= hidden_field :user, :avatars, multiple: true, value: avatar.identifier %>
+<% end %>
+<%= form.file_field :avatars, multiple: true %>
+```
+
+Sorting avatars is supported as well by reordering `hidden_field`, an example using jQuery UI Sortable is available [here](https://github.com/carrierwaveuploader/carrierwave/wiki/How-to%3A-Add%2C-remove-and-reorder-images-using-multiple-file-upload).
+
 ## Changing the storage directory
 
 In order to change where uploaded files are put, just override the `store_dir`
@@ -252,6 +266,22 @@ class NoJsonUploader < CarrierWave::Uploader::Base
 end
 ```
 
+### CVE-2016-3714 (ImageTragick)
+This version of CarrierWave has the ability to mitigate CVE-2016-3714. However, you **MUST** set a content_type_whitelist in your uploaders for this protection to be effective, and you **MUST** either disable ImageMagick's default SVG delegate or use the RSVG delegate for SVG processing.
+
+
+A valid whitelist that will restrict your uploader to images only, and mitigate the CVE is:
+
+```ruby
+class MyUploader < CarrierWave::Uploader::Base
+  def content_type_whitelist
+    [/image\//]
+  end
+end
+```
+
+**WARNING**: A `content_type_whitelist` is the only form of whitelist or blacklist supported by CarrierWave that can effectively mitigate against CVE-2016-3714. Use of `extension_whitelist` will not inspect the file headers, and thus still leaves your application open to the vulnerability.
+
 ### Filenames and unicode chars
 
 Another security issue you should care for is the file names (see
@@ -277,7 +307,7 @@ You no longer need to do this manually.
 
 Often you'll want to add different versions of the same file. The classic example is image thumbnails. There is built in support for this*:
 
-*Note:* You must have Imagemagick and MiniMagick installed to do image resizing. MiniMagick is a Ruby interface for Imagemagick which is a C program. This is why MiniMagick fails on 'bundle install' without Imagemagick installed.
+*Note:* You must have Imagemagick installed to do image resizing.
 
 Some documentation refers to RMagick instead of MiniMagick but MiniMagick is recommended.
 
@@ -301,8 +331,14 @@ end
 ```
 
 When this uploader is used, an uploaded image would be scaled to be no larger
-than 800 by 800 pixels. A version called thumb is then created, which is scaled
-and cropped to exactly 200 by 200 pixels. The uploader could be used like this:
+than 800 by 800 pixels. The original aspect ratio will be kept.
+
+A version called `:thumb` is then created, which is scaled
+to exactly 200 by 200 pixels. The thumbnail uses `resize_to_fill` which makes sure
+that the width and height specified are filled, only cropping
+if the aspect ratio requires it.
+
+The above uploader could be used like this:
 
 ```ruby
 uploader = AvatarUploader.new
@@ -315,6 +351,18 @@ uploader.thumb.url # => '/url/to/thumb_my_file.png'   # size: 200x200
 One important thing to remember is that process is called *before* versions are
 created. This can cut down on processing cost.
 
+### Processing Methods: mini_magick
+
+- `convert` - Changes the image encoding format to the given format, eg. jpg
+- `resize_to_limit` - Resize the image to fit within the specified dimensions while retaining the original aspect ratio. Will only resize the image if it is larger than the specified dimensions. The resulting image may be shorter or narrower than specified in the smaller dimension but will not be larger than the specified values.
+- `resize_to_fit` - Resize the image to fit within the specified dimensions while retaining the original aspect ratio. The image may be shorter or narrower than specified in the smaller dimension but will not be larger than the specified values.
+- `resize_to_fill` - Resize the image to fit within the specified dimensions while retaining the aspect ratio of the original image. If necessary, crop the image in the larger dimension. Optionally, a "gravity" may be specified, for example "Center", or "NorthEast".
+- `resize_and_pad` - Resize the image to fit within the specified dimensions while retaining the original aspect ratio. If necessary, will pad the remaining area with the given color, which defaults to transparent (for gif and png, white for jpeg). Optionally, a "gravity" may be specified, as above.
+
+See `carrierwave/processing/mini_magick.rb` for details.
+
+### Nested versions
+
 It is possible to nest versions within versions:
 
