carrierwave 2.0.0.rc → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8d930fb9703b4bdb5ec81e14a01a5f07a260f39b52caed16978f193ddfd73159
-  data.tar.gz: 83facb0af8dd50905b36510986a0215d3e6a03b765e83b6b063a6bc8ad7bbaf0
+  metadata.gz: 84145959d912145a2915ab7adb9ccbd6bf7a971ab00cef83fb7f5092c349c9c5
+  data.tar.gz: 9ba122388fb8ff36563001ea9144e4a1d523b7be78433fed2a971a82588de5c8
 SHA512:
-  metadata.gz: aa813176c7dca0e42e9e131d405eeec2324741c7dff79fc4ceed9c5d16dabb52d967f6e40a025fe431412d91e1cfcb9fd043655271de7d615938f89f9f075179
-  data.tar.gz: 16877c3b9ce32913719f0329b300bae18991de3d642702eed202639a2f9ecb0613e41c766f0ae9adf97d2d64247f86cb3cbdb47f75112542ba01dd82b3653539
+  metadata.gz: 70f718887e9f4223405d8f273cafaf429395725eead688918d454499a50063fdc748cc519440d2010f783cfa1ec3ba19f54b5e07dc644d195cbe6d59f1c5b6b2
+  data.tar.gz: 50907c92735e096c691a1ee7d440a2b83de736de3016b78c11796d0c558c283774236e5acf18abb552212816a38905986a6ec3ad0d956736f88c79ae99cd9aa6

data/README.md

@@ -30,7 +30,7 @@ $ gem install carrierwave
 In Rails, add it to your Gemfile:
 
 ```ruby
-gem 'carrierwave', '>= 2.0.0.rc', '< 3.0'
+gem 'carrierwave', '~> 2.0'
 ```
 
 Finally, restart the server to apply the changes.
@@ -332,15 +332,13 @@ end
 
 When this uploader is used, an uploaded image would be scaled to be no larger
 than 800 by 800 pixels. The original aspect ratio will be kept.
-A version called thumb is then created, which is scaled
-to exactly 200 by 200 pixels.
 
-If you would like to crop images to a specific height and width you
-can use the alternative option of '''resize_to_fill'''. It will make sure
+A version called `:thumb` is then created, which is scaled
+to exactly 200 by 200 pixels. The thumbnail uses `resize_to_fill` which makes sure
 that the width and height specified are filled, only cropping
 if the aspect ratio requires it.
 
-The uploader could be used like this:
+The above uploader could be used like this:
 
 ```ruby
 uploader = AvatarUploader.new
@@ -353,6 +351,18 @@ uploader.thumb.url # => '/url/to/thumb_my_file.png'   # size: 200x200
 One important thing to remember is that process is called *before* versions are
 created. This can cut down on processing cost.
 
+### Processing Methods: mini_magick
+
+- `convert` - Changes the image encoding format to the given format, eg. jpg
+- `resize_to_limit` - Resize the image to fit within the specified dimensions while retaining the original aspect ratio. Will only resize the image if it is larger than the specified dimensions. The resulting image may be shorter or narrower than specified in the smaller dimension but will not be larger than the specified values.
+- `resize_to_fit` - Resize the image to fit within the specified dimensions while retaining the original aspect ratio. The image may be shorter or narrower than specified in the smaller dimension but will not be larger than the specified values.
+- `resize_to_fill` - Resize the image to fit within the specified dimensions while retaining the aspect ratio of the original image. If necessary, crop the image in the larger dimension. Optionally, a "gravity" may be specified, for example "Center", or "NorthEast".
+- `resize_and_pad` - Resize the image to fit within the specified dimensions while retaining the original aspect ratio. If necessary, will pad the remaining area with the given color, which defaults to transparent (for gif and png, white for jpeg). Optionally, a "gravity" may be specified, as above.
+
+See `carrierwave/processing/mini_magick.rb` for details.
+
+### Nested versions
+
 It is possible to nest versions within versions:
 
 ```ruby

data/lib/carrierwave/downloader/base.rb

@@ -1,4 +1,5 @@
 require 'open-uri'
+require 'ssrf_filter'
 require 'addressable'
 require 'carrierwave/downloader/remote_file'
 
