dragonfly 0.9.14 → 0.9.15

data/.gitignore

@@ -0,0 +1,16 @@
+*.sw?
+.DS_Store
+coverage
+**.sqlite3
+pkg
+.yardoc
+doc
+fixtures/*/tmp_app
+.ginger
+.bundle
+.rvmrc
+spec/spec.log
+Gemfile.lock
+.s3_spec.yml
+***.rbc
+spec/support/tmp.rb

data/Gemfile

@@ -1,32 +1,2 @@
-source :rubygems
-
-gem "rack"
-gem "multi_json", "~> 1.0"
-
-# These gems are needed for development and testing
-group :development, :test, :cucumber do
-  gem 'capybara'
-  gem 'cucumber', '~>1.2.1'
-  gem 'cucumber-rails', "~> 1.3.0"
-  gem 'database_cleaner'
-  gem 'jeweler', '>= 1.5.2'
-  gem 'fog'
-  gem 'github-markup'
-  gem 'mongo'
-  gem 'couchrest', '~> 1.0'
-  gem 'rack-cache'
-  gem 'rails', '~>3.2.0', :require => nil
-  gem 'rspec', '~> 2.5'
-  gem 'webmock'
-  gem 'yard'
-  if RUBY_PLATFORM == "java"
-    gem "jdbc-sqlite3"
-    gem "activerecord-jdbcsqlite3-adapter"
-    gem "jruby-openssl"
-  else
-    gem 'redcarpet', '~>1.0'
-    gem 'bluecloth'
-    gem 'bson_ext'
-    gem 'sqlite3'
-  end
-end
+source 'https://rubygems.org'
+gemspec

data/History.md

@@ -1,3 +1,14 @@
+0.9.15 (2013-05-04)
+===================
+Features
+--------
+- Allow turning off support of legacy urls
+
+Fixes
+-----
+- More conservative URL escaping - back to Rack::Utils.escape_path
+- Don't check for malicious strings when deserializing from datastores (they're to be trusted)
+
 0.9.14 (2013-02-13)
 ===================
 Features

data/README.md

@@ -7,13 +7,15 @@ Ideal for using with Ruby on Rails (2.3 and 3), Sinatra and all that gubbins.
 
 However, Dragonfly is NOT JUST FOR RAILS, and NOT JUST FOR IMAGES!!
 
+**IMPORTANT: if you're running a version between 0.7.0 and 0.9.12, please update to at least 0.9.14 for a security update [details here](https://groups.google.com/forum/?fromgroups=#!topic/dragonfly-users/3c3WIU3VQTo)**
+
 For the lazy Rails user...
 --------------------------
 **Gemfile**:
 
 ```ruby
 gem 'rack-cache', :require => 'rack/cache'
-gem 'dragonfly', '~>0.9.14'
+gem 'dragonfly', '~>0.9.15'
 ```
 
 **Initializer** (e.g. config/initializers/dragonfly.rb):
@@ -55,25 +57,25 @@ NB: REMEMBER THE MULTIPART BIT!!!
 You can avoid having to re-upload when validations fail with
 
 ```erb
-  <%= f.hidden_field :retained_cover_image %>
+<%= f.hidden_field :retained_cover_image %>
 ```
 
 remove the attachment with
 
 ```erb
-  <%= f.check_box :remove_cover_image %>
+<%= f.check_box :remove_cover_image %>
 ```
 
 assign from some other url with
 
 ```erb
-  <%= f.text_field :cover_image_url %>
+<%= f.text_field :cover_image_url %>
 ```
 
 and display a thumbnail (on the upload form) with
 
 ```erb
-  <%= image_tag @album.cover_image.thumb('100x100').url if @album.cover_image_uid %>
+<%= image_tag @album.cover_image.thumb('100x100').url if @album.cover_image_uid %>
 ```
 
 **View** (to display):

data/Rakefile

@@ -9,19 +9,6 @@ rescue Bundler::BundlerError => e
 end
 require 'rake'
 
-require 'jeweler'
-Jeweler::Tasks.new do |gem|
-  gem.name = "dragonfly"
-  gem.email = "mark@new-bamboo.co.uk"
-  gem.summary = %Q{Ideal gem for handling attachments in Rails, Sinatra and Rack applications.}
-  gem.description = %Q{Dragonfly is a framework that enables on-the-fly processing for any content type.
-  It is especially suited to image handling. Its uses range from image thumbnails to standard attachments to on-demand text generation.}
-  gem.homepage = "http://github.com/markevans/dragonfly"
-  gem.license = "MIT"
-  gem.authors = ["Mark Evans"]
-end
-Jeweler::RubygemsDotOrgTasks.new
-
 require 'rspec/core'
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new(:spec) do |spec|

data/dragonfly.gemspec

@@ -1,270 +1,51 @@
-# Generated by jeweler
-# DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
-# -*- encoding: utf-8 -*-
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'dragonfly/version'
 