 ```ruby
@@ -351,7 +399,7 @@ private
   end
 
   def is_landscape? picture
-    image = MiniMagick::Image.open(picture.path)
+    image = MiniMagick::Image.new(picture.path)
     image[:width] > image[:height]
   end
 
@@ -625,6 +673,8 @@ describe MyUploader do
 end
 ```
 
+If you're looking for minitest asserts, checkout [carrierwave_asserts](https://github.com/hcfairbanks/carrierwave_asserts).
+
 Setting the enable_processing flag on an uploader will prevent any of the versions from processing as well.
 Processing can be enabled for a single version by setting the processing flag on the version like so:
 
@@ -638,7 +688,6 @@ If you want to use fog you must add in your CarrierWave initializer the
 following lines
 
 ```ruby
-config.fog_provider = 'fog' # 'fog/aws' etc. Defaults to 'fog'
 config.fog_credentials = { ... } # Provider specific credentials
 ```
 
@@ -656,18 +705,18 @@ You can also pass in additional options, as documented fully in lib/carrierwave/
 
 ```ruby
 CarrierWave.configure do |config|
-  config.fog_provider = 'fog/aws'                        # required
   config.fog_credentials = {
     provider:              'AWS',                        # required
-    aws_access_key_id:     'xxx',                        # required
-    aws_secret_access_key: 'yyy',                        # required
+    aws_access_key_id:     'xxx',                        # required unless using use_iam_profile
+    aws_secret_access_key: 'yyy',                        # required unless using use_iam_profile
+    use_iam_profile:       true,                         # optional, defaults to false
     region:                'eu-west-1',                  # optional, defaults to 'us-east-1'
     host:                  's3.example.com',             # optional, defaults to nil
     endpoint:              'https://s3.example.com:8080' # optional, defaults to nil
   }
-  config.fog_directory  = 'name_of_directory'                          # required
-  config.fog_public     = false                                        # optional, defaults to true
-  config.fog_attributes = { cache_control: "public, max-age=#{365.day.to_i}" } # optional, defaults to {}
+  config.fog_directory  = 'name_of_bucket'                                      # required
+  config.fog_public     = false                                                 # optional, defaults to true
+  config.fog_attributes = { cache_control: "public, max-age=#{365.days.to_i}" } # optional, defaults to {}
 end
 ```
 
@@ -681,6 +730,14 @@ end
 
 That's it! You can still use the `CarrierWave::Uploader#url` method to return the url to the file on Amazon S3.
 
+**Note**: for Carrierwave to work properly it needs credentials with the following permissions:
+
+* `s3:ListBucket`
+* `s3:PutObject`
+* `s3:GetObject`
+* `s3:DeleteObject`
+* `s3:PutObjectAcl`
+
 ## Using Rackspace Cloud Files
 
 [Fog](http://github.com/fog/fog) is used to support Rackspace Cloud Files. Ensure you have it in your Gemfile:
@@ -696,7 +753,6 @@ Using a US-based account:
 
 ```ruby
 CarrierWave.configure do |config|
-  config.fog_provider = "fog/rackspace/storage"   # optional, defaults to "fog"
   config.fog_credentials = {
     provider:           'Rackspace',
     rackspace_username: 'xxxxxx',
@@ -711,7 +767,6 @@ Using a UK-based account:
 
 ```ruby
 CarrierWave.configure do |config|
-  config.fog_provider = "fog/rackspace/storage"   # optional, defaults to "fog"
   config.fog_credentials = {
     provider:           'Rackspace',
     rackspace_username: 'xxxxxx',
@@ -760,7 +815,6 @@ Please read the [fog-google README](https://github.com/fog/fog-google/blob/maste
 
 ```ruby
 CarrierWave.configure do |config|
-  config.fog_provider = 'fog/google'                        # required
   config.fog_credentials = {
     provider:                         'Google',
     google_storage_access_key_id:     'xxxxxx',
@@ -857,8 +911,8 @@ manipulation methods.
 
 ## Using MiniMagick
 
-MiniMagick is similar to RMagick but performs all the operations using the 'mogrify'
-command which is part of the standard ImageMagick kit. This allows you to have the power
+MiniMagick is similar to RMagick but performs all the operations using the 'convert'
+CLI which is part of the standard ImageMagick kit. This allows you to have the power
 of ImageMagick without having to worry about installing all the RMagick libraries.
 
