dragonfly 0.9.13 → 0.9.14

data/History.md

@@ -1,3 +1,15 @@
+0.9.14 (2013-02-13)
+===================
+Features
+--------
+- Attachment#b64_data
+
+Fixes
+-----
+- Fix '+' character being converted to ' ' (revert to URI.escape instead of Rack::Utils.escape)
+- Support old-style deprecated urls (with a check for malicious ones)
+- Handle case where uid is an empty string
+
 0.9.13 (2013-01-30)
 ===================
 Changes

data/README.md

@@ -13,7 +13,7 @@ For the lazy Rails user...
 
 ```ruby
 gem 'rack-cache', :require => 'rack/cache'
-gem 'dragonfly', '~>0.9.13'
+gem 'dragonfly', '~>0.9.14'
 ```
 
 **Initializer** (e.g. config/initializers/dragonfly.rb):

data/VERSION

@@ -1 +1 @@
-0.9.13
+0.9.14

data/dragonfly.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "dragonfly"
-  s.version = "0.9.13"
+  s.version = "0.9.14"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Mark Evans"]
-  s.date = "2013-01-30"
+  s.date = "2013-02-13"
   s.description = "Dragonfly is a framework that enables on-the-fly processing for any content type.\n  It is especially suited to image handling. Its uses range from image thumbnails to standard attachments to on-demand text generation."
   s.email = "mark@new-bamboo.co.uk"
   s.extra_rdoc_files = [
@@ -178,6 +178,7 @@ Gem::Specification.new do |s|
     "spec/functional/remote_on_the_fly_spec.rb",
     "spec/functional/shell_commands_spec.rb",
     "spec/functional/to_response_spec.rb",
+    "spec/functional/urls_spec.rb",
     "spec/spec_helper.rb",
     "spec/support/argument_matchers.rb",
     "spec/support/image_matchers.rb",

data/extra_docs/Rails3.md

@@ -35,7 +35,7 @@ application.rb:
 Gemfile
 -------
 
-    gem 'dragonfly', '~>0.9.13'
+    gem 'dragonfly', '~>0.9.14'
     gem 'rack-cache', :require => 'rack/cache'
 
 Capistrano

data/lib/dragonfly/active_model_extensions/attachment.rb

@@ -11,7 +11,7 @@ module Dragonfly
 
       extend Forwardable
       def_delegators :job,
-        :data, :to_file, :file, :tempfile, :path,
+        :data, :b64_data, :to_file, :file, :tempfile, :path,
         :process, :encode, :analyse,
         :meta, :meta=,
         :name, :size,
@@ -20,11 +20,11 @@ module Dragonfly
       include HasFilename
 
       alias_method :length, :size
-      
+
       def initialize(model)
         @model = model
         self.uid = model_uid
-        set_job_from_uid if uid
+        set_job_from_uid if uid?
         @should_run_callbacks = true
         self.class.ensure_uses_cached_magic_attributes
       end
@@ -32,7 +32,7 @@ module Dragonfly
       def app
         self.class.app
       end
-      
+
       def attribute
         self.class.attribute
       end
@@ -66,7 +66,7 @@ module Dragonfly
 
       def destroy!
         destroy_previous!
-        destroy_content(uid) if uid
+        destroy_content(uid) if uid?
       end
 
       def save!
@@ -95,18 +95,18 @@ module Dragonfly
         assign(encode(*args))
         self
       end
-      
+
       def remote_url(opts={})
-        app.remote_url_for(uid, opts) if uid
+        app.remote_url_for(uid, opts) if uid?
       end
-      
+
       def apply
         job.apply
         self
       end
 
       attr_writer :should_run_callbacks
-      
+
       def should_run_callbacks?
         !!@should_run_callbacks
       end
@@ -121,26 +121,26 @@ module Dragonfly
       end
 
       attr_writer :should_retain
-      
+
       def should_retain?
         !!@should_retain
       end
-      
+
       def retained?
         !!@retained
       end
-      
+
       def destroy_retained!
         destroy_content(retained_attrs[:uid])
       end
-      
+
       def retained_attrs
         attribute_keys.inject({}) do |hash, key|
           hash[key] = send(key)
           hash
         end if retained?
       end
-      
+
       def retained_attrs=(attrs)
         if changed? # if already set, ignore and destroy this retained content
           destroy_content(attrs[:uid])
@@ -156,7 +156,7 @@ module Dragonfly
           self.retained = true
         end
       end
-      
+
       def inspect
         "<Dragonfly Attachment uid=#{uid.inspect}, app=#{app.name.inspect}>"
       end
@@ -187,7 +187,7 @@ module Dragonfly
       end
 
       def destroy_previous!
-        if previous_uid
+        if previous_uid?
           destroy_content(previous_uid)
           self.previous_uid = nil
         end
@@ -217,7 +217,7 @@ module Dragonfly
         meth = "#{attribute}_uid_will_change!"
         model.send(meth) if model.respond_to?(meth)
       end
-      
+
       attr_reader :model, :uid
       attr_writer :job
       attr_accessor :previous_uid
@@ -227,6 +227,14 @@ module Dragonfly
         @uid = uid
       end
 