-Gem::Specification.new do |s|
-  s.name = "dragonfly"
-  s.version = "0.9.14"
-
-  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.authors = ["Mark Evans"]
-  s.date = "2013-02-13"
-  s.description = "Dragonfly is a framework that enables on-the-fly processing for any content type.\n  It is especially suited to image handling. Its uses range from image thumbnails to standard attachments to on-demand text generation."
-  s.email = "mark@new-bamboo.co.uk"
-  s.extra_rdoc_files = [
+Gem::Specification.new do |spec|
+  spec.name = "dragonfly"
+  spec.version = Dragonfly::VERSION
+  spec.authors = ["Mark Evans"]
+  spec.email = "mark@new-bamboo.co.uk"
+  spec.description = "Dragonfly is a framework that enables on-the-fly processing for any content type.\n  It is especially suited to image handling. Its uses range from image thumbnails to standard attachments to on-demand text generation."
+  spec.summary = "Ideal gem for handling attachments in Rails, Sinatra and Rack applications."
+  spec.homepage = "http://github.com/markevans/dragonfly"
+  spec.license = "MIT"
+  spec.files = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+  spec.extra_rdoc_files = [
     "LICENSE",
     "README.md"
   ]
-  s.files = [
-    ".rspec",
-    ".yardopts",
-    "Gemfile",
-    "History.md",
-    "LICENSE",
-    "README.md",
-    "Rakefile",
-    "VERSION",
-    "config.ru",
-    "docs.watchr",
-    "dragonfly.gemspec",
-    "extra_docs/Analysers.md",
-    "extra_docs/Caching.md",
-    "extra_docs/Configuration.md",
-    "extra_docs/Couch.md",
-    "extra_docs/DataStorage.md",
-    "extra_docs/Encoding.md",
-    "extra_docs/ExampleUseCases.md",
-    "extra_docs/GeneralUsage.md",
-    "extra_docs/Generators.md",
-    "extra_docs/Heroku.md",
-    "extra_docs/ImageMagick.md",
-    "extra_docs/Index.md",
-    "extra_docs/MimeTypes.md",
-    "extra_docs/Models.md",
-    "extra_docs/Mongo.md",
-    "extra_docs/Processing.md",
-    "extra_docs/Rack.md",
-    "extra_docs/Rails2.md",
-    "extra_docs/Rails3.md",
-    "extra_docs/ServingRemotely.md",
-    "extra_docs/Sinatra.md",
-    "extra_docs/URLs.md",
-    "features/images.feature",
-    "features/no_processing.feature",
-    "features/rails.feature",
-    "features/steps/common_steps.rb",
-    "features/steps/dragonfly_steps.rb",
-    "features/steps/rails_steps.rb",
-    "features/support/env.rb",
-    "features/support/setup.rb",
-    "fixtures/rails/files/app/models/album.rb",
-    "fixtures/rails/files/app/views/albums/new.html.erb",
-    "fixtures/rails/files/app/views/albums/show.html.erb",
-    "fixtures/rails/files/config/initializers/dragonfly.rb",
-    "fixtures/rails/files/features/manage_album_images.feature",
-    "fixtures/rails/files/features/step_definitions/helper_steps.rb",
-    "fixtures/rails/files/features/step_definitions/image_steps.rb",
-    "fixtures/rails/files/features/step_definitions/web_steps.rb",
-    "fixtures/rails/files/features/support/paths.rb",
-    "fixtures/rails/files/features/text_images.feature",
-    "fixtures/rails/template.rb",
-    "irbrc.rb",
-    "lib/dragonfly.rb",
-    "lib/dragonfly/active_model_extensions.rb",
-    "lib/dragonfly/active_model_extensions/attachment.rb",
-    "lib/dragonfly/active_model_extensions/attachment_class_methods.rb",
-    "lib/dragonfly/active_model_extensions/class_methods.rb",
-    "lib/dragonfly/active_model_extensions/instance_methods.rb",
-    "lib/dragonfly/active_model_extensions/validations.rb",
-    "lib/dragonfly/analyser.rb",
-    "lib/dragonfly/analysis/file_command_analyser.rb",
-    "lib/dragonfly/analysis/image_magick_analyser.rb",
-    "lib/dragonfly/app.rb",
-    "lib/dragonfly/config/heroku.rb",
-    "lib/dragonfly/config/image_magick.rb",
-    "lib/dragonfly/config/rails.rb",
-    "lib/dragonfly/configurable.rb",
-    "lib/dragonfly/cookie_monster.rb",
-    "lib/dragonfly/core_ext/array.rb",
-    "lib/dragonfly/core_ext/hash.rb",
-    "lib/dragonfly/core_ext/object.rb",
-    "lib/dragonfly/data_storage.rb",
-    "lib/dragonfly/data_storage/couch_data_store.rb",
-    "lib/dragonfly/data_storage/file_data_store.rb",
-    "lib/dragonfly/data_storage/mongo_data_store.rb",
-    "lib/dragonfly/data_storage/s3data_store.rb",
-    "lib/dragonfly/encoder.rb",
-    "lib/dragonfly/encoding/image_magick_encoder.rb",
