RubyGems - fleximage - Versions diffs - 1.0.1 → 1.0.2 - Mend

fleximage 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

data/CHANGELOG.rdoc +14 -0
data/VERSION +1 -1
data/fleximage.gemspec +4 -3
data/lib/fleximage/model.rb +28 -6
data/test/rails_root/db/migrate/001_create_photo_files.rb +1 -0
data/test/unit/basic_model_test.rb +7 -1
data/test/unit/image_directory_option_test.rb +2 -0
data/test/unit/magic_columns_test.rb +4 -0
data/test/unit/temp_image_test.rb +6 -0
metadata +6 -2

data/CHANGELOG.rdoc ADDED Viewed

@@ -0,0 +1,14 @@
+== fleximage 1.0.2 12-14-2009
+* Don't prepend RAILS_ROOT to absolute image directory path
+* Added support for an "image_format" magic database column
+* Fixed an issue with saving temp images in Windows
+* Fixed a temp image vulnerability with directory traversal
+== fleximage 1.0.1 12-13-2009
+* Now with completely passing tests
+== fleximage 1.0.0 12-13-2009
+* Initial gem release.

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 1.0.1
1	+ 1.0.2

data/fleximage.gemspec CHANGED Viewed

@@ -5,11 +5,11 @@
 Gem::Specification.new do |s|
   s.name = %q{fleximage}
-  s.version = "1.0.1"
+  s.version = "1.0.2"
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.authors = ["Alex Wayne", "Andrew White", "JJ Buckley", "Jason Lee", "Joshua Abbott", "Lo\303\257c Guitaut", "Martin Vielsmaier", "Squeegy", "Vannoy"]
-  s.date = %q{2009-12-13}
+  s.authors = ["Alex Wayne", "Andrew White", "JJ Buckley", "Jason Lee", "Joshua Abbott", "Koji Ando", "Kouhei Sutou", "Lasse Jansen", "Lo\303\257c Guitaut", "Martin Vielsmaier", "Squeegy", "Vannoy"]
+  s.date = %q{2009-12-14}
   s.description = %q{Fleximage is a Rails plugin that tries to make image uploading and rendering
 super easy.
 }
@@ -19,6 +19,7 @@ super easy.
   ]
   s.files = [
     ".gitignore",
+     "CHANGELOG.rdoc",
      "MIT-LICENSE",
      "README.rdoc",
      "Rakefile",

data/lib/fleximage/model.rb CHANGED Viewed

@@ -269,10 +269,11 @@ module Fleximage
       #
       #   @some_image.directory_path #=> /var/www/myapp/uploaded_images/2008/3/30
       def directory_path
-        raise 'No image directory was defined, cannot generate path' unless self.class.image_directory
+        directory = self.class.image_directory
+        raise 'No image directory was defined, cannot generate path' unless directory
         # base directory
-        directory = "#{RAILS_ROOT}/#{self.class.image_directory}"
+        directory = "#{RAILS_ROOT}/#{directory}" unless /^\// =~ directory
         # specific creation date based directory suffix.
         creation = self[:created_at] || self[:created_on]
@@ -287,9 +288,28 @@ module Fleximage
       #
       #   @some_image.file_path #=> /var/www/myapp/uploaded_images/123.png
       def file_path
-        "#{directory_path}/#{id}.#{self.class.image_storage_format}"
+        "#{directory_path}/#{id}.#{extension}"
+      end
+      # Returns original format of the image if the image_format column exists
+      # otherwise returns the globally set format.
+      def extension
+        if self.respond_to?( :image_format)
+          case image_format
+          when "JPEG"
+            "jpg"
+          else
+            image_format ? image_format.downcase : self.class.image_storage_format
+          end
+        else
+          self.class.image_storage_format
+        end
       end
+      def url_format
+        extension.to_sym
+      end
       # Sets the image file for this record to an uploaded file.  This can
       # be called directly, or passively like from an ActiveRecord mass
       # assignment.
@@ -405,7 +425,7 @@ module Fleximage
       # uploaded.  Use as a hidden field in your forms to keep an uploaded image when
       # validation fails and the form needs to be redisplayed
       def image_file_temp=(file_name)
-        if !@uploaded_image && file_name && file_name.present?
+        if !@uploaded_image && file_name && file_name.present? && file_name !~ %r{\.\./}
           @image_file_temp = file_name
           file_path = "#{RAILS_ROOT}/tmp/fleximage/#{file_name}"
@@ -574,7 +594,7 @@ module Fleximage
             perform_preprocess