carrierwave 1.3.4 → 2.0.0.rc

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8424c8e8238faa3fd7fda7424149843ad11dc06e7704e55412a905c765ac0a0c
-  data.tar.gz: ecef054ec6f134badaaffbc406794ad3642e000e8a8623d9e63655e726ea2c7c
+  metadata.gz: 8d930fb9703b4bdb5ec81e14a01a5f07a260f39b52caed16978f193ddfd73159
+  data.tar.gz: 83facb0af8dd50905b36510986a0215d3e6a03b765e83b6b063a6bc8ad7bbaf0
 SHA512:
-  metadata.gz: 5d01517bae4bca3457d5576739c51fa2c9ba0ca54a72060b0c673268ae6dc8199f309891c4bc5212ec64019055a0ea40fe853a208ec74cbaf5cc325c4f8888ab
-  data.tar.gz: edc2a20b818d2cdbabb71aee399de99a08ed6a95096e6e634c6213403368704b0871b88ff81d0ec6f1b0dd7661c4bec9dc78c524105bf6ecdb6e28e1f30028b7
+  metadata.gz: aa813176c7dca0e42e9e131d405eeec2324741c7dff79fc4ceed9c5d16dabb52d967f6e40a025fe431412d91e1cfcb9fd043655271de7d615938f89f9f075179
+  data.tar.gz: 16877c3b9ce32913719f0329b300bae18991de3d642702eed202639a2f9ecb0613e41c766f0ae9adf97d2d64247f86cb3cbdb47f75112542ba01dd82b3653539

data/README.md

@@ -30,13 +30,13 @@ $ gem install carrierwave
 In Rails, add it to your Gemfile:
 
 ```ruby
-gem 'carrierwave', '~> 1.0'
+gem 'carrierwave', '>= 2.0.0.rc', '< 3.0'
 ```
 
 Finally, restart the server to apply the changes.
 
-As of version 1.0, CarrierWave requires Rails 4.0 or higher and Ruby 2.0
-or higher. If you're on Rails 3, you should use v0.11.0.
+As of version 2.0, CarrierWave requires Rails 5.0 or higher and Ruby 2.2
+or higher. If you're on Rails 4, you should use 1.x.
 
 ## Getting Started
 
@@ -190,6 +190,17 @@ u.avatars[0].current_path # => 'path/to/file.png'
 u.avatars[0].identifier # => 'file.png'
 ```
 
+If you want to preserve existing files on uploading new one, you can go like:
+
+```erb
+<% user.avatars.each do |avatar| %>
+  <%= hidden_field :user, :avatars, multiple: true, value: avatar.identifier %>
+<% end %>
+<%= form.file_field :avatars, multiple: true %>
+```
+
+Sorting avatars is supported as well by reordering `hidden_field`, an example using jQuery UI Sortable is available [here](https://github.com/carrierwaveuploader/carrierwave/wiki/How-to%3A-Add%2C-remove-and-reorder-images-using-multiple-file-upload).
+
 ## Changing the storage directory
 
 In order to change where uploaded files are put, just override the `store_dir`
@@ -255,6 +266,22 @@ class NoJsonUploader < CarrierWave::Uploader::Base
 end
 ```
 
+### CVE-2016-3714 (ImageTragick)
+This version of CarrierWave has the ability to mitigate CVE-2016-3714. However, you **MUST** set a content_type_whitelist in your uploaders for this protection to be effective, and you **MUST** either disable ImageMagick's default SVG delegate or use the RSVG delegate for SVG processing.
+
+
+A valid whitelist that will restrict your uploader to images only, and mitigate the CVE is:
+
+```ruby
+class MyUploader < CarrierWave::Uploader::Base
+  def content_type_whitelist
+    [/image\//]
+  end
+end
+```
+
+**WARNING**: A `content_type_whitelist` is the only form of whitelist or blacklist supported by CarrierWave that can effectively mitigate against CVE-2016-3714. Use of `extension_whitelist` will not inspect the file headers, and thus still leaves your application open to the vulnerability.
+
 ### Filenames and unicode chars
 
 Another security issue you should care for is the file names (see
@@ -280,7 +307,7 @@ You no longer need to do this manually.
 