-    "lib/dragonfly/function_manager.rb",
-    "lib/dragonfly/generation/image_magick_generator.rb",
-    "lib/dragonfly/generator.rb",
-    "lib/dragonfly/has_filename.rb",
-    "lib/dragonfly/hash_with_css_style_keys.rb",
-    "lib/dragonfly/image_magick/analyser.rb",
-    "lib/dragonfly/image_magick/config.rb",
-    "lib/dragonfly/image_magick/encoder.rb",
-    "lib/dragonfly/image_magick/generator.rb",
-    "lib/dragonfly/image_magick/processor.rb",
-    "lib/dragonfly/image_magick/utils.rb",
-    "lib/dragonfly/image_magick_utils.rb",
-    "lib/dragonfly/job.rb",
-    "lib/dragonfly/job_builder.rb",
-    "lib/dragonfly/job_definitions.rb",
-    "lib/dragonfly/job_endpoint.rb",
-    "lib/dragonfly/loggable.rb",
-    "lib/dragonfly/middleware.rb",
-    "lib/dragonfly/processing/image_magick_processor.rb",
-    "lib/dragonfly/processor.rb",
-    "lib/dragonfly/rails/images.rb",
-    "lib/dragonfly/railtie.rb",
-    "lib/dragonfly/response.rb",
-    "lib/dragonfly/routed_endpoint.rb",
-    "lib/dragonfly/serializer.rb",
-    "lib/dragonfly/server.rb",
-    "lib/dragonfly/shell.rb",
-    "lib/dragonfly/simple_cache.rb",
-    "lib/dragonfly/temp_object.rb",
-    "lib/dragonfly/url_attributes.rb",
-    "lib/dragonfly/url_mapper.rb",
-    "lib/dragonfly/utils.rb",
-    "samples/DSC02119.JPG",
-    "samples/a.jp2",
-    "samples/beach.jpg",
-    "samples/beach.png",
-    "samples/egg.png",
-    "samples/round.gif",
-    "samples/sample.docx",
-    "samples/taj.jpg",
-    "samples/white pixel.png",
-    "spec/dragonfly/active_model_extensions/model_spec.rb",
-    "spec/dragonfly/active_model_extensions/spec_helper.rb",
-    "spec/dragonfly/analyser_spec.rb",
-    "spec/dragonfly/analysis/file_command_analyser_spec.rb",
-    "spec/dragonfly/app_spec.rb",
-    "spec/dragonfly/configurable_spec.rb",
-    "spec/dragonfly/cookie_monster_spec.rb",
-    "spec/dragonfly/core_ext/array_spec.rb",
-    "spec/dragonfly/core_ext/hash_spec.rb",
-    "spec/dragonfly/data_storage/couch_data_store_spec.rb",
-    "spec/dragonfly/data_storage/file_data_store_spec.rb",
-    "spec/dragonfly/data_storage/mongo_data_store_spec.rb",
-    "spec/dragonfly/data_storage/s3_data_store_spec.rb",
-    "spec/dragonfly/data_storage/shared_data_store_examples.rb",
-    "spec/dragonfly/function_manager_spec.rb",
-    "spec/dragonfly/has_filename_spec.rb",
-    "spec/dragonfly/hash_with_css_style_keys_spec.rb",
-    "spec/dragonfly/image_magick/analyser_spec.rb",
-    "spec/dragonfly/image_magick/encoder_spec.rb",
-    "spec/dragonfly/image_magick/generator_spec.rb",
-    "spec/dragonfly/image_magick/processor_spec.rb",
-    "spec/dragonfly/job_builder_spec.rb",
-    "spec/dragonfly/job_definitions_spec.rb",
-    "spec/dragonfly/job_endpoint_spec.rb",
-    "spec/dragonfly/job_spec.rb",
-    "spec/dragonfly/loggable_spec.rb",
-    "spec/dragonfly/middleware_spec.rb",
-    "spec/dragonfly/routed_endpoint_spec.rb",
-    "spec/dragonfly/serializer_spec.rb",
-    "spec/dragonfly/server_spec.rb",
-    "spec/dragonfly/shell_spec.rb",
-    "spec/dragonfly/simple_cache_spec.rb",
-    "spec/dragonfly/temp_object_spec.rb",
-    "spec/dragonfly/url_attributes.rb",
-    "spec/dragonfly/url_mapper_spec.rb",
-    "spec/functional/deprecations_spec.rb",
-    "spec/functional/image_magick_app_spec.rb",
-    "spec/functional/model_urls_spec.rb",
-    "spec/functional/remote_on_the_fly_spec.rb",
-    "spec/functional/shell_commands_spec.rb",
-    "spec/functional/to_response_spec.rb",
-    "spec/functional/urls_spec.rb",
-    "spec/spec_helper.rb",
-    "spec/support/argument_matchers.rb",
-    "spec/support/image_matchers.rb",
-    "spec/support/simple_matchers.rb",
-    "spec/test_imagemagick.ru",
-    "tmp/.gitignore",
-    "yard/handlers/configurable_attr_handler.rb",
-    "yard/setup.rb",
-    "yard/templates/default/fulldoc/html/css/common.css",
-    "yard/templates/default/layout/html/layout.erb",
-    "yard/templates/default/module/html/configuration_summary.erb",
-    "yard/templates/default/module/setup.rb"
-  ]
-  s.homepage = "http://github.com/markevans/dragonfly"
-  s.licenses = ["MIT"]
-  s.require_paths = ["lib"]
-  s.rubygems_version = "1.8.24"
-  s.summary = "Ideal gem for handling attachments in Rails, Sinatra and Rack applications."
 