+      def uid?
+        !uid.nil? && !uid.empty?
+      end
+
+      def previous_uid?
+         !previous_uid.nil? && !previous_uid.empty?
+      end
+
       def magic_attributes
         self.class.magic_attributes
       end
@@ -264,11 +272,11 @@ module Dragonfly
           :model_attachment => attribute
         }
       end
-      
+
       def all_extra_attributes
         magic_attributes_hash.merge(extra_attributes)
       end
-      
+
       def set_job_from_uid
         self.job = app.fetch(uid)
         job.url_attrs = all_extra_attributes
@@ -276,4 +284,4 @@ module Dragonfly
 
     end
   end
-end
+end

data/lib/dragonfly/job.rb

@@ -160,19 +160,24 @@ module Dragonfly
 
       def from_a(steps_array, app)
         unless steps_array.is_a?(Array) &&
-               steps_array.all?{|s| s.is_a?(Array) && step_abbreviations[s.first] }
+               steps_array.all?{|s| s.is_a?(Array) && step_abbreviations[s.first.to_s] }
           raise InvalidArray, "can't define a job from #{steps_array.inspect}"
         end
         job = app.new_job
         steps_array.each do |step_array|
-          step_class = step_abbreviations[step_array.shift]
+          step_class = step_abbreviations[step_array.shift.to_s]
           job.steps << step_class.new(job, *step_array)
         end
         job
       end
 
       def deserialize(string, app)
-        from_a(Serializer.json_decode(string), app)
+        array = begin
+          Serializer.json_decode(string)
+        rescue Serializer::BadString
+          Serializer.marshal_decode(string) # legacy strings
+        end
+        from_a(array, app)
       end
 
       def step_abbreviations

data/lib/dragonfly/serializer.rb

@@ -7,6 +7,7 @@ module Dragonfly
 
     # Exceptions
     class BadString < RuntimeError; end
+    class MaliciousString < RuntimeError; end
 
     extend self # So we can do Serializer.b64_encode, etc.
 
@@ -16,6 +17,7 @@ module Dragonfly
 
     def b64_decode(string)
       padding_length = string.length % 4
+      string = string.tr('~', '/')
       Base64.decode64(string + '=' * padding_length)
     end
 
@@ -24,7 +26,9 @@ module Dragonfly
     end
 
     def marshal_decode(string)
-      Marshal.load(b64_decode(string))
+      marshal_string = b64_decode(string)
+      raise MaliciousString, "potentially malicious marshal string #{marshal_string.inspect}" if marshal_string[/@[a-z_]/i]
+      Marshal.load(marshal_string)
     rescue TypeError, ArgumentError => e
       raise BadString, "couldn't decode #{string} - got #{e}"
     end

data/lib/dragonfly/server.rb

@@ -52,7 +52,7 @@ module Dragonfly
     rescue JobNotAllowed => e
       log.warn(e.message)
       [403, {"Content-Type" => 'text/plain'}, ["Forbidden"]]
-    rescue Serializer::BadString, Job::InvalidArray => e
+    rescue Serializer::BadString, Serializer::MaliciousString, Job::InvalidArray => e
       log.warn(e.message)
       [404, {'Content-Type' => 'text/plain'}, ['Not found']]
     end

data/lib/dragonfly/url_mapper.rb

@@ -24,7 +24,7 @@ module Dragonfly
         params = Rack::Utils.parse_query(query)
         params_in_url.each_with_index do |var, i|
           value = md[i+1][1..-1] if md[i+1]
-          params[var] = value && Rack::Utils.unescape(value)
+          params[var] = value && Utils.uri_unescape(value)
         end
         params
       end
@@ -39,7 +39,7 @@ module Dragonfly
       url = url_format.dup
       segments.each do |seg|
         value = params[seg.param]
-        value ? url.sub!(/:[\w_]+/, Rack::Utils.escape(value.to_s)) : url.sub!(/.:[\w_]+/, '')
+        value ? url.sub!(/:[\w_]+/, Utils.uri_escape_segment(value.to_s)) : url.sub!(/.:[\w_]+/, '')
         params.delete(seg.param)
       end
       url << "?#{Rack::Utils.build_query(params)}" if params.any?