 Often you'll want to add different versions of the same file. The classic example is image thumbnails. There is built in support for this*:
 
-*Note:* You must have Imagemagick and MiniMagick installed to do image resizing. MiniMagick is a Ruby interface for Imagemagick which is a C program. This is why MiniMagick fails on 'bundle install' without Imagemagick installed.
+*Note:* You must have Imagemagick installed to do image resizing.
 
 Some documentation refers to RMagick instead of MiniMagick but MiniMagick is recommended.
 
@@ -362,7 +389,7 @@ private
   end
 
   def is_landscape? picture
-    image = MiniMagick::Image.open(picture.path)
+    image = MiniMagick::Image.new(picture.path)
     image[:width] > image[:height]
   end
 
@@ -651,7 +678,6 @@ If you want to use fog you must add in your CarrierWave initializer the
 following lines
 
 ```ruby
-config.fog_provider = 'fog' # 'fog/aws' etc. Defaults to 'fog'
 config.fog_credentials = { ... } # Provider specific credentials
 ```
 
@@ -669,7 +695,6 @@ You can also pass in additional options, as documented fully in lib/carrierwave/
 
 ```ruby
 CarrierWave.configure do |config|
-  config.fog_provider = 'fog/aws'                        # required
   config.fog_credentials = {
     provider:              'AWS',                        # required
     aws_access_key_id:     'xxx',                        # required unless using use_iam_profile
@@ -695,6 +720,14 @@ end
 
 That's it! You can still use the `CarrierWave::Uploader#url` method to return the url to the file on Amazon S3.
 
+**Note**: for Carrierwave to work properly it needs credentials with the following permissions:
+
+* `s3:ListBucket`
+* `s3:PutObject`
+* `s3:GetObject`
+* `s3:DeleteObject`
+* `s3:PutObjectAcl`
+
 ## Using Rackspace Cloud Files
 
 [Fog](http://github.com/fog/fog) is used to support Rackspace Cloud Files. Ensure you have it in your Gemfile:
@@ -710,7 +743,6 @@ Using a US-based account:
 
 ```ruby
 CarrierWave.configure do |config|
-  config.fog_provider = "fog/rackspace/storage"   # optional, defaults to "fog"
   config.fog_credentials = {
     provider:           'Rackspace',
     rackspace_username: 'xxxxxx',
@@ -725,7 +757,6 @@ Using a UK-based account:
 
 ```ruby
 CarrierWave.configure do |config|
-  config.fog_provider = "fog/rackspace/storage"   # optional, defaults to "fog"
   config.fog_credentials = {
     provider:           'Rackspace',
     rackspace_username: 'xxxxxx',
@@ -774,7 +805,6 @@ Please read the [fog-google README](https://github.com/fog/fog-google/blob/maste
 
 ```ruby
 CarrierWave.configure do |config|
-  config.fog_provider = 'fog/google'                        # required
   config.fog_credentials = {
     provider:                         'Google',
     google_storage_access_key_id:     'xxxxxx',
@@ -871,8 +901,8 @@ manipulation methods.
 
 ## Using MiniMagick
 
-MiniMagick is similar to RMagick but performs all the operations using the 'mogrify'
-command which is part of the standard ImageMagick kit. This allows you to have the power
+MiniMagick is similar to RMagick but performs all the operations using the 'convert'
+CLI which is part of the standard ImageMagick kit. This allows you to have the power
 of ImageMagick without having to worry about installing all the RMagick libraries.
 
 See the MiniMagick site for more details:

data/lib/carrierwave/downloader/base.rb

@@ -0,0 +1,50 @@
+require 'open-uri'
+require 'addressable'
+require 'carrierwave/downloader/remote_file'
+
+module CarrierWave
+  module Downloader
+    class Base
+      attr_reader :uploader
+
+      def initialize(uploader)
+        @uploader = uploader
+      end
+
+      ##
+      # Downloads a file from given URL and returns a RemoteFile.
+      #
+      # === Parameters
+      #
+      # [url (String)] The URL where the remote file is stored
+      # [remote_headers (Hash)] Request headers
+      #
+      def download(url, remote_headers = {})
+        headers = remote_headers.
+          reverse_merge('User-Agent' => "CarrierWave/#{CarrierWave::VERSION}")
+        begin
+          file = OpenURI.open_uri(process_uri(url.to_s), headers)
+        rescue StandardError => e
+          raise CarrierWave::DownloadError, "could not download file: #{e.message}"
+        end
+        CarrierWave::Downloader::RemoteFile.new(file)
+      end
+
+      ##
+      # Processes the given URL by parsing and escaping it. Public to allow overriding.
+      #
+      # === Parameters
+      #
+      # [url (String)] The URL where the remote file is stored
+      #
+      def process_uri(uri)
+        uri_parts = uri.split('?')
+        encoded_uri = Addressable::URI.parse(uri_parts.shift).normalize.to_s
+        encoded_uri << '?' << URI.encode(uri_parts.join('?')) if uri_parts.any?
+        URI.parse(encoded_uri)
+      rescue URI::InvalidURIError, Addressable::URI::InvalidURIError
+        raise CarrierWave::DownloadError, "couldn't parse URL: #{uri}"
+      end
+    end
+  end
+end