-  if s.respond_to? :specification_version then
-    s.specification_version = 3
+  spec.add_runtime_dependency("rack", [">= 0"])
+  spec.add_runtime_dependency("multi_json", ["~> 1.0"])
 
-    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<rack>, [">= 0"])
-      s.add_runtime_dependency(%q<multi_json>, ["~> 1.0"])
-      s.add_development_dependency(%q<capybara>, [">= 0"])
-      s.add_development_dependency(%q<cucumber>, ["~> 1.2.1"])
-      s.add_development_dependency(%q<cucumber-rails>, ["~> 1.3.0"])
-      s.add_development_dependency(%q<database_cleaner>, [">= 0"])
-      s.add_development_dependency(%q<jeweler>, [">= 1.5.2"])
-      s.add_development_dependency(%q<fog>, [">= 0"])
-      s.add_development_dependency(%q<github-markup>, [">= 0"])
-      s.add_development_dependency(%q<mongo>, [">= 0"])
-      s.add_development_dependency(%q<couchrest>, ["~> 1.0"])
-      s.add_development_dependency(%q<rack-cache>, [">= 0"])
-      s.add_development_dependency(%q<rails>, ["~> 3.2.0"])
-      s.add_development_dependency(%q<rspec>, ["~> 2.5"])
-      s.add_development_dependency(%q<webmock>, [">= 0"])
-      s.add_development_dependency(%q<yard>, [">= 0"])
-      s.add_development_dependency(%q<redcarpet>, ["~> 1.0"])
-      s.add_development_dependency(%q<bluecloth>, [">= 0"])
-      s.add_development_dependency(%q<bson_ext>, [">= 0"])
-      s.add_development_dependency(%q<sqlite3>, [">= 0"])
-    else
-      s.add_dependency(%q<rack>, [">= 0"])
-      s.add_dependency(%q<multi_json>, ["~> 1.0"])
-      s.add_dependency(%q<capybara>, [">= 0"])
-      s.add_dependency(%q<cucumber>, ["~> 1.2.1"])
-      s.add_dependency(%q<cucumber-rails>, ["~> 1.3.0"])
-      s.add_dependency(%q<database_cleaner>, [">= 0"])
-      s.add_dependency(%q<jeweler>, [">= 1.5.2"])
-      s.add_dependency(%q<fog>, [">= 0"])
-      s.add_dependency(%q<github-markup>, [">= 0"])
-      s.add_dependency(%q<mongo>, [">= 0"])
-      s.add_dependency(%q<couchrest>, ["~> 1.0"])
-      s.add_dependency(%q<rack-cache>, [">= 0"])
-      s.add_dependency(%q<rails>, ["~> 3.2.0"])
-      s.add_dependency(%q<rspec>, ["~> 2.5"])
-      s.add_dependency(%q<webmock>, [">= 0"])
-      s.add_dependency(%q<yard>, [">= 0"])
-      s.add_dependency(%q<redcarpet>, ["~> 1.0"])
-      s.add_dependency(%q<bluecloth>, [">= 0"])
-      s.add_dependency(%q<bson_ext>, [">= 0"])
-      s.add_dependency(%q<sqlite3>, [">= 0"])
-    end
+  spec.add_development_dependency("capybara", [">= 0"])
+  spec.add_development_dependency("cucumber", ["~> 1.2.1"])
+  spec.add_development_dependency("cucumber-rails", ["~> 1.3.0"])
+  spec.add_development_dependency("database_cleaner", [">= 0"])
+  spec.add_development_dependency("fog", [">= 0"])
+  spec.add_development_dependency("github-markup", [">= 0"])
+  spec.add_development_dependency("mongo", [">= 0"])
+  spec.add_development_dependency("couchrest", ["~> 1.0"])
+  spec.add_development_dependency("rack-cache", [">= 0"])
+  spec.add_development_dependency("rails", ["~> 3.2.0"])
+  spec.add_development_dependency("rspec", ["~> 2.5"])
+  spec.add_development_dependency("webmock", [">= 0"])
+  spec.add_development_dependency("yard", [">= 0"])
+  if RUBY_PLATFORM == "java"
+    spec.add_development_dependency("jdbc-sqlite3", [">= 0"])
+    spec.add_development_dependency("activerecord-jdbcsqlite3-adapter", [">= 0"])
+    spec.add_development_dependency("jruby-openssl", [">= 0"])
   else
-    s.add_dependency(%q<rack>, [">= 0"])
-    s.add_dependency(%q<multi_json>, ["~> 1.0"])
-    s.add_dependency(%q<capybara>, [">= 0"])
-    s.add_dependency(%q<cucumber>, ["~> 1.2.1"])
-    s.add_dependency(%q<cucumber-rails>, ["~> 1.3.0"])
-    s.add_dependency(%q<database_cleaner>, [">= 0"])
-    s.add_dependency(%q<jeweler>, [">= 1.5.2"])
-    s.add_dependency(%q<fog>, [">= 0"])
-    s.add_dependency(%q<github-markup>, [">= 0"])
-    s.add_dependency(%q<mongo>, [">= 0"])
-    s.add_dependency(%q<couchrest>, ["~> 1.0"])
-    s.add_dependency(%q<rack-cache>, [">= 0"])
-    s.add_dependency(%q<rails>, ["~> 3.2.0"])
-    s.add_dependency(%q<rspec>, ["~> 2.5"])
-    s.add_dependency(%q<webmock>, [">= 0"])
-    s.add_dependency(%q<yard>, [">= 0"])
-    s.add_dependency(%q<redcarpet>, ["~> 1.0"])
-    s.add_dependency(%q<bluecloth>, [">= 0"])
-    s.add_dependency(%q<bson_ext>, [">= 0"])
-    s.add_dependency(%q<sqlite3>, [">= 0"])
+    spec.add_development_dependency("redcarpet", ["~> 1.0"])
+    spec.add_development_dependency("bluecloth", [">= 0"])
+    spec.add_development_dependency("bson_ext", [">= 0"])
+    spec.add_development_dependency("sqlite3", [">= 0"])
   end
-end
 
