dragonfly 0.8.4 → 0.8.5

data/History.md

@@ -1,4 +1,11 @@
-0.8.4 (2010-04-27)
+0.8.5 (2011-05-11)
+==================
+Fixes
+-----
+- Allow filenames that have '..' in them (but not '../') in the filedatastore
+- Better security for server
+
+0.8.4 (2011-04-27)
 ==================
 Fixes
 -----

data/README.md

@@ -10,7 +10,7 @@ For the lazy Rails user...
 **Gemfile**:
 
     gem 'rack-cache', :require => 'rack/cache'
-    gem 'dragonfly', '~>0.8.1'
+    gem 'dragonfly', '~>0.8.5'
 
 **Initializer** (e.g. config/initializers/dragonfly.rb):
 

data/VERSION

@@ -1 +1 @@
-0.8.4
+0.8.5

data/dragonfly.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{dragonfly}
-  s.version = "0.8.4"
+  s.version = "0.8.5"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Mark Evans"]
-  s.date = %q{2011-04-27}
+  s.date = %q{2011-05-11}
   s.email = %q{mark@new-bamboo.co.uk}
   s.extra_rdoc_files = [
     "LICENSE",
@@ -178,54 +178,6 @@ Gem::Specification.new do |s|
   s.require_paths = ["lib"]
   s.rubygems_version = %q{1.5.2}
   s.summary = %q{Dragonfly is an on-the-fly Rack-based image handling framework. It is suitable for use with Rails, Sinatra and other web frameworks. Although it's mainly used for images, it can handle any content type.}
-  s.test_files = [
-    "spec/argument_matchers.rb",
-    "spec/dragonfly/active_model_extensions/active_model_setup.rb",
-    "spec/dragonfly/active_model_extensions/active_record_setup.rb",
-    "spec/dragonfly/active_model_extensions/model_spec.rb",
-    "spec/dragonfly/active_model_extensions/spec_helper.rb",
-    "spec/dragonfly/analyser_spec.rb",
-    "spec/dragonfly/analysis/file_command_analyser_spec.rb",
-    "spec/dragonfly/analysis/image_magick_analyser_spec.rb",
-    "spec/dragonfly/analysis/r_magick_analyser_spec.rb",
-    "spec/dragonfly/analysis/shared_analyser_spec.rb",
-    "spec/dragonfly/app_spec.rb",
-    "spec/dragonfly/config/r_magick_spec.rb",
-    "spec/dragonfly/configurable_spec.rb",
-    "spec/dragonfly/core_ext/array_spec.rb",
-    "spec/dragonfly/core_ext/hash_spec.rb",
-    "spec/dragonfly/core_ext/string_spec.rb",
-    "spec/dragonfly/core_ext/symbol_spec.rb",
-    "spec/dragonfly/data_storage/data_store_spec.rb",
-    "spec/dragonfly/data_storage/file_data_store_spec.rb",
-    "spec/dragonfly/data_storage/mongo_data_store_spec.rb",
-    "spec/dragonfly/data_storage/s3_data_store_spec.rb",
-    "spec/dragonfly/encoding/image_magick_encoder_spec.rb",
-    "spec/dragonfly/encoding/r_magick_encoder_spec.rb",
-    "spec/dragonfly/function_manager_spec.rb",
-    "spec/dragonfly/generation/hash_with_css_style_keys_spec.rb",
-    "spec/dragonfly/generation/image_magick_generator_spec.rb",
-    "spec/dragonfly/generation/r_magick_generator_spec.rb",
-    "spec/dragonfly/generation/shared_generator_spec.rb",
-    "spec/dragonfly/image_magick_utils_spec.rb",
-    "spec/dragonfly/job_builder_spec.rb",
-    "spec/dragonfly/job_definitions_spec.rb",
-    "spec/dragonfly/job_endpoint_spec.rb",
-    "spec/dragonfly/job_spec.rb",
-    "spec/dragonfly/loggable_spec.rb",
-    "spec/dragonfly/middleware_spec.rb",
-    "spec/dragonfly/processing/image_magick_processor_spec.rb",
-    "spec/dragonfly/processing/r_magick_processor_spec.rb",
-    "spec/dragonfly/processing/shared_processing_spec.rb",
-    "spec/dragonfly/routed_endpoint_spec.rb",
-    "spec/dragonfly/serializer_spec.rb",
-    "spec/dragonfly/simple_cache_spec.rb",
-    "spec/dragonfly/simple_endpoint_spec.rb",
-    "spec/dragonfly/temp_object_spec.rb",
-    "spec/image_matchers.rb",
-    "spec/simple_matchers.rb",
-    "spec/spec_helper.rb"
-  ]
 
   if s.respond_to? :specification_version then
     s.specification_version = 3

data/extra_docs/Rails2.md

@@ -34,7 +34,7 @@ Gems
 ----
 environment.rb
 
-    config.gem 'dragonfly', '~>0.8.1'
+    config.gem 'dragonfly', '~>0.8.5'
     config.gem 'rack-cache', :lib => 'rack/cache'
 
 Capistrano

data/extra_docs/Rails3.md

@@ -33,7 +33,7 @@ application.rb:
 Gemfile
 -------
 
-    gem 'dragonfly', '~>0.8.1'
+    gem 'dragonfly', '~>0.8.5'
     gem 'rack-cache', :require => 'rack/cache'
 