data/lib/dragonfly/utils.rb

@@ -1,4 +1,5 @@
 require 'tempfile'
+require 'uri'
 
 module Dragonfly
   module Utils
@@ -20,5 +21,13 @@ module Dragonfly
       end
     end
 
+    def uri_escape_segment(string)
+      URI.escape(string).sub('/', '%2F')
+    end
+
+    def uri_unescape(string)
+      URI.unescape(string)
+    end
+
   end
 end

data/spec/dragonfly/active_model_extensions/model_spec.rb

@@ -124,6 +124,18 @@ describe Item do
       end
     end
 
+    describe "after a record with an empty uid is saved" do
+      before(:each) do
+        @item.preview_image_uid = ''
+        @item.save!
+      end
+
+      it "should not try to destroy anything on destroy" do
+        @app.datastore.should_not_receive(:destroy)
+        @item.destroy
+      end
+    end
+
     describe "when the uid is set manually" do
       before(:each) do
         @item.preview_image_uid = 'some_known_uid'

data/spec/dragonfly/job_spec.rb

@@ -499,6 +499,11 @@ describe Dragonfly::Job do
       end
     end
 
+    it "works with symbols" do
+      job = Dragonfly::Job.from_a([[:f, 'some_uid']], @app)
+      job.steps.should match_steps([Dragonfly::Job::Fetch])
+    end
+
     [
       'f',
       ['f'],
@@ -539,6 +544,14 @@ describe Dragonfly::Job do
       process_step.name.should == :resize_and_crop
       process_step.arguments.should == [{'width' => 270, 'height' => 92, 'gravity' => 'n'}]
     end
+    it "works with json encoded strings" do
+      job = Dragonfly::Job.deserialize("W1siZiIsInNvbWVfdWlkIl1d", @app)
+      job.fetch_step.uid.should == 'some_uid'
+    end
+    it "works with marshal encoded strings (deprecated)" do
+      job = Dragonfly::Job.deserialize("BAhbBlsHSSIGZgY6BkVUSSINc29tZV91aWQGOwBU", @app)
+      job.fetch_step.uid.should == 'some_uid'
+    end
   end
 
   describe "to_app" do

data/spec/dragonfly/serializer_spec.rb

@@ -5,22 +5,32 @@ describe Dragonfly::Serializer do
 
   include Dragonfly::Serializer
 
-  [
-    'a',
-    'sdhflasd',
-    '/2010/03/01/hello.png',
-    '//..',
-    'whats/up.egg.frog',
-    '£ñçùí;'
-  ].each do |string|
-    it "should encode #{string.inspect} properly with no padding/line break" do
-      b64_encode(string).should_not =~ /\n|=/
+  describe "base 64 encoding/decoding" do
+    [
+      'a',
+      'sdhflasd',
+      '/2010/03/01/hello.png',
+      '//..',
+      'whats/up.egg.frog',
+      '£ñçùí;',
+      '~'
+    ].each do |string|
+      it "should encode #{string.inspect} properly with no padding/line break" do
+        b64_encode(string).should_not =~ /\n|=/
+      end
+      it "should correctly encode and decode #{string.inspect} to the same string" do
+        str = b64_decode(b64_encode(string))
+        str.force_encoding('UTF-8') if str.respond_to?(:force_encoding)
+        str.should == string
+      end
     end
-    it "should correctly encode and decode #{string.inspect} to the same string" do
-      str = b64_decode(b64_encode(string))
-      str.force_encoding('UTF-8') if str.respond_to?(:force_encoding)
-      str.should == string
+
+    describe "b64_decode" do
+      it "converts (deprecated) '~' characters to '/' characters" do
+        b64_decode('asdf~asdf').should == b64_decode('asdf/asdf')
+      end
     end
+
   end
 
   [
@@ -55,6 +65,19 @@ describe Dragonfly::Serializer do
         marshal_decode('ahasdkjfhasdkfjh')
       }.should raise_error(Dragonfly::Serializer::BadString)
     end
+    describe "potentially harmful strings" do
+      ['_', 'hello', 'h2', '__send__', 'F'].each do |variable_name|
+        it "should raise an error if the string passed in is potentially harmful (e.g. contains instance variable #{variable_name})" do
+          class C; end
+          c = C.new
+          c.instance_eval{ instance_variable_set("@#{variable_name}", 1) }
+          string = Dragonfly::Serializer.b64_encode(Marshal.dump(c))
+          lambda{
+            marshal_decode(string)
+          }.should raise_error(Dragonfly::Serializer::MaliciousString)
+        end
+      end
+    end
   end
 