+end

data/extra_docs/Caching.md

@@ -6,7 +6,7 @@ the image is processed, and there might be a short delay and getting the respons
 
 However, dragonfly apps send `Cache-Control` and `ETag` headers in the response, so we can easily put a caching
 proxy like {http://varnish.projects.linpro.no Varnish}, {http://www.squid-cache.org Squid},
-{http://tomayko.com/src/rack-cache/ Rack::Cache}, etc. in front of the app, so that subsequent requests are served
+{http://rtomayko.github.com/rack-cache/ Rack::Cache}, etc. in front of the app, so that subsequent requests are served
 super-quickly straight out of the cache.
 
 The file 'dragonfly/rails/images' puts Rack::Cache in front of Dragonfly by default, but for better performance

data/extra_docs/Heroku.md

@@ -1,12 +1,7 @@
 Heroku
 ======
 
-The default configuration won't work out of the box for Heroku, because
-
-- Heroku doesn't allow saving files to the filesystem (although it does use tempfiles)
-- If on Heroku {http://devcenter.heroku.com/articles/stack Aspen/Bamboo stacks}, we won't need {http://tomayko.com/src/rack-cache/ Rack::Cache},
-because it already uses the caching proxy {http://varnish.projects.linpro.no/ Varnish}, which we can make use of.
-We will still need it on {http://devcenter.heroku.com/articles/cedar Heroku Cedar}, however, as it doesn't include Varnish.
+The default configuration won't work out of the box for Heroku, because the platform doesn't allow saving files to the filesystem (although it does use tempfiles).
 