@@ -22,12 +23,22 @@ module CarrierWave
       def download(url, remote_headers = {})
         headers = remote_headers.
           reverse_merge('User-Agent' => "CarrierWave/#{CarrierWave::VERSION}")
+        uri = process_uri(url.to_s)
         begin
-          file = OpenURI.open_uri(process_uri(url.to_s), headers)
+          if skip_ssrf_protection?(uri)
+            response = OpenURI.open_uri(process_uri(url.to_s), headers)
+          else
+            request = nil
+            response = SsrfFilter.get(uri, headers: headers) do |req|
+              request = req
+            end
+            response.uri = request.uri
+            response.value
+          end
         rescue StandardError => e
           raise CarrierWave::DownloadError, "could not download file: #{e.message}"
         end
-        CarrierWave::Downloader::RemoteFile.new(file)
+        CarrierWave::Downloader::RemoteFile.new(response)
       end
 
       ##
@@ -40,11 +51,33 @@ module CarrierWave
       def process_uri(uri)
         uri_parts = uri.split('?')
         encoded_uri = Addressable::URI.parse(uri_parts.shift).normalize.to_s
-        encoded_uri << '?' << URI.encode(uri_parts.join('?')) if uri_parts.any?
+        encoded_uri << '?' << Addressable::URI.encode(uri_parts.join('?')).gsub('%5B', '[').gsub('%5D', ']') if uri_parts.any?
         URI.parse(encoded_uri)
       rescue URI::InvalidURIError, Addressable::URI::InvalidURIError
         raise CarrierWave::DownloadError, "couldn't parse URL: #{uri}"
       end
+
+      ##
+      # If this returns true, SSRF protection will be bypassed.
+      # You can override this if you want to allow accessing specific local URIs that are not SSRF exploitable.
+      #
+      # === Parameters
+      #
+      # [uri (URI)] The URI where the remote file is stored
+      #
+      # === Examples
+      #
+      #     class CarrierWave::Downloader::CustomDownloader < CarrierWave::Downloader::Base
+      #       def skip_ssrf_protection?(uri)
+      #         uri.hostname == 'localhost' && uri.port == 80
+      #       end
+      #     end
+      #
+      #     my_uploader.downloader = CarrierWave::Downloader::CustomDownloader
+      #
+      def skip_ssrf_protection?(uri)
+        false
+      end
     end
   end
 end

data/lib/carrierwave/downloader/remote_file.rb

@@ -1,15 +1,36 @@
 module CarrierWave
   module Downloader
     class RemoteFile
-      attr_reader :file
+      attr_reader :file, :uri
 
       def initialize(file)
-        @file = file.is_a?(String) ? StringIO.new(file) : file
+        case file
+        when String
+          @file = StringIO.new(file)
+        when Net::HTTPResponse
+          @file = StringIO.new(file.body)
+          @content_type = file.content_type
+          @headers = file
+          @uri = file.uri
+        else
+          @file = file
+          @content_type = file.content_type
+          @headers = file.meta
+          @uri = file.base_uri
+        end
+      end
+
+      def content_type
+        @content_type || 'application/octet-stream'
+      end
+
+      def headers
+        @headers || {}
       end
 
       def original_filename
         filename = filename_from_header || filename_from_uri
-        mime_type = MiniMime.lookup_by_content_type(file.content_type)
+        mime_type = MiniMime.lookup_by_content_type(content_type)
         unless File.extname(filename).present? || mime_type.blank?
           filename = "#{filename}.#{mime_type.extension}"
         end
@@ -23,14 +44,16 @@ module CarrierWave
       private
 
       def filename_from_header
-        if file.meta.include? 'content-disposition'
-          match = file.meta['content-disposition'].match(/filename=(?:"([^"]+)"|([^";]+))/)
-          match[1].presence || match[2].presence
-        end
+        return nil unless headers['content-disposition']
+
+        match = headers['content-disposition'].match(/filename=(?:"([^"]+)"|([^";]+))/)
+        return nil unless match
+
+        match[1].presence || match[2].presence
       end
 
       def filename_from_uri
-        CGI.unescape(File.basename(file.base_uri.path))
+        CGI.unescape(File.basename(uri.path))
       end
 
       def method_missing(*args, &block)

data/lib/carrierwave/mounter.rb

@@ -72,9 +72,10 @@ module CarrierWave
     end
 
     def cache_names=(cache_names)
+      cache_names = cache_names.reject(&:blank?)
       return if cache_names.blank?
       clear_unstaged
-      cache_names.map do |cache_name|
+      cache_names.each do |cache_name|
         begin
           uploader = blank_uploader
           uploader.retrieve_from_cache!(cache_name)
@@ -91,7 +92,7 @@ module CarrierWave
       @remote_urls = urls
 
       clear_unstaged
-      urls.zip(remote_request_headers || []).map do |url, header|
+      urls.zip(remote_request_headers || []).each do |url, header|
         handle_error do
           uploader = blank_uploader
           uploader.download!(url, header || {})
@@ -113,7 +114,7 @@ module CarrierWave
     end
 
     def remove?
-      remove.present? && remove !~ /\A0|false$\z/
+      remove.present? && (remove == true || remove !~ /\A0|false$\z/)
     end
 
     def remove!

data/lib/carrierwave/processing/mini_magick.rb

@@ -297,7 +297,7 @@ module CarrierWave
 
       # backwards compatibility (we want to eventually move away from MiniMagick::Image)
       if block
-        image  = MiniMagick::Image.new(result.path, result)
+        image  = ::MiniMagick::Image.new(result.path, result)
         image  = block.call(image)
         result = image.instance_variable_get(:@tempfile)
       end

data/lib/carrierwave/processing/rmagick.rb

@@ -378,9 +378,15 @@ module CarrierWave
 
     def create_info_block(options)
       return nil unless options
-      assignments = options.map { |k, v| "self.#{k} = #{v}" }
-      code = "lambda { |img| " + assignments.join(";") + "}"
-      eval code
+      proc do |img|
+        options.each do |k, v|
+          if v.is_a?(String) && (matches = v.match(/^["'](.+)["']/))
+            ActiveSupport::Deprecation.warn "Passing quoted strings like #{v} to #manipulate! is deprecated, pass them without quoting."
+            v = matches[1]
+          end
+          img.public_send(:"#{k}=", v)
+        end
+      end
     end
 
     def destroy_image(image)

data/lib/carrierwave/sanitized_file.rb

@@ -305,7 +305,7 @@ module CarrierWave
     def mkdir!(path, directory_permissions)
       options = {}
       options[:mode] = directory_permissions if directory_permissions
-      FileUtils.mkdir_p(File.dirname(path), options) unless File.exist?(File.dirname(path))
+      FileUtils.mkdir_p(File.dirname(path), **options) unless File.exist?(File.dirname(path))
     end
 
     def chmod!(path, permissions)

data/lib/carrierwave/storage/fog.rb

@@ -161,6 +161,8 @@ module CarrierWave
       end
 
       class File
+        DEFAULT_S3_REGION = 'us-east-1'
+
         include CarrierWave::Utilities::Uri
 
         ##
@@ -194,7 +196,7 @@ module CarrierWave
         # [NilClass] no authenticated url available
         #
         def authenticated_url(options = {})
-          if ['AWS', 'Google', 'Rackspace', 'OpenStack', 'AzureRM', 'Aliyun'].include?(@uploader.fog_credentials[:provider])
+          if ['AWS', 'Google', 'Rackspace', 'OpenStack', 'AzureRM', 'Aliyun', 'backblaze'].include?(@uploader.fog_credentials[:provider])
             # avoid a get by using local references
             local_directory = connection.directories.new(:key => @uploader.fog_directory)
             local_file = local_directory.files.new(:key => path)
@@ -384,9 +386,15 @@ module CarrierWave
                 if valid_subdomain
                   s3_subdomain = @uploader.fog_aws_accelerate ? "s3-accelerate" : "s3"
                   "#{protocol}://#{@uploader.fog_directory}.#{s3_subdomain}.amazonaws.com/#{encoded_path}"
-                else
-                  # directory is not a valid subdomain, so use path style for access
-                  "#{protocol}://s3.amazonaws.com/#{@uploader.fog_directory}/#{encoded_path}"
+                else # directory is not a valid subdomain, so use path style for access
+                  region = @uploader.fog_credentials[:region].to_s
+                  host   = case region
+                           when DEFAULT_S3_REGION, ''
+                             's3.amazonaws.com'
+                           else
+                             "s3.#{region}.amazonaws.com"
+                           end
+                  "#{protocol}://#{host}/#{@uploader.fog_directory}/#{encoded_path}"
                 end
               end
             when 'Google'

data/lib/carrierwave/version.rb

@@ -1,3 +1,3 @@
 module CarrierWave
-  VERSION = "2.0.0.rc"
+  VERSION = "2.1.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: carrierwave
 version: !ruby/object:Gem::Version
-  version: 2.0.0.rc
+  version: 2.1.1
 platform: ruby
 authors:
 - Jonas Nicklas
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-06-23 00:00:00.000000000 Z
+date: 2021-02-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -94,6 +94,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.6'
+- !ruby/object:Gem::Dependency
+  name: ssrf_filter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: pg
   requirement: !ruby/object:Gem::Requirement
@@ -347,7 +361,7 @@ homepage: https://github.com/carrierwaveuploader/carrierwave
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--main"
 require_paths:
@@ -359,13 +373,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.2.2
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.8
-signing_key: 
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: Ruby file upload library
 test_files: []