   [

data/spec/dragonfly/server_spec.rb

@@ -121,6 +121,16 @@ describe Dragonfly::Server do
         response.headers['X-Cascade'].should be_nil
       end
 
+      it "should return a 404 when the url is malicious" do
+        class C; def initialize; @a = 1; end; end
+        url = "/media/#{Dragonfly::Serializer.marshal_encode(C.new)}"
+        response = request(@server, url)
+        response.status.should == 404
+        response.body.should == 'Not found'
+        response.content_type.should == 'text/plain'
+        response.headers['X-Cascade'].should be_nil
+      end
+
       it "should return a 403 Forbidden when someone uses fetch_file" do
         response = request(@server, "/media/#{@app.fetch_file('/some/file.txt').serialize}")
         response.status.should == 403

data/spec/dragonfly/url_mapper_spec.rb

@@ -20,13 +20,13 @@ describe Dragonfly::UrlMapper do
       url_mapper.params_in_url.should == ['job', 'basename', 'ext']
     end
   end
-  
+
   describe "url_regexp" do
     it "should return a regexp with non-greedy optional groups that include the preceding slash/dot/dash" do
       url_mapper = Dragonfly::UrlMapper.new('/media/:job/:basename-:size.:format')
       url_mapper.url_regexp.should == %r{^/media(/[^\/\-\.]+?)?(/[^\/\-\.]+?)?(\-[^\/\-\.]+?)?(\.[^\/\-\.]+?)?$}
     end
-    
+
     it "should allow setting custom patterns in the url" do
       url_mapper = Dragonfly::UrlMapper.new('/media/:job-:size.:format',
         :job => '\w',
@@ -35,7 +35,7 @@ describe Dragonfly::UrlMapper do
       )
       url_mapper.url_regexp.should == %r{^/media(/\w+?)?(\-\d+?)?(\.[^\.]+?)?$}
     end
-    
+
     it "should make optional match patterns (ending in ?) apply to the whole group including the preceding seperator" do
       url_mapper = Dragonfly::UrlMapper.new('/media/:job', :job => '\w')
       url_mapper.url_regexp.should == %r{^/media(/\w+?)?$}
@@ -44,28 +44,25 @@ describe Dragonfly::UrlMapper do
 
   describe "url_for" do
     before(:each) do
-      @url_mapper = Dragonfly::UrlMapper.new('/media/:job-:size',
-        :job => '\w',
-        :size => '\w'
-      )
+      @url_mapper = Dragonfly::UrlMapper.new('/media/:job-:size')
     end
-    
+
     it "should map correctly" do
       @url_mapper.url_for('job' => 'asdf', 'size' => '30x30').should == '/media/asdf-30x30'
     end
-    
+
     it "should add extra params as query parameters" do
       @url_mapper.url_for('job' => 'asdf', 'size' => '30x30', 'when' => 'now').should == '/media/asdf-30x30?when=now'
     end
-    
+
     it "should not worry if params aren't given" do
       @url_mapper.url_for('job' => 'asdf', 'when' => 'now', 'then' => 'soon').should match_url '/media/asdf?when=now&then=soon'
     end
-    
+
     it "should call to_s on non-string values" do
       @url_mapper.url_for('job' => 'asdf', 'size' => 500).should == '/media/asdf-500'
     end
-    
+
     it "should url-escape funny characters in the path" do
       @url_mapper.url_for('job' => 'a#c').should == '/media/a%23c'
     end
@@ -84,20 +81,20 @@ describe Dragonfly::UrlMapper do
     before(:each) do
       @url_mapper = Dragonfly::UrlMapper.new('/media/:job')
     end
-    
+
     it "should map correctly" do
       @url_mapper.params_for('/media/asdf').should == {'job' => 'asdf'}
     end
-    
+
     it "should include query parameters" do
       @url_mapper.params_for('/media/asdf', 'when=now').should == {'job' => 'asdf', 'when' => 'now'}
     end
-    
+
     it "should generally be ok with wierd characters" do
       @url_mapper = Dragonfly::UrlMapper.new('/media/:doobie')
       @url_mapper.params_for('/media/sd sdf jl£@$ sdf:_', 'job=goodun').should == {'job' => 'goodun', 'doobie' => 'sd sdf jl£@$ sdf:_'}
     end
-    
+
     it "should correctly url-unescape funny characters" do
       @url_mapper.params_for('/media/a%23c').should == {'job' => 'a#c'}
     end
@@ -106,7 +103,6 @@ describe Dragonfly::UrlMapper do
   describe "matching urls with standard format /media/:job/:basename.:format" do
     before(:each) do
       @url_mapper = Dragonfly::UrlMapper.new('/media/:job/:basename.:format',
-        :job => '\w',
         :basename => '[^\/]',
         :format => '[^\.]'
       )
@@ -126,22 +122,23 @@ describe Dragonfly::UrlMapper do
       '/media/asdf.egg' =>       {'job' => 'asdf', 'basename' => nil,     'format' => 'egg'},
       '/media/asdf/stuff/egg' => nil,
       '/media/asdf/stuff.dog.egg' => {'job' => 'asdf', 'basename' => 'stuff.dog', 'format' => 'egg'},
-      '/media/asdf/s%3D2+-.d.e' => {'job' => 'asdf', 'basename' => 's=2 -.d', 'format' => 'e'},
-      '/media/asdf-40x40/stuff.egg' => nil
+      '/media/asdf/s=2+-.d.e' => {'job' => 'asdf', 'basename' => 's=2+-.d', 'format' => 'e'},
+      '/media/asdf-40x40/stuff.egg' => nil,
+      '/media/a%23c' => {'job' => 'a#c', 'basename' => nil, 'format' => nil}
     }.each do |path, params|
-      
+
       it "should turn the url #{path} into params #{params.inspect}" do
         @url_mapper.params_for(path).should == params
-      end    
-      
+      end
+
       if params
         it "should turn the params #{params.inspect} into url #{path}" do
           @url_mapper.url_for(params).should == path
         end
       end
-      
+
     end
 