data/lib/carrierwave/downloader/remote_file.rb

@@ -0,0 +1,42 @@
+module CarrierWave
+  module Downloader
+    class RemoteFile
+      attr_reader :file
+
+      def initialize(file)
+        @file = file.is_a?(String) ? StringIO.new(file) : file
+      end
+
+      def original_filename
+        filename = filename_from_header || filename_from_uri
+        mime_type = MiniMime.lookup_by_content_type(file.content_type)
+        unless File.extname(filename).present? || mime_type.blank?
+          filename = "#{filename}.#{mime_type.extension}"
+        end
+        filename
+      end
+
+      def respond_to?(*args)
+        super || file.respond_to?(*args)
+      end
+
+      private
+
+      def filename_from_header
+        if file.meta.include? 'content-disposition'
+          match = file.meta['content-disposition'].match(/filename=(?:"([^"]+)"|([^";]+))/)
+          match[1].presence || match[2].presence
+        end
+      end
+
+      def filename_from_uri
+        CGI.unescape(File.basename(file.base_uri.path))
+      end
+
+      def method_missing(*args, &block)
+        file.send(*args, &block)
+      end
+    end
+  end
+end
+

data/lib/carrierwave/mount.rb

@@ -174,17 +174,26 @@ module CarrierWave
           return if frozen?
           mounter = _mounter(:#{column})
 
-          if mounter.remove?
-            write_uploader(mounter.serialization_column, nil)
-          elsif mounter.identifiers.first
-            write_uploader(mounter.serialization_column, mounter.identifiers.first)
-          end
+          mounter.clear! if mounter.remove?
+          write_uploader(mounter.serialization_column, mounter.identifiers.first)
         end
 
         def #{column}_identifier
           _mounter(:#{column}).read_identifiers[0]
         end
 
+        def #{column}_integrity_error
+          #{column}_integrity_errors.last
+        end
+
+        def #{column}_processing_error
+          #{column}_processing_errors.last
+        end
+
+        def #{column}_download_error
+          #{column}_download_errors.last
+        end
+
         def store_previous_changes_for_#{column}
           attribute_changes = ::ActiveRecord.version.to_s.to_f >= 5.1 ? saved_changes : changes
           @_previous_changes_for_#{column} = attribute_changes[_mounter(:#{column}).serialization_column]
@@ -240,9 +249,9 @@ module CarrierWave
     # [store_images!]           Stores all files that have been assigned with +images=+
     # [remove_images!]          Removes the uploaded file from the filesystem.
     #
-    # [images_integrity_error]  Returns an error object if the last files to be assigned caused an integrity error
-    # [images_processing_error] Returns an error object if the last files to be assigned caused a processing error
-    # [images_download_error]   Returns an error object if the last files to be remotely assigned caused a download error
+    # [image_integrity_errors]   Returns error objects of files which failed to pass integrity check
+    # [image_processing_errors]  Returns error objects of files which failed to be processed
+    # [image_download_errors]    Returns error objects of files which failed to be downloaded
     #
     # [image_identifiers]       Reads out the identifiers of the files
     #
@@ -329,11 +338,8 @@ module CarrierWave
           return if frozen?
           mounter = _mounter(:#{column})
 
-          if mounter.remove?
-            write_uploader(mounter.serialization_column, nil)
-          elsif mounter.identifiers.any?
-            write_uploader(mounter.serialization_column, mounter.identifiers)
-          end
+          mounter.clear! if mounter.remove?
+          write_uploader(mounter.serialization_column, mounter.identifiers.presence)
         end
 
         def #{column}_identifiers
@@ -395,16 +401,16 @@ module CarrierWave
           _mounter(:#{column}).store!
         end
 