 See the MiniMagick site for more details:
@@ -912,7 +966,7 @@ errors:
     carrierwave_download_error: could not be downloaded
     extension_whitelist_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
     extension_blacklist_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
-    content_type_whitelist_error: "You are not allowed to upload %{content_type} files"
+    content_type_whitelist_error: "You are not allowed to upload %{content_type} files, allowed types: %{allowed_types}"
     content_type_blacklist_error: "You are not allowed to upload %{content_type} files"
     rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image?"
     mini_magick_processing_error: "Failed to manipulate with MiniMagick, maybe it is not an image? Original Error: %{e}"

data/lib/carrierwave/downloader/base.rb

@@ -0,0 +1,83 @@
+require 'open-uri'
+require 'ssrf_filter'
+require 'addressable'
+require 'carrierwave/downloader/remote_file'
+
+module CarrierWave
+  module Downloader
+    class Base
+      attr_reader :uploader
+
+      def initialize(uploader)
+        @uploader = uploader
+      end
+
+      ##
+      # Downloads a file from given URL and returns a RemoteFile.
+      #
+      # === Parameters
+      #
+      # [url (String)] The URL where the remote file is stored
+      # [remote_headers (Hash)] Request headers
+      #
+      def download(url, remote_headers = {})
+        headers = remote_headers.
+          reverse_merge('User-Agent' => "CarrierWave/#{CarrierWave::VERSION}")
+        uri = process_uri(url.to_s)
+        begin
+          if skip_ssrf_protection?(uri)
+            response = OpenURI.open_uri(process_uri(url.to_s), headers)
+          else
+            request = nil
+            response = SsrfFilter.get(uri, headers: headers) do |req|
+              request = req
+            end
+            response.uri = request.uri
+            response.value
+          end
+        rescue StandardError => e
+          raise CarrierWave::DownloadError, "could not download file: #{e.message}"
+        end
+        CarrierWave::Downloader::RemoteFile.new(response)
+      end
+
+      ##
+      # Processes the given URL by parsing and escaping it. Public to allow overriding.
+      #
+      # === Parameters
+      #
+      # [url (String)] The URL where the remote file is stored
+      #
+      def process_uri(uri)
+        uri_parts = uri.split('?')
+        encoded_uri = Addressable::URI.parse(uri_parts.shift).normalize.to_s
+        encoded_uri << '?' << Addressable::URI.encode(uri_parts.join('?')).gsub('%5B', '[').gsub('%5D', ']') if uri_parts.any?
+        URI.parse(encoded_uri)
+      rescue URI::InvalidURIError, Addressable::URI::InvalidURIError
+        raise CarrierWave::DownloadError, "couldn't parse URL: #{uri}"
+      end
+
+      ##
+      # If this returns true, SSRF protection will be bypassed.
+      # You can override this if you want to allow accessing specific local URIs that are not SSRF exploitable.
+      #
+      # === Parameters
+      #
+      # [uri (URI)] The URI where the remote file is stored
+      #
+      # === Examples
+      #
+      #     class CarrierWave::Downloader::CustomDownloader < CarrierWave::Downloader::Base
+      #       def skip_ssrf_protection?(uri)
+      #         uri.hostname == 'localhost' && uri.port == 80
+      #       end
+      #     end
+      #
+      #     my_uploader.downloader = CarrierWave::Downloader::CustomDownloader
+      #
+      def skip_ssrf_protection?(uri)
+        false
+      end
+    end
+  end
+end

data/lib/carrierwave/downloader/remote_file.rb

@@ -0,0 +1,65 @@
+module CarrierWave
+  module Downloader
+    class RemoteFile
+      attr_reader :file, :uri
+
+      def initialize(file)
+        case file
+        when String
+          @file = StringIO.new(file)
+        when Net::HTTPResponse
+          @file = StringIO.new(file.body)
+          @content_type = file.content_type
+          @headers = file
+          @uri = file.uri
+        else
+          @file = file
+          @content_type = file.content_type
+          @headers = file.meta
+          @uri = file.base_uri
+        end
+      end
+
+      def content_type
+        @content_type || 'application/octet-stream'
+      end
+
+      def headers
+        @headers || {}
+      end
+
+      def original_filename
+        filename = filename_from_header || filename_from_uri
+        mime_type = MiniMime.lookup_by_content_type(content_type)
+        unless File.extname(filename).present? || mime_type.blank?
+          filename = "#{filename}.#{mime_type.extension}"
+        end
+        filename
+      end
+
+      def respond_to?(*args)
+        super || file.respond_to?(*args)
+      end
+
+      private
+
+      def filename_from_header
+        return nil unless headers['content-disposition']
+
+        match = headers['content-disposition'].match(/filename=(?:"([^"]+)"|([^";]+))/)
+        return nil unless match
+
+        match[1].presence || match[2].presence
+      end
+
+      def filename_from_uri
+        CGI.unescape(File.basename(uri.path))
+      end
+
+      def method_missing(*args, &block)
+        file.send(*args, &block)
+      end
+    end
+  end
+end
+