 Capistrano

data/lib/dragonfly/data_storage/file_data_store.rb

@@ -114,7 +114,7 @@ module Dragonfly
       end
 
       def validate_uid!(uid)
-        raise BadUID, "tried to fetch uid #{uid.inspect} - perhaps due to a malicious user" if uid['..']
+        raise BadUID, "tried to fetch uid #{uid.inspect} - perhaps due to a malicious user" if uid['../']
       end
 
     end

data/lib/dragonfly/simple_endpoint.rb

@@ -1,6 +1,9 @@
 module Dragonfly
   class SimpleEndpoint
 
+    # Exceptions
+    class JobNotAllowed < RuntimeError; end
+
     include Loggable
 
     # Instance methods
@@ -18,6 +21,7 @@ module Dragonfly
         dragonfly_response
       else
         job = Job.from_path(request.path_info, app)
+        validate_job!(job)
         job.validate_sha!(request['s']) if app.protect_from_dos_attacks
         Response.new(job, env).to_response
       end
@@ -28,6 +32,9 @@ module Dragonfly
       [400, {"Content-Type" => 'text/plain'}, ["You need to give a SHA parameter"]]
     rescue Job::IncorrectSHA => e
       [400, {"Content-Type" => 'text/plain'}, ["The SHA parameter you gave (#{e}) is incorrect"]]
+    rescue JobNotAllowed => e
+      log.warn(e.message)
+      [403, {"Content-Type" => 'text/plain'}, ["Forbidden"]]
     end
 
     def required_params_for(job)
@@ -58,6 +65,12 @@ module Dragonfly
         [body]
       ]
     end
+    
+    def validate_job!(job)
+      if job.fetch_file_step
+        raise JobNotAllowed, "Dragonfly Server doesn't allow requesting job with steps #{job.steps.inspect}"
+      end
+    end
 
   end
 end

data/spec/dragonfly/simple_endpoint_spec.rb

@@ -56,6 +56,14 @@ describe Dragonfly::SimpleEndpoint do
     response.content_type.should == 'text/plain'
   end
 
+  it "should return a 403 forbidden when fetch_file is requested" do
+    url = @app.fetch_file('/some/file.txt').url
+    response = request(@endpoint, url)
+    response.status.should == 403
+    response.body.should == 'Forbidden'
+    response.content_type.should == 'text/plain'
+  end
+
   it "should still work when mapped to a prefix" do
     endpoint = @endpoint
     rack_app = Rack::Builder.new do

metadata

@@ -2,7 +2,7 @@
 name: dragonfly
 version: !ruby/object:Gem::Version 
   prerelease: 
-  version: 0.8.4
+  version: 0.8.5
 platform: ruby
 authors: 
 - Mark Evans
@@ -10,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-04-27 00:00:00 +01:00
+date: 2011-05-11 00:00:00 +01:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -417,50 +417,5 @@ rubygems_version: 1.5.2
 signing_key: 
 specification_version: 3
 summary: Dragonfly is an on-the-fly Rack-based image handling framework. It is suitable for use with Rails, Sinatra and other web frameworks. Although it's mainly used for images, it can handle any content type.
-test_files: 
-- spec/argument_matchers.rb
-- spec/dragonfly/active_model_extensions/active_model_setup.rb
-- spec/dragonfly/active_model_extensions/active_record_setup.rb
-- spec/dragonfly/active_model_extensions/model_spec.rb
-- spec/dragonfly/active_model_extensions/spec_helper.rb
-- spec/dragonfly/analyser_spec.rb
-- spec/dragonfly/analysis/file_command_analyser_spec.rb
-- spec/dragonfly/analysis/image_magick_analyser_spec.rb
-- spec/dragonfly/analysis/r_magick_analyser_spec.rb
-- spec/dragonfly/analysis/shared_analyser_spec.rb
-- spec/dragonfly/app_spec.rb
-- spec/dragonfly/config/r_magick_spec.rb
-- spec/dragonfly/configurable_spec.rb
-- spec/dragonfly/core_ext/array_spec.rb
-- spec/dragonfly/core_ext/hash_spec.rb
-- spec/dragonfly/core_ext/string_spec.rb
-- spec/dragonfly/core_ext/symbol_spec.rb
-- spec/dragonfly/data_storage/data_store_spec.rb
-- spec/dragonfly/data_storage/file_data_store_spec.rb
-- spec/dragonfly/data_storage/mongo_data_store_spec.rb
-- spec/dragonfly/data_storage/s3_data_store_spec.rb
-- spec/dragonfly/encoding/image_magick_encoder_spec.rb
-- spec/dragonfly/encoding/r_magick_encoder_spec.rb
-- spec/dragonfly/function_manager_spec.rb
-- spec/dragonfly/generation/hash_with_css_style_keys_spec.rb
-- spec/dragonfly/generation/image_magick_generator_spec.rb
-- spec/dragonfly/generation/r_magick_generator_spec.rb
-- spec/dragonfly/generation/shared_generator_spec.rb
-- spec/dragonfly/image_magick_utils_spec.rb
-- spec/dragonfly/job_builder_spec.rb
-- spec/dragonfly/job_definitions_spec.rb
-- spec/dragonfly/job_endpoint_spec.rb
-- spec/dragonfly/job_spec.rb
-- spec/dragonfly/loggable_spec.rb
-- spec/dragonfly/middleware_spec.rb
-- spec/dragonfly/processing/image_magick_processor_spec.rb
-- spec/dragonfly/processing/r_magick_processor_spec.rb
-- spec/dragonfly/processing/shared_processing_spec.rb
-- spec/dragonfly/routed_endpoint_spec.rb
-- spec/dragonfly/serializer_spec.rb
-- spec/dragonfly/simple_cache_spec.rb
-- spec/dragonfly/simple_endpoint_spec.rb
-- spec/dragonfly/temp_object_spec.rb
-- spec/image_matchers.rb
-- spec/simple_matchers.rb
-- spec/spec_helper.rb
+test_files: []
+