-        def #{column}_integrity_error
-          _mounter(:#{column}).integrity_error
+        def #{column}_integrity_errors
+          _mounter(:#{column}).integrity_errors
         end
 
-        def #{column}_processing_error
-          _mounter(:#{column}).processing_error
+        def #{column}_processing_errors
+          _mounter(:#{column}).processing_errors
         end
 
-        def #{column}_download_error
-          _mounter(:#{column}).download_error
+        def #{column}_download_errors
+          _mounter(:#{column}).download_errors
         end
 
         def mark_remove_#{column}_false

data/lib/carrierwave/mounter.rb

@@ -3,14 +3,17 @@ module CarrierWave
   # this is an internal class, used by CarrierWave::Mount so that
   # we don't pollute the model with a lot of methods.
   class Mounter #:nodoc:
-    attr_reader :column, :record, :remote_urls, :integrity_error,
-      :processing_error, :download_error
+    attr_reader :column, :record, :remote_urls, :integrity_errors,
+      :processing_errors, :download_errors
     attr_accessor :remove, :remote_request_headers
 
     def initialize(record, column, options={})
       @record = record
       @column = column
       @options = record.class.uploader_options[column]
+      @download_errors = []
+      @processing_errors = []
+      @integrity_errors = []
     end
 
     def uploader_class
@@ -38,21 +41,30 @@ module CarrierWave
     end
 
     def cache(new_files)
-      return if not new_files or new_files == ""
+      return if !new_files.is_a?(Array) && new_files.blank?
+      old_uploaders = uploaders
       @uploaders = new_files.map do |new_file|
-        uploader = blank_uploader
-        uploader.cache!(new_file)
-        uploader
-      end
-
-      @integrity_error = nil
-      @processing_error = nil
-    rescue CarrierWave::IntegrityError => e
-      @integrity_error = e
-      raise e unless option(:ignore_integrity_errors)
-    rescue CarrierWave::ProcessingError => e
-      @processing_error = e
-      raise e unless option(:ignore_processing_errors)
+        handle_error do
+          if new_file.is_a?(String)
+            if (uploader = old_uploaders.detect { |uploader| uploader.identifier == new_file })
+              uploader.staged = true
+              uploader
+            else
+              begin
+                uploader = blank_uploader
+                uploader.retrieve_from_cache!(new_file)
+                uploader
+              rescue CarrierWave::InvalidParameter
+                nil
+              end
+            end
+          else
+            uploader = blank_uploader
+            uploader.cache!(new_file)
+            uploader
+          end
+        end
+      end.compact
     end
 
     def cache_names
@@ -60,45 +72,36 @@ module CarrierWave
     end
 
     def cache_names=(cache_names)
-      return if not cache_names or cache_names == "" or uploaders.any?(&:cached?)
-      @uploaders = cache_names.map do |cache_name|
-        uploader = blank_uploader
-        uploader.retrieve_from_cache!(cache_name)
-        uploader
+      return if cache_names.blank?
+      clear_unstaged
+      cache_names.map do |cache_name|
+        begin
+          uploader = blank_uploader
+          uploader.retrieve_from_cache!(cache_name)
+          @uploaders << uploader
+        rescue CarrierWave::InvalidParameter
+          # ignore
+        end
       end
-    rescue CarrierWave::InvalidParameter
     end
 
     def remote_urls=(urls)
-      return if not urls or urls == "" or urls.all?(&:blank?)
+      return if urls.blank? || urls.all?(&:blank?)
 
       @remote_urls = urls
-      @download_error = nil
-      @integrity_error = nil
 
-      @uploaders = urls.zip(remote_request_headers || []).map do |url, header|
-        uploader = blank_uploader
-        uploader.download!(url, header || {})
-        uploader
+      clear_unstaged
+      urls.zip(remote_request_headers || []).map do |url, header|
+        handle_error do
+          uploader = blank_uploader
+          uploader.download!(url, header || {})
+          @uploaders << uploader
+        end
       end
-
-    rescue CarrierWave::DownloadError => e
-      @download_error = e
-      raise e unless option(:ignore_download_errors)
-    rescue CarrierWave::ProcessingError => e
-      @processing_error = e
-      raise e unless option(:ignore_processing_errors)
-    rescue CarrierWave::IntegrityError => e
-      @integrity_error = e
-      raise e unless option(:ignore_integrity_errors)
     end
 