   end
-  
+
 end

data/spec/functional/urls_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+
+describe "urls" do
+
+  def request(app, path)
+    Rack::MockRequest.new(app).get(path)
+  end
+
+  def job_should_match(array)
+    Dragonfly::Response.should_receive(:new).with do |job, env|
+      job.to_a.should == array
+    end.and_return(mock('response', :to_response => [200, {'Content-Type' => 'text/plain'}, ["OK"]]))
+  end
+
+  let (:app) { test_app }
+
+  it "works with old marshalled urls (including with tildes in them)" do
+    url = "/BAhbBlsHOgZmSSIIPD4~BjoGRVQ"
+    job_should_match [["f", "<>?"]]
+    response = request(app, url)
+  end
+
+  it "blows up if it detects bad objects" do
+    url = "/BAhvOgZDBjoLQHRoaW5nSSIId2VlBjoGRVQ"
+    Dragonfly::Response.should_not_receive(:new)
+    response = request(app, url)
+    response.status.should == 404
+  end
+
+  it "works with the '%2B' character" do
+    url = "/W1siZiIsIjIwMTIvMTEvMDMvMTdfMzhfMDhfNTc4X19NR181ODk5Xy5qcGciXSxbInAiLCJ0aHVtYiIsIjQ1MHg0NTA%2BIl1d/_MG_5899+.jpg"
+    job_should_match [["f", "2012/11/03/17_38_08_578__MG_5899_.jpg"], ["p", "thumb", "450x450>"]]
+    response = request(app, url)
+  end
+
+  it "works when '%2B' has been converted to + (e.g. with nginx)" do
+    url = "/W1siZiIsIjIwMTIvMTEvMDMvMTdfMzhfMDhfNTc4X19NR181ODk5Xy5qcGciXSxbInAiLCJ0aHVtYiIsIjQ1MHg0NTA+Il1d/_MG_5899+.jpg"
+    job_should_match [["f", "2012/11/03/17_38_08_578__MG_5899_.jpg"], ["p", "thumb", "450x450>"]]
+    response = request(app, url)
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dragonfly
 version: !ruby/object:Gem::Version
-  version: 0.9.13
+  version: 0.9.14
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-01-30 00:00:00.000000000 Z
+date: 2013-02-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -502,6 +502,7 @@ files:
 - spec/functional/remote_on_the_fly_spec.rb
 - spec/functional/shell_commands_spec.rb
 - spec/functional/to_response_spec.rb
+- spec/functional/urls_spec.rb
 - spec/spec_helper.rb
 - spec/support/argument_matchers.rb
 - spec/support/image_matchers.rb
@@ -529,7 +530,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -2307100787498819433
+      hash: -1610166145286138499
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: