carrierwave 1.2.3 → 1.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: e37b68386a3a7becb2363f72f3ce38e8b9049a9a
-  data.tar.gz: 5391ed9991a220136287ad472d243c0ee5164492
+SHA256:
+  metadata.gz: d5e6d1dd656203f5e14c43b75b807e793d623126006ddf8c5a4f9f4706faa750
+  data.tar.gz: 82281b939837f54716f580a1deb6397d87cc9bb867dc6a6938a4322d795500b1
 SHA512:
-  metadata.gz: 2cfc444237e06625db981b6a502847d9a64bd52dc7a7fd4a5189ffc878914fdf7f252d504b54b49d13cb63b2c7d90afdbabaee3b6fb482a3c8bcec49546a51da
-  data.tar.gz: 637ee1e7a31c735ff3b9fd7035e7cc897e8acfc610eadeb8c96de778c9b8c64d4a9bcb2e80fe1ed63454e35a029a8ea8224eb3022a748f8a8caa134b9f2048c3
+  metadata.gz: 8eca3a53204f520d0cabf6e2384e6670cb634159e4b6c1e8d3915b6bab8473f21fb116047129b142a986588ea27401131d095186657770d7c31b03d6c929a1c9
+  data.tar.gz: 316797cffad6d2568e50929862cd80ba3e56c05d557f70f8631b66fc60ffd65fe5862afe4121a1e5e775e55a5f6c9a6c14414bce6a57deab2d12a8a127ed5b0d

data/README.md

@@ -89,7 +89,7 @@ a migration:
 
 
 	rails g migration add_avatar_to_users avatar:string
-	rake db:migrate
+	rails db:migrate
 
 Open your model file and mount the uploader:
 
@@ -144,12 +144,12 @@ example, create a migration like this:
 #### For databases with ActiveRecord json data type support (e.g. PostgreSQL, MySQL)
 
 	rails g migration add_avatars_to_users avatars:json
-	rake db:migrate
+	rails db:migrate
 
 #### For database without ActiveRecord json data type support (e.g. SQLite)
 
 	rails g migration add_avatars_to_users avatars:string
-	rake db:migrate
+	rails db:migrate
 
 __Note__: JSON datatype doesn't exists in SQLite adapter, that's why you can use a string datatype which will be serialized in model.
 
@@ -163,6 +163,9 @@ class User < ActiveRecord::Base
 end
 ```
 
+Make sure that you mount the uploader with write (mount_uploaders) with `s` not (mount_uploader)
+in order to avoid errors when uploading multiple files
+
 Make sure your file input fields are set up as multiple file fields. For
 example in Rails you'll want to do something like this:
 
@@ -923,7 +926,7 @@ errors:
     carrierwave_download_error: could not be downloaded
     extension_whitelist_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
     extension_blacklist_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
-    content_type_whitelist_error: "You are not allowed to upload %{content_type} files"
+    content_type_whitelist_error: "You are not allowed to upload %{content_type} files, allowed types: %{allowed_types}"
     content_type_blacklist_error: "You are not allowed to upload %{content_type} files"
     rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image?"
     mini_magick_processing_error: "Failed to manipulate with MiniMagick, maybe it is not an image? Original Error: %{e}"

data/lib/carrierwave/locale/en.yml

@@ -6,7 +6,7 @@ en:
       carrierwave_download_error: could not be downloaded
       extension_whitelist_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
       extension_blacklist_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
-      content_type_whitelist_error: "You are not allowed to upload %{content_type} files"
+      content_type_whitelist_error: "You are not allowed to upload %{content_type} files, allowed types: %{allowed_types}"
       content_type_blacklist_error: "You are not allowed to upload %{content_type} files"
       rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image?"
       mini_magick_processing_error: "Failed to manipulate with MiniMagick, maybe it is not an image? Original Error: %{e}"

data/lib/carrierwave/processing/mini_magick.rb

@@ -341,11 +341,7 @@ module CarrierWave
       end
 
       def mini_magick_image
-        if url
-          ::MiniMagick::Image.open(url)
-        else
-          ::MiniMagick::Image.open(current_path)
-        end
+        ::MiniMagick::Image.read(read)
       end
 
   end # MiniMagick

data/lib/carrierwave/processing/rmagick.rb

@@ -378,9 +378,15 @@ module CarrierWave
 
     def create_info_block(options)
       return nil unless options
-      assignments = options.map { |k, v| "self.#{k} = #{v}" }
-      code = "lambda { |img| " + assignments.join(";") + "}"
-      eval code
+      proc do |img|
+        options.each do |k, v|
+          if v.is_a?(String) && (matches = v.match(/^["'](.+)["']/))
+            ActiveSupport::Deprecation.warn "Passing quoted strings like #{v} to #manipulate! is deprecated, pass them without quoting."
+            v = matches[1]
+          end
+          img.public_send(:"#{k}=", v)
+        end
+      end
     end
 
     def destroy_image(image)

data/lib/carrierwave/sanitized_file.rb

@@ -114,12 +114,11 @@ module CarrierWave
     # [String, nil] the path where the file is located.
     #
     def path
-      unless @file.blank?
-        if is_path?
-          File.expand_path(@file)
-        elsif @file.respond_to?(:path) and not @file.path.blank?
-          File.expand_path(@file.path)
-        end
+      return if @file.blank?
+      if is_path?
+        File.expand_path(@file)
+      elsif @file.respond_to?(:path) && !@file.path.blank?
+        File.expand_path(@file.path)
       end
     end
 
@@ -313,7 +312,7 @@ module CarrierWave
     def mkdir!(path, directory_permissions)
       options = {}
       options[:mode] = directory_permissions if directory_permissions
-      FileUtils.mkdir_p(File.dirname(path), options) unless File.exist?(File.dirname(path))
+      FileUtils.mkdir_p(File.dirname(path), **options) unless File.exist?(File.dirname(path))
     end
 
     def chmod!(path, permissions)

data/lib/carrierwave/storage/file.rb

@@ -66,7 +66,7 @@ module CarrierWave
       #
       def cache!(new_file)
         new_file.move_to(::File.expand_path(uploader.cache_path, uploader.root), uploader.permissions, uploader.directory_permissions, true)
-      rescue Errno::EMLINK => e
+      rescue Errno::EMLINK, Errno::ENOSPC => e
         raise(e) if @cache_called
         @cache_called = true
 

data/lib/carrierwave/storage/fog.rb

@@ -177,7 +177,7 @@ module CarrierWave
 
         ##
         # Return a temporary authenticated url to a private file, if available
-        # Only supported for AWS, Rackspace and Google providers
+        # Only supported for AWS, Rackspace, Google and AzureRM providers
         #
         # === Returns
         #
@@ -186,18 +186,22 @@ module CarrierWave
         # [NilClass] no authenticated url available
         #
         def authenticated_url(options = {})
-          if ['AWS', 'Google', 'Rackspace', 'OpenStack'].include?(@uploader.fog_credentials[:provider])
+          if ['AWS', 'Google', 'Rackspace', 'OpenStack', 'AzureRM'].include?(@uploader.fog_credentials[:provider])
             # avoid a get by using local references
             local_directory = connection.directories.new(:key => @uploader.fog_directory)
             local_file = local_directory.files.new(:key => path)
             expire_at = ::Fog::Time.now + @uploader.fog_authenticated_url_expiration
             case @uploader.fog_credentials[:provider]
-              when 'AWS'
-                local_file.url(expire_at, options)
-              when 'Rackspace'
+              when 'AWS', 'Google'
+                # Older versions of fog-google do not support options as a parameter
+                if url_options_supported?(local_file)
+                  local_file.url(expire_at, options)
+                else
+                  warn "Options hash not supported in #{local_file.class}. You may need to upgrade your Fog provider."
+                  local_file.url(expire_at)
+                end
+              when 'Rackspace', 'OpenStack'
                 connection.get_object_https_url(@uploader.fog_directory, path, expire_at, options)
-              when 'OpenStack'
-                connection.get_object_https_url(@uploader.fog_directory, path, expire_at)
               else
                 local_file.url(expire_at)
             end
@@ -352,15 +356,19 @@ module CarrierWave
             end
           else
             # AWS/Google optimized for speed over correctness
-            case @uploader.fog_credentials[:provider].to_s
+            case fog_provider
             when 'AWS'
               # check if some endpoint is set in fog_credentials
               if @uploader.fog_credentials.has_key?(:endpoint)
                 "#{@uploader.fog_credentials[:endpoint]}/#{@uploader.fog_directory}/#{encoded_path}"
               else
                 protocol = @uploader.fog_use_ssl_for_aws ? "https" : "http"
+
+                subdomain_regex = /^(?:[a-z]|\d(?!\d{0,2}(?:\d{1,3}){3}$))(?:[a-z0-9\.]|(?![\-])|\-(?![\.])){1,61}[a-z0-9]$/
+                valid_subdomain = @uploader.fog_directory.to_s =~ subdomain_regex && !(protocol == 'https' && @uploader.fog_directory =~ /\./)
+
                 # if directory is a valid subdomain, use that style for access
-                if @uploader.fog_directory.to_s =~ /^(?:[a-z]|\d(?!\d{0,2}(?:\d{1,3}){3}$))(?:[a-z0-9\.]|(?![\-])|\-(?![\.])){1,61}[a-z0-9]$/
+                if valid_subdomain
                   s3_subdomain = @uploader.fog_aws_accelerate ? "s3-accelerate" : "s3"
                   "#{protocol}://#{@uploader.fog_directory}.#{s3_subdomain}.amazonaws.com/#{encoded_path}"
                 else
@@ -466,7 +474,15 @@ module CarrierWave
         end
 
         def acl_header
-          {'x-amz-acl' => @uploader.fog_public ? 'public-read' : 'private'}
+          if fog_provider == 'AWS'
+            { 'x-amz-acl' => @uploader.fog_public ? 'public-read' : 'private' }
+          else
+            {}
+          end
+        end
+
+        def fog_provider
+          @uploader.fog_credentials[:provider].to_s
         end
 
         def read_source_file(file_body)
@@ -479,6 +495,11 @@ module CarrierWave
             file_body.close
           end
         end
+
+        def url_options_supported?(local_file)
+          parameters = local_file.method(:url).parameters
+          parameters.count == 2 && parameters[1].include?(:options)
+        end
       end
 
     end # Fog

data/lib/carrierwave/uploader/content_type_whitelist.rb

@@ -35,7 +35,7 @@ module CarrierWave
       def check_content_type_whitelist!(new_file)
         content_type = new_file.content_type
         if content_type_whitelist && !whitelisted_content_type?(content_type)
-          raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.content_type_whitelist_error", content_type: content_type)
+          raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.content_type_whitelist_error", content_type: content_type, allowed_types: Array(content_type_whitelist).join(", "))
         end
       end
 

data/lib/carrierwave/uploader/download.rb

@@ -1,4 +1,5 @@
 require 'open-uri'
+require 'ssrf_filter'
 
 module CarrierWave
   module Uploader
@@ -10,15 +11,18 @@ module CarrierWave
       include CarrierWave::Uploader::Cache
 
       class RemoteFile
-        def initialize(uri, remote_headers = {})
+        attr_reader :uri
+
+        def initialize(uri, remote_headers = {}, skip_ssrf_protection: false)
           @uri = uri
-          @remote_headers = remote_headers
-          @file = nil
+          @remote_headers = remote_headers.reverse_merge('User-Agent' => "CarrierWave/#{CarrierWave::VERSION}")
+          @file, @content_type, @headers = nil
+          @skip_ssrf_protection = skip_ssrf_protection
         end
 
         def original_filename
           filename = filename_from_header || filename_from_uri
-          mime_type = MIME::Types[file.content_type].first
+          mime_type = MIME::Types[content_type].first
           unless File.extname(filename).present? || mime_type.blank?
             filename = "#{filename}.#{mime_type.extensions.first}"
           end
@@ -33,15 +37,35 @@ module CarrierWave
           @uri.scheme =~ /^https?$/
         end
 
-      private
+        def content_type
+          @content_type || 'application/octet-stream'
+        end
+
+        def headers
+          @headers || {}
+        end
+
+        private
 
         def file
           if @file.blank?
-            headers = @remote_headers.
-              reverse_merge('User-Agent' => "CarrierWave/#{CarrierWave::VERSION}")
-
-            @file = Kernel.open(@uri.to_s, headers)
-            @file = @file.is_a?(String) ? StringIO.new(@file) : @file
+            if @skip_ssrf_protection
+              @file = (URI.respond_to?(:open) ? URI : Kernel).open(@uri.to_s, @remote_headers)
+              @file = @file.is_a?(String) ? StringIO.new(@file) : @file
+              @content_type = @file.content_type
+              @headers = @file.meta
+              @uri = @file.base_uri
+            else
+              request = nil
+              response = SsrfFilter.get(@uri, headers: @remote_headers) do |req|
+                request = req
+              end
+              response.value
+              @file = StringIO.new(response.body)
+              @content_type = response.content_type
+              @headers = response
+              @uri = request.uri
+            end
           end
           @file
 
@@ -50,14 +74,14 @@ module CarrierWave
         end
 
         def filename_from_header
-          if file.meta.include? 'content-disposition'
-            match = file.meta['content-disposition'].match(/filename="?([^"]+)/)
+          if headers['content-disposition']
+            match = headers['content-disposition'].match(/filename="?([^"]+)/)
             return match[1] unless match.nil? || match[1].empty?
           end
         end
 
         def filename_from_uri
-          URI.decode(File.basename(file.base_uri.path))
+          URI::DEFAULT_PARSER.unescape(File.basename(@uri.path))
         end
 
         def method_missing(*args, &block)
@@ -75,7 +99,7 @@ module CarrierWave
       #
       def download!(uri, remote_headers = {})
         processed_uri = process_uri(uri)
-        file = RemoteFile.new(processed_uri, remote_headers)
+        file = RemoteFile.new(processed_uri, remote_headers, skip_ssrf_protection: skip_ssrf_protection?(processed_uri))
         raise CarrierWave::DownloadError, "trying to download a file which is not served over HTTP" unless file.http?
         cache!(file)
       end
@@ -92,11 +116,30 @@ module CarrierWave
       rescue URI::InvalidURIError
         uri_parts = uri.split('?')
         # regexp from Ruby's URI::Parser#regexp[:UNSAFE], with [] specifically removed
-        encoded_uri = URI.encode(uri_parts.shift, /[^\-_.!~*'()a-zA-Z\d;\/?:@&=+$,]/)
-        encoded_uri << '?' << URI.encode(uri_parts.join('?')) if uri_parts.any?
+        encoded_uri = URI::DEFAULT_PARSER.escape(uri_parts.shift, /[^\-_.!~*'()a-zA-Z\d;\/?:@&=+$,]/)
+        encoded_uri << '?' << URI::DEFAULT_PARSER.escape(uri_parts.join('?')) if uri_parts.any?
         URI.parse(encoded_uri) rescue raise CarrierWave::DownloadError, "couldn't parse URL"
       end
 
+      ##
+      # If this returns true, SSRF protection will be bypassed.
+      # You can override this if you want to allow accessing specific local URIs that are not SSRF exploitable.
+      #
+      # === Parameters
+      #
+      # [uri (URI)] The URI where the remote file is stored
+      #
+      # === Examples
+      #
+      #     class MyUploader < CarrierWave::Uploader::Base
+      #       def skip_ssrf_protection?(uri)
+      #         uri.hostname == 'localhost' && uri.port == 80
+      #       end
+      #     end
+      #
+      def skip_ssrf_protection?(uri)
+        false
+      end
     end # Download
   end # Uploader
 end # CarrierWave

data/lib/carrierwave/version.rb

@@ -1,3 +1,3 @@
 module CarrierWave
-  VERSION = "1.2.3"
+  VERSION = "1.3.2"
 end

data/lib/carrierwave.rb

@@ -34,6 +34,26 @@ if defined?(Merb)
     Dir.glob(File.join(Merb.load_paths[:uploaders])).each {|f| require f }
   end
 
+elsif defined?(Jets)
+
+  module CarrierWave
+    class Turbine < Jets::Turbine
+      initializer "carrierwave.setup_paths" do |app|
+        CarrierWave.root = Jets.root.to_s
+        CarrierWave.tmp_path = "/tmp/carrierwave"
+        CarrierWave.configure do |config|
+          config.cache_dir = "/tmp/carrierwave/uploads/tmp"
+        end
+      end
+
+      initializer "carrierwave.active_record" do
+        ActiveSupport.on_load :active_record do
+          require 'carrierwave/orm/activerecord'
+        end
+      end
+    end
+  end
+
 elsif defined?(Rails)
 
   module CarrierWave

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: carrierwave
 version: !ruby/object:Gem::Version
-  version: 1.2.3
+  version: 1.3.2
 platform: ruby
 authors:
 - Jonas Nicklas
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-06-30 00:00:00.000000000 Z
+date: 2021-02-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -52,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: ssrf_filter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: pg
   requirement: !ruby/object:Gem::Requirement
@@ -140,16 +154,16 @@ dependencies:
   name: fog-google
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "<="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.0
+        version: 1.7.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "<="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.0
+        version: 1.7.1
 - !ruby/object:Gem::Dependency
   name: fog-local
   requirement: !ruby/object:Gem::Requirement
@@ -196,16 +210,16 @@ dependencies:
   name: rmagick
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.16'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.16'
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement
@@ -303,7 +317,7 @@ homepage: https://github.com/carrierwaveuploader/carrierwave
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--main"
 require_paths:
@@ -319,9 +333,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.2
-signing_key: 
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: Ruby file upload library
 test_files: []