     def store!
-      if remove?
-        remove!
-      else
-        uploaders.reject(&:blank?).each(&:store!)
-      end
+      uploaders.reject(&:blank?).each(&:store!)
     end
 
     def urls(*args)
@@ -110,7 +113,7 @@ module CarrierWave
     end
 
     def remove?
-      remove.present? && (remove == true || remove !~ /\A0|false$\z/)
+      remove.present? && remove !~ /\A0|false$\z/
     end
 
     def remove!
@@ -118,6 +121,10 @@ module CarrierWave
       @uploaders = []
     end
 
+    def clear!
+      @uploaders = []
+    end
+
     def serialization_column
       option(:mount_on) || column
     end
@@ -146,9 +153,7 @@ module CarrierWave
         end.path
       end
       before.each do |uploader|
-        if uploader.remove_previously_stored_files_after_update and not after_paths.include?(uploader.path)
-          uploader.remove!
-        end
+        uploader.remove! if uploader.remove_previously_stored_files_after_update && !after_paths.include?(uploader.path)
       end
     end
 
@@ -161,5 +166,22 @@ module CarrierWave
       self.uploader_options[name] ||= record.class.uploader_option(column, name)
     end
 
+    def clear_unstaged
+      @uploaders ||= []
+      @uploaders.keep_if(&:staged)
+    end
+
+    def handle_error
+      yield
+    rescue CarrierWave::DownloadError => e
+      @download_errors << e
+      raise e unless option(:ignore_download_errors)
+    rescue CarrierWave::ProcessingError => e
+      @processing_errors << e
+      raise e unless option(:ignore_processing_errors)
+    rescue CarrierWave::IntegrityError => e
+      @integrity_errors << e
+      raise e unless option(:ignore_integrity_errors)
+    end
   end # Mounter
 end # CarrierWave

data/lib/carrierwave/orm/activerecord.rb

@@ -12,7 +12,9 @@ module CarrierWave
     def mount_uploader(column, uploader=nil, options={}, &block)
       super
 
-      class_eval <<-RUBY, __FILE__, __LINE__+1
+      mod = Module.new
+      prepend mod
+      mod.class_eval <<-RUBY, __FILE__, __LINE__+1
         def remote_#{column}_url=(url)
           column = _mounter(:#{column}).serialization_column
           __send__(:"\#{column}_will_change!")
@@ -27,7 +29,9 @@ module CarrierWave
     def mount_uploaders(column, uploader=nil, options={}, &block)
       super
 
-      class_eval <<-RUBY, __FILE__, __LINE__+1
+      mod = Module.new
+      prepend mod
+      mod.class_eval <<-RUBY, __FILE__, __LINE__+1
         def remote_#{column}_urls=(url)
           column = _mounter(:#{column}).serialization_column
           __send__(:"\#{column}_will_change!")
@@ -52,15 +56,16 @@ module CarrierWave
       validates_processing_of column if uploader_option(column.to_sym, :validate_processing)
       validates_download_of column if uploader_option(column.to_sym, :validate_download)
 
-      after_save :"store_#{column}!"
       before_save :"write_#{column}_identifier"
+      after_save :"store_previous_changes_for_#{column}"
       after_commit :"remove_#{column}!", :on => :destroy
       after_commit :"mark_remove_#{column}_false", :on => :update
-
-      after_save :"store_previous_changes_for_#{column}"
       after_commit :"remove_previously_stored_#{column}", :on => :update
+      after_commit :"store_#{column}!", :on => [:create, :update]
 
-      class_eval <<-RUBY, __FILE__, __LINE__+1
+      mod = Module.new
+      prepend mod
+      mod.class_eval <<-RUBY, __FILE__, __LINE__+1
         def #{column}=(new_file)
           column = _mounter(:#{column}).serialization_column
           if !(new_file.blank? && __send__(:#{column}).blank?)
@@ -72,8 +77,9 @@ module CarrierWave
 
         def remove_#{column}=(value)
           column = _mounter(:#{column}).serialization_column
-          __send__(:"\#{column}_will_change!")
-          super
+          result = super
+          __send__(:"\#{column}_will_change!") if _mounter(:#{column}).remove?
+          result
         end
 
         def remove_#{column}!