 Instead of the normal {file:DataStorage#File\_datastore FileDataStore}, we can use the {file:DataStorage#S3\_datastore S3DataStore}.
 
@@ -51,7 +46,5 @@ From your app's directory:
 
 Replace 'XXXXXXXXX' with your access key and secret.
 
-**NOTE**: HEROKU'S VARNISH CACHE IS CLEARED EVERY TIME YOU DEPLOY!!! (DOESN'T APPLY TO CEDAR STACK)
-
 If this is an issue, you may want to look into storing thumbnails on S3 (see {file:ServingRemotely}), or maybe generating thumbnails _on upload_ (see {file:Models#Up-front_thumbnailing}), or maybe an after-deploy hook for hitting specific Dragonfly urls you want to cache, etc.
 It won't be a problem for most sites though.

data/extra_docs/Rails3.md

@@ -35,7 +35,7 @@ application.rb:
 Gemfile
 -------
 
-    gem 'dragonfly', '~>0.9.14'
+    gem 'dragonfly', '~>0.9.15'
     gem 'rack-cache', :require => 'rack/cache'
 
 Capistrano

data/lib/dragonfly.rb

@@ -31,6 +31,7 @@ end
 
 autoload_files_in_dir["#{File.dirname(__FILE__)}/dragonfly", 'Dragonfly']
 
+require 'dragonfly/version'
 require 'dragonfly/core_ext/object'
 require 'dragonfly/core_ext/array'
 require 'dragonfly/core_ext/hash'

data/lib/dragonfly/app.rb

@@ -52,6 +52,7 @@ module Dragonfly
     configurable_attr :trust_file_extensions, true
     configurable_attr :content_disposition
     configurable_attr :content_filename, Dragonfly::Response::DEFAULT_FILENAME
+    configurable_attr :allow_legacy_urls, true
 
     attr_reader :analyser
     attr_reader :processor

data/lib/dragonfly/job.rb

@@ -175,7 +175,11 @@ module Dragonfly
         array = begin
           Serializer.json_decode(string)
         rescue Serializer::BadString
-          Serializer.marshal_decode(string) # legacy strings
+          if app.allow_legacy_urls
+            Serializer.marshal_decode(string, :check_malicious => true) # legacy strings
+          else
+            raise
+          end
         end
         from_a(array, app)
       end

data/lib/dragonfly/serializer.rb

@@ -25,9 +25,9 @@ module Dragonfly
       b64_encode(Marshal.dump(object))
     end
 
-    def marshal_decode(string)
+    def marshal_decode(string, opts={})
       marshal_string = b64_decode(string)
-      raise MaliciousString, "potentially malicious marshal string #{marshal_string.inspect}" if marshal_string[/@[a-z_]/i]
+      raise MaliciousString, "potentially malicious marshal string #{marshal_string.inspect}" if opts[:check_malicious] && marshal_string[/@[a-z_]/i]
       Marshal.load(marshal_string)
     rescue TypeError, ArgumentError => e
       raise BadString, "couldn't decode #{string} - got #{e}"

data/lib/dragonfly/utils.rb

@@ -22,7 +22,7 @@ module Dragonfly
     end
 
     def uri_escape_segment(string)
-      URI.escape(string).sub('/', '%2F')
+      Rack::Utils.escape_path(string)
     end
 
     def uri_unescape(string)

data/lib/dragonfly/version.rb

@@ -0,0 +1,3 @@
+module Dragonfly
+  VERSION = '0.9.15'
+end

data/spec/dragonfly/job_spec.rb

@@ -548,10 +548,27 @@ describe Dragonfly::Job do
       job = Dragonfly::Job.deserialize("W1siZiIsInNvbWVfdWlkIl1d", @app)
       job.fetch_step.uid.should == 'some_uid'
     end
-    it "works with marshal encoded strings (deprecated)" do
-      job = Dragonfly::Job.deserialize("BAhbBlsHSSIGZgY6BkVUSSINc29tZV91aWQGOwBU", @app)
-      job.fetch_step.uid.should == 'some_uid'
+
+    context 'legacy urls are enabled' do
+      it "works with marshal encoded strings (deprecated)" do
+        job = Dragonfly::Job.deserialize("BAhbBlsHSSIGZgY6BkVUSSINc29tZV91aWQGOwBU", @app)
+        job.fetch_step.uid.should == 'some_uid'
+      end
+
+      it "checks for potentially malicious strings" do
+        string = Dragonfly::Serializer.marshal_encode(Dragonfly::TempObject.new('a'))
+        expect{
+          Dragonfly::Job.deserialize(string, @app)
+        }.to raise_error(Dragonfly::Serializer::MaliciousString)
+      end
     end
+
+    context 'legacy urls are disabled' do
+      it "rejects marshal encoded strings " do
+        @app.allow_legacy_urls = false
+        expect {Dragonfly::Job.deserialize("BAhbBlsHSSIGZgY6BkVUSSINc29tZV91aWQGOwBU", @app)}.to raise_error(Dragonfly::Serializer::BadString)
+      end
+    end    
   end
 
