carrierwave 2.1.0 → 2.1.1
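--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 84145959d912145a2915ab7adb9ccbd6bf7a971ab00cef83fb7f5092c349c9c5
+data.tar.gz: 9ba122388fb8ff36563001ea9144e4a1d523b7be78433fed2a971a82588de5c8
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 70f718887e9f4223405d8f273cafaf429395725eead688918d454499a50063fdc748cc519440d2010f783cfa1ec3ba19f54b5e07dc644d195cbe6d59f1c5b6b2
+data.tar.gz: 50907c92735e096c691a1ee7d440a2b83de736de3016b78c11796d0c558c283774236e5acf18abb552212816a38905986a6ec3ad0d956736f88c79ae99cd9aa6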
@@ -1,4 +1,5 @@
|
|
1
1
|
require 'open-uri'
|
2
|
+
require 'ssrf_filter'
|
2
3
|
require 'addressable'
|
3
4
|
require 'carrierwave/downloader/remote_file'
|
4
5
|
|
@@ -22,12 +23,22 @@ module CarrierWave
|
|
22
23
|
def download(url, remote_headers = {})
|
23
24
|
headers = remote_headers.
|
24
25
|
reverse_merge('User-Agent' => "CarrierWave/#{CarrierWave::VERSION}")
|
26
|
+
uri = process_uri(url.to_s)
|
25
27
|
begin
|
26
|
-
|
28
|
+
if skip_ssrf_protection?(uri)
|
29
|
+
response = OpenURI.open_uri(process_uri(url.to_s), headers)
|
30
|
+
else
|
31
|
+
request = nil
|
32
|
+
response = SsrfFilter.get(uri, headers: headers) do |req|
|
33
|
+
request = req
|
34
|
+
end
|
35
|
+
response.uri = request.uri
|
36
|
+
response.value
|
37
|
+
end
|
27
38
|
rescue StandardError => e
|
28
39
|
raise CarrierWave::DownloadError, "could not download file: #{e.message}"
|
29
40
|
end
|
30
|
-
CarrierWave::Downloader::RemoteFile.new(
|
41
|
+
CarrierWave::Downloader::RemoteFile.new(response)
|
31
42
|
end
|
32
43
|
|
33
44
|
##
|
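Review bot: The `skip_ssrf_protection?` branch hands the allowed URI to `OpenURI.open_uri`, which follows HTTP redirects by default, so an allow-listed endpoint that answers with a redirect sends the download to an arbitrary host with no SsrfFilter check at all; the bypass decision is taken once, against the initial URI only. Unless redirects from allow-listed hosts are intended, pass `redirect: false` and reuse the URI already computed on the line above instead of calling `process_uri(url.to_s)` a second time: `response = OpenURI.open_uri(uri, headers.merge(redirect: false))`. If redirects must stay enabled on that path, the hook's documentation should state plainly that the allow-list is not re-applied to redirect targets.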
@@ -45,6 +56,28 @@ module CarrierWave
|
|
45
56
|
rescue URI::InvalidURIError, Addressable::URI::InvalidURIError
|
46
57
|
raise CarrierWave::DownloadError, "couldn't parse URL: #{uri}"
|
47
58
|
end
|
59
|
+
|
60
|
+
##
|
61
|
+
# If this returns true, SSRF protection will be bypassed.
|
62
|
+
# You can override this if you want to allow accessing specific local URIs that are not SSRF exploitable.
|
63
|
+
#
|
64
|
+
# === Parameters
|
65
|
+
#
|
66
|
+
# [uri (URI)] The URI where the remote file is stored
|
67
|
+
#
|
68
|
+
# === Examples
|
69
|
+
#
|
70
|
+
# class CarrierWave::Downloader::CustomDownloader < CarrierWave::Downloader::Base
|
71
|
+
# def skip_ssrf_protection?(uri)
|
72
|
+
# uri.hostname == 'localhost' && uri.port == 80
|
73
|
+
# end
|
74
|
+
# end
|
75
|
+
#
|
76
|
+
# my_uploader.downloader = CarrierWave::Downloader::CustomDownloader
|
77
|
+
#
|
78
|
+
def skip_ssrf_protection?(uri)
|
79
|
+
false
|
80
|
+
end
|
48
81
|
end
|
49
82
|
end
|
50
83
|
end
|
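Review bot: The docstring for `skip_ssrf_protection?` does not say what the hook is given or what a `true` return does: `uri` is the `URI` produced by `process_uri`, examined before any DNS resolution or request, and returning `true` routes the whole download through plain open-uri with none of the SsrfFilter checks, including open-uri's own redirect handling. The example compares `uri.hostname` and `uri.port` with literals, which is the right shape, but the phrase "local URIs that are not SSRF exploitable" gives an overrider no criterion to judge that by. I would add after the parameter list: `# The check runs once on the parsed URI before any request is made; a true return disables every SsrfFilter check for that download, so only allow literal hosts/ports you control that cannot redirect elsewhere.`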
@@ -1,15 +1,36 @@
|
|
1
1
|
module CarrierWave
|
2
2
|
module Downloader
|
3
3
|
class RemoteFile
|
4
|
-
attr_reader :file
|
4
|
+
attr_reader :file, :uri
|
5
5
|
|
6
6
|
def initialize(file)
|
7
|
-
|
7
|
+
case file
|
8
|
+
when String
|
9
|
+
@file = StringIO.new(file)
|
10
|
+
when Net::HTTPResponse
|
11
|
+
@file = StringIO.new(file.body)
|
12
|
+
@content_type = file.content_type
|
13
|
+
@headers = file
|
14
|
+
@uri = file.uri
|
15
|
+
else
|
16
|
+
@file = file
|
17
|
+
@content_type = file.content_type
|
18
|
+
@headers = file.meta
|
19
|
+
@uri = file.base_uri
|
20
|
+
end
|
21
|
+
end
|
22
|
+
|
23
|
+
def content_type
|
24
|
+
@content_type || 'application/octet-stream'
|
25
|
+
end
|
26
|
+
|
27
|
+
def headers
|
28
|
+
@headers || {}
|
8
29
|
end
|
9
30
|
|
10
31
|
def original_filename
|
11
32
|
filename = filename_from_header || filename_from_uri
|
12
|
-
mime_type = MiniMime.lookup_by_content_type(
|
33
|
+
mime_type = MiniMime.lookup_by_content_type(content_type)
|
13
34
|
unless File.extname(filename).present? || mime_type.blank?
|
14
35
|
filename = "#(unknown).#{mime_type.extension}"
|
15
36
|
end
|
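Review bot: For a `Net::HTTPResponse` the entire body is copied into `StringIO.new(file.body)`, so on the SsrfFilter path a remote file is held fully in memory, whereas the open-uri object handled by the `else` branch is, as far as I recall, Tempfile-backed once the body exceeds open-uri's small in-memory threshold; a user-supplied URL pointing at a very large file can therefore exhaust memory where it previously spilled to disk. Nothing in this hunk bounds the size, and the body has already been read by the time `initialize` runs, so a maximum-size check (or at least a documented warning) belongs on `Downloader::Base#download`, with a comment here such as `# body is already fully read by SsrfFilter; memory-bound, see Downloader::Base`. Separately, the `String` branch sets neither `@uri` nor `@headers`, so `original_filename` will reach `filename_from_uri` with `uri` nil — acceptable if that constructor is test-only, but it deserves a comment saying so. `original_filename` continues past the end of the hunk.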
@@ -23,16 +44,16 @@ module CarrierWave
|
|
23
44
|
private
|
24
45
|
|
25
46
|
def filename_from_header
|
26
|
-
return nil unless
|
47
|
+
return nil unless headers['content-disposition']
|
27
48
|
|
28
|
-
match =
|
49
|
+
match = headers['content-disposition'].match(/filename=(?:"([^"]+)"|([^";]+))/)
|
29
50
|
return nil unless match
|
30
51
|
|
31
52
|
match[1].presence || match[2].presence
|
32
53
|
end
|
33
54
|
|
34
55
|
def filename_from_uri
|
35
|
-
CGI.unescape(File.basename(
|
56
|
+
CGI.unescape(File.basename(uri.path))
|
36
57
|
end
|
37
58
|
|
38
59
|
def method_missing(*args, &block)
|
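Review bot: `filename_from_header` returns the `Content-Disposition` filename verbatim while `filename_from_uri` normalises its result with `File.basename`, so a server at a user-supplied URL can answer `filename="../../x"` and the name reaches `original_filename` with path separators intact. Unless a later sanitisation step is guaranteed downstream — I cannot see one from here — apply the same treatment: `name = match[1].presence || match[2].presence` followed by `name && File.basename(name)`. The regex also only accepts the plain `filename=` parameter, so an RFC 6266 `filename*=` value is ignored and the code falls through to the URI, which is acceptable but worth a one-line comment. `filename_from_uri` will additionally raise on `uri.path` when the `RemoteFile` was built from a `String`, since that branch of `initialize` leaves `uri` nil.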
@@ -378,9 +378,15 @@ module CarrierWave
|
|
378
378
|
|
379
379
|
def create_info_block(options)
|
380
380
|
return nil unless options
|
381
|
-
|
382
|
-
|
383
|
-
|
381
|
+
proc do |img|
|
382
|
+
options.each do |k, v|
|
383
|
+
if v.is_a?(String) && (matches = v.match(/^["'](.+)["']/))
|
384
|
+
ActiveSupport::Deprecation.warn "Passing quoted strings like #{v} to #manipulate! is deprecated, pass them without quoting."
|
385
|
+
v = matches[1]
|
386
|
+
end
|
387
|
+
img.public_send(:"#{k}=", v)
|
388
|
+
end
|
389
|
+
end
|
384
390
|
end
|
385
391
|
|
386
392
|
def destroy_image(image)
|
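Review bot: The quote-stripping regex `/^["'](.+)["']/` is anchored only at a line start and requires neither that the closing quote match the opening one nor that it end the string, so a value such as `"foo" bar` is silently truncated to `foo` and a multi-line value can match on any line. Since the branch exists only to unwrap a legacy quoted literal, match a balanced pair over the whole string: `if v.is_a?(String) && (matches = v.match(/\A(["'])(.+)\1\z/))` with `v = matches[2]`. Note also that `img.public_send(:"#{k}=", v)` will invoke any public setter on `img` for whatever key `options` carries, so the documentation of `manipulate!` (outside this hunk) should state that option keys must be developer-controlled, never taken from request input.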
data/lib/carrierwave/version.rb
CHANGED
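--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: carrierwave
 version: !ruby/object:Gem::Version
-version: 2.1.
+version: 2.1.1
 platform: ruby
 authors:
 - Jonas Nicklas
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2021-02-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -94,6 +94,20 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '2.6'
+- !ruby/object:Gem::Dependency
+name: ssrf_filter
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.0'
 - !ruby/object:Gem::Dependency
 name: pg
 requirement: !ruby/object:Gem::Requirement
@@ -347,7 +361,7 @@ homepage: https://github.com/carrierwaveuploader/carrierwave
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options:
 - "--main"
 require_paths:
@@ -363,8 +377,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
-signing_key:
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: Ruby file upload library
 test_files: []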