carrierwave 0.11.0 → 0.11.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of carrierwave might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/README.md +16 -0
- data/lib/carrierwave/sanitized_file.rb +21 -6
- data/lib/carrierwave/storage.rb +5 -3
- data/lib/carrierwave/storage/fog.rb +0 -2
- data/lib/carrierwave/version.rb +1 -1
- metadata +17 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 53da23e707788e0f5ebe68c6d77bf5fbe8e0cff4
|
|
4
|
+
data.tar.gz: 6fb8dc63a96871a884fdf2b5931aadbe3b7c1766
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 18558766d40c6d41d42a5aab1ab486998102c9bb00dba031f005c500f85e045315924614e8b2ca3169ba78ea5d9998263bf4c7832629e9f0dfd03c9e1670b64c
|
|
7
|
+
data.tar.gz: 20f9644c4157dec516f579c45380b98e3aaa5f9859af18a74cb2fc3970fe6fb57b55d5f1068e3eca465983df1dba471e2b8fb1fb852b1f8c01f37a2f731d3cab
|
data/README.md
CHANGED
|
@@ -161,6 +161,22 @@ class MyUploader < CarrierWave::Uploader::Base
|
|
|
161
161
|
end
|
|
162
162
|
```
|
|
163
163
|
|
|
164
|
+
### CVE-2016-3714 (ImageTragick)
|
|
165
|
+
This version of CarrierWave has the ability to mitigate CVE-2016-3714. However, you **MUST** set a `content_type_whitelist` in your uploaders for this protection to be effective, and you **MUST** either disable ImageMagick's default SVG delegate or use the RSVG delegate for SVG processing.
|
|
166
|
+
|
|
167
|
+
A valid whitelist that will restrict your uploader to images only, and mitigate the CVE is:
|
|
168
|
+
|
|
169
|
+
```ruby
|
|
170
|
+
class MyUploader < CarrierWave::Uploader::Base
|
|
171
|
+
def content_type_whitelist
|
|
172
|
+
[/image\//]
|
|
173
|
+
end
|
|
174
|
+
end
|
|
175
|
+
```
|
|
176
|
+
|
|
177
|
+
**WARNING**: A `content_type_whitelist` is the only form of whitelist or blacklist supported by CarrierWave that can effectively mitigate against CVE-2016-3714. Use of `extension_type_whitelist` will not inspect the file headers, and thus still leaves your application open to the vulnerability.
|
|
178
|
+
|
|
179
|
+
|
|
164
180
|
### Filenames and unicode chars
|
|
165
181
|
|
|
166
182
|
Another security issue you should care for is the file names (see
|
|
@@ -3,6 +3,7 @@
|
|
|
3
3
|
require 'pathname'
|
|
4
4
|
require 'active_support/core_ext/string/multibyte'
|
|
5
5
|
require 'mime/types'
|
|
6
|
+
require 'mimemagic'
|
|
6
7
|
|
|
7
8
|
module CarrierWave
|
|
8
9
|
|
|
@@ -244,12 +245,10 @@ module CarrierWave
|
|
|
244
245
|
# [String] the content type of the file
|
|
245
246
|
#
|
|
246
247
|
def content_type
|
|
247
|
-
|
|
248
|
-
|
|
249
|
-
|
|
250
|
-
|
|
251
|
-
@content_type = ::MIME::Types.type_for(path).first.to_s
|
|
252
|
-
end
|
|
248
|
+
@content_type ||=
|
|
249
|
+
existing_content_type ||
|
|
250
|
+
mime_magic_content_type ||
|
|
251
|
+
mime_types_content_type
|
|
253
252
|
end
|
|
254
253
|
|
|
255
254
|
##
|
|
@@ -309,6 +308,22 @@ module CarrierWave
|
|
|
309
308
|
return name.mb_chars.to_s
|
|
310
309
|
end
|
|
311
310
|
|
|
311
|
+
def existing_content_type
|
|
312
|
+
if @file.respond_to?(:content_type) && @file.content_type
|
|
313
|
+
@file.content_type.to_s.chomp
|
|
314
|
+
end
|
|
315
|
+
end
|
|
316
|
+
|
|
317
|
+
def mime_magic_content_type
|
|
318
|
+
MimeMagic.by_magic(File.open(path)).try(:type) if path
|
|
319
|
+
rescue Errno::ENOENT
|
|
320
|
+
nil
|
|
321
|
+
end
|
|
322
|
+
|
|
323
|
+
def mime_types_content_type
|
|
324
|
+
::MIME::Types.type_for(path).first.to_s if path
|
|
325
|
+
end
|
|
326
|
+
|
|
312
327
|
def split_extension(filename)
|
|
313
328
|
# regular expressions to try for identifying extensions
|
|
314
329
|
extension_matchers = [
|
data/lib/carrierwave/storage.rb
CHANGED
|
@@ -1,9 +1,11 @@
|
|
|
1
1
|
require "carrierwave/storage/abstract"
|
|
2
2
|
require "carrierwave/storage/file"
|
|
3
3
|
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
4
|
+
%w(aws google openstack rackspace).each do |fog_dependency|
|
|
5
|
+
begin
|
|
6
|
+
require "fog/#{fog_dependency}"
|
|
7
|
+
rescue LoadError
|
|
8
|
+
end
|
|
7
9
|
end
|
|
8
10
|
|
|
9
11
|
require "carrierwave/storage/fog" if defined?(Fog)
|
data/lib/carrierwave/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: carrierwave
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.11.
|
|
4
|
+
version: 0.11.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jonas Nicklas
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-05-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -66,6 +66,20 @@ dependencies:
|
|
|
66
66
|
- - ">="
|
|
67
67
|
- !ruby/object:Gem::Version
|
|
68
68
|
version: '1.16'
|
|
69
|
+
- !ruby/object:Gem::Dependency
|
|
70
|
+
name: mimemagic
|
|
71
|
+
requirement: !ruby/object:Gem::Requirement
|
|
72
|
+
requirements:
|
|
73
|
+
- - ">="
|
|
74
|
+
- !ruby/object:Gem::Version
|
|
75
|
+
version: 0.3.0
|
|
76
|
+
type: :runtime
|
|
77
|
+
prerelease: false
|
|
78
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
79
|
+
requirements:
|
|
80
|
+
- - ">="
|
|
81
|
+
- !ruby/object:Gem::Version
|
|
82
|
+
version: 0.3.0
|
|
69
83
|
- !ruby/object:Gem::Dependency
|
|
70
84
|
name: pg
|
|
71
85
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -332,7 +346,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
332
346
|
version: '0'
|
|
333
347
|
requirements: []
|
|
334
348
|
rubyforge_project: carrierwave
|
|
335
|
-
rubygems_version: 2.4.
|
|
349
|
+
rubygems_version: 2.4.5.1
|
|
336
350
|
signing_key:
|
|
337
351
|
specification_version: 3
|
|
338
352
|
summary: Ruby file upload library
|