   describe "to_app" do

data/spec/dragonfly/serializer_spec.rb

@@ -66,14 +66,18 @@ describe Dragonfly::Serializer do
       }.should raise_error(Dragonfly::Serializer::BadString)
     end
     describe "potentially harmful strings" do
+      it "doesn't raise if not flagged to check for malicious strings" do
+        class C; end
+        marshal_decode('BAhvOgZDBjoOQF9fc2VuZF9faQY').should be_a(C)
+      end
       ['_', 'hello', 'h2', '__send__', 'F'].each do |variable_name|
-        it "should raise an error if the string passed in is potentially harmful (e.g. contains instance variable #{variable_name})" do
+        it "raises if flagged to check for malicious strings and finds one" do
           class C; end
           c = C.new
           c.instance_eval{ instance_variable_set("@#{variable_name}", 1) }
           string = Dragonfly::Serializer.b64_encode(Marshal.dump(c))
           lambda{
-            marshal_decode(string)
+            marshal_decode(string, :check_malicious => true)
           }.should raise_error(Dragonfly::Serializer::MaliciousString)
         end
       end

data/spec/dragonfly/server_spec.rb

@@ -121,16 +121,6 @@ describe Dragonfly::Server do
         response.headers['X-Cascade'].should be_nil
       end
 
-      it "should return a 404 when the url is malicious" do
-        class C; def initialize; @a = 1; end; end
-        url = "/media/#{Dragonfly::Serializer.marshal_encode(C.new)}"
-        response = request(@server, url)
-        response.status.should == 404
-        response.body.should == 'Not found'
-        response.content_type.should == 'text/plain'
-        response.headers['X-Cascade'].should be_nil
-      end
-
       it "should return a 403 Forbidden when someone uses fetch_file" do
         response = request(@server, "/media/#{@app.fetch_file('/some/file.txt').serialize}")
         response.status.should == 403

data/spec/dragonfly/url_mapper_spec.rb

@@ -122,7 +122,7 @@ describe Dragonfly::UrlMapper do
       '/media/asdf.egg' =>       {'job' => 'asdf', 'basename' => nil,     'format' => 'egg'},
       '/media/asdf/stuff/egg' => nil,
       '/media/asdf/stuff.dog.egg' => {'job' => 'asdf', 'basename' => 'stuff.dog', 'format' => 'egg'},
-      '/media/asdf/s=2+-.d.e' => {'job' => 'asdf', 'basename' => 's=2+-.d', 'format' => 'e'},
+      '/media/asdf/s%3D2%2B-.d.e' => {'job' => 'asdf', 'basename' => 's=2+-.d', 'format' => 'e'},
       '/media/asdf-40x40/stuff.egg' => nil,
       '/media/a%23c' => {'job' => 'a#c', 'basename' => nil, 'format' => nil}
     }.each do |path, params|