data/lib/carrierwave/locale/en.yml

@@ -6,7 +6,7 @@ en:
       carrierwave_download_error: could not be downloaded
       extension_whitelist_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
       extension_blacklist_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
-      content_type_whitelist_error: "You are not allowed to upload %{content_type} files"
+      content_type_whitelist_error: "You are not allowed to upload %{content_type} files, allowed types: %{allowed_types}"
       content_type_blacklist_error: "You are not allowed to upload %{content_type} files"
       rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image?"
       mini_magick_processing_error: "Failed to manipulate with MiniMagick, maybe it is not an image? Original Error: %{e}"

data/lib/carrierwave/mount.rb

@@ -174,17 +174,26 @@ module CarrierWave
           return if frozen?
           mounter = _mounter(:#{column})
 
-          if mounter.remove?
-            write_uploader(mounter.serialization_column, nil)
-          elsif mounter.identifiers.first
-            write_uploader(mounter.serialization_column, mounter.identifiers.first)
-          end
+          mounter.clear! if mounter.remove?
+          write_uploader(mounter.serialization_column, mounter.identifiers.first)
         end
 
         def #{column}_identifier
           _mounter(:#{column}).read_identifiers[0]
         end
 
+        def #{column}_integrity_error
+          #{column}_integrity_errors.last
+        end
+
+        def #{column}_processing_error
+          #{column}_processing_errors.last
+        end
+
+        def #{column}_download_error
+          #{column}_download_errors.last
+        end
+
         def store_previous_changes_for_#{column}
           attribute_changes = ::ActiveRecord.version.to_s.to_f >= 5.1 ? saved_changes : changes
           @_previous_changes_for_#{column} = attribute_changes[_mounter(:#{column}).serialization_column]
@@ -240,9 +249,9 @@ module CarrierWave
     # [store_images!]           Stores all files that have been assigned with +images=+
     # [remove_images!]          Removes the uploaded file from the filesystem.
     #
-    # [images_integrity_error]  Returns an error object if the last files to be assigned caused an integrity error
-    # [images_processing_error] Returns an error object if the last files to be assigned caused a processing error
-    # [images_download_error]   Returns an error object if the last files to be remotely assigned caused a download error
+    # [image_integrity_errors]   Returns error objects of files which failed to pass integrity check
+    # [image_processing_errors]  Returns error objects of files which failed to be processed
+    # [image_download_errors]    Returns error objects of files which failed to be downloaded
     #
     # [image_identifiers]       Reads out the identifiers of the files
     #
@@ -329,11 +338,8 @@ module CarrierWave
           return if frozen?
           mounter = _mounter(:#{column})
 
-          if mounter.remove?
-            write_uploader(mounter.serialization_column, nil)
-          elsif mounter.identifiers.any?
-            write_uploader(mounter.serialization_column, mounter.identifiers)
-          end
+          mounter.clear! if mounter.remove?
+          write_uploader(mounter.serialization_column, mounter.identifiers.presence)
         end
 
         def #{column}_identifiers
@@ -395,16 +401,16 @@ module CarrierWave
           _mounter(:#{column}).store!
         end
 
-        def #{column}_integrity_error
-          _mounter(:#{column}).integrity_error
+        def #{column}_integrity_errors
+          _mounter(:#{column}).integrity_errors
         end
 
-        def #{column}_processing_error
-          _mounter(:#{column}).processing_error
+        def #{column}_processing_errors
+          _mounter(:#{column}).processing_errors
         end
 
-        def #{column}_download_error
-          _mounter(:#{column}).download_error
+        def #{column}_download_errors
+          _mounter(:#{column}).download_errors
         end
 
         def mark_remove_#{column}_false