data/spec/functional/urls_spec.rb

@@ -21,8 +21,8 @@ describe "urls" do
   end
 
   it "blows up if it detects bad objects" do
-    url = "/BAhvOgZDBjoLQHRoaW5nSSIId2VlBjoGRVQ"
-    Dragonfly::Response.should_not_receive(:new)
+    url = "/BAhvOhpEcmFnb25mbHk6OlRlbXBPYmplY3QIOgpAZGF0YUkiCWJsYWgGOgZFVDoXQG9yaWdpbmFsX2ZpbGVuYW1lMDoKQG1ldGF7AA"
+    Dragonfly::Job.should_not_receive(:from_a)
     response = request(app, url)
     response.status.should == 404
   end
@@ -38,4 +38,11 @@ describe "urls" do
     job_should_match [["f", "2012/11/03/17_38_08_578__MG_5899_.jpg"], ["p", "thumb", "450x450>"]]
     response = request(app, url)
   end
+
+  it "works with potentially tricky url characters for the url" do
+    url = app.fetch('uid []=~/+').url(:basename => 'name []=~/+')
+    url.should =~ %r(^/[\w%]+/name%20%5B%5D%3D%7E%2F%2B$)
+    job_should_match [["f", "uid []=~/+"]]
+    response = request(app, url)
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dragonfly
 version: !ruby/object:Gem::Version
-  version: 0.9.14
+  version: 0.9.15
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-02-13 00:00:00.000000000 Z
+date: 2013-05-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -107,22 +107,6 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: jeweler
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 1.5.2
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 1.5.2
 - !ruby/object:Gem::Dependency
   name: fog
   requirement: !ruby/object:Gem::Requirement
@@ -341,6 +325,7 @@ extra_rdoc_files:
 - LICENSE
 - README.md
 files:
+- .gitignore
 - .rspec
 - .yardopts
 - Gemfile
@@ -348,7 +333,6 @@ files:
 - LICENSE
 - README.md
 - Rakefile
-- VERSION
 - config.ru
 - docs.watchr
 - dragonfly.gemspec
@@ -452,6 +436,7 @@ files:
 - lib/dragonfly/url_attributes.rb
 - lib/dragonfly/url_mapper.rb
 - lib/dragonfly/utils.rb
+- lib/dragonfly/version.rb
 - samples/DSC02119.JPG
 - samples/a.jp2
 - samples/beach.jpg
@@ -528,9 +513,6 @@ required_ruby_version: !ruby/object:Gem::Requirement
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: -1610166145286138499
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -543,4 +525,60 @@ rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: Ideal gem for handling attachments in Rails, Sinatra and Rack applications.
-test_files: []
+test_files:
+- features/images.feature
+- features/no_processing.feature
+- features/rails.feature
+- features/steps/common_steps.rb
+- features/steps/dragonfly_steps.rb
+- features/steps/rails_steps.rb
+- features/support/env.rb
+- features/support/setup.rb
+- spec/dragonfly/active_model_extensions/model_spec.rb
+- spec/dragonfly/active_model_extensions/spec_helper.rb
+- spec/dragonfly/analyser_spec.rb
+- spec/dragonfly/analysis/file_command_analyser_spec.rb
+- spec/dragonfly/app_spec.rb
+- spec/dragonfly/configurable_spec.rb
+- spec/dragonfly/cookie_monster_spec.rb
+- spec/dragonfly/core_ext/array_spec.rb
+- spec/dragonfly/core_ext/hash_spec.rb
+- spec/dragonfly/data_storage/couch_data_store_spec.rb
+- spec/dragonfly/data_storage/file_data_store_spec.rb
+- spec/dragonfly/data_storage/mongo_data_store_spec.rb
+- spec/dragonfly/data_storage/s3_data_store_spec.rb
+- spec/dragonfly/data_storage/shared_data_store_examples.rb
+- spec/dragonfly/function_manager_spec.rb
+- spec/dragonfly/has_filename_spec.rb
+- spec/dragonfly/hash_with_css_style_keys_spec.rb
+- spec/dragonfly/image_magick/analyser_spec.rb
+- spec/dragonfly/image_magick/encoder_spec.rb
+- spec/dragonfly/image_magick/generator_spec.rb
+- spec/dragonfly/image_magick/processor_spec.rb
+- spec/dragonfly/job_builder_spec.rb
+- spec/dragonfly/job_definitions_spec.rb
+- spec/dragonfly/job_endpoint_spec.rb
+- spec/dragonfly/job_spec.rb
+- spec/dragonfly/loggable_spec.rb
+- spec/dragonfly/middleware_spec.rb
+- spec/dragonfly/routed_endpoint_spec.rb
+- spec/dragonfly/serializer_spec.rb
+- spec/dragonfly/server_spec.rb
+- spec/dragonfly/shell_spec.rb
+- spec/dragonfly/simple_cache_spec.rb
+- spec/dragonfly/temp_object_spec.rb
+- spec/dragonfly/url_attributes.rb
+- spec/dragonfly/url_mapper_spec.rb
+- spec/functional/deprecations_spec.rb
+- spec/functional/image_magick_app_spec.rb
+- spec/functional/model_urls_spec.rb
+- spec/functional/remote_on_the_fly_spec.rb
+- spec/functional/shell_commands_spec.rb
+- spec/functional/to_response_spec.rb
+- spec/functional/urls_spec.rb
+- spec/spec_helper.rb
+- spec/support/argument_matchers.rb
+- spec/support/image_matchers.rb
+- spec/support/simple_matchers.rb
+- spec/test_imagemagick.ru
+has_rdoc: 

data/VERSION

@@ -1 +0,0 @@
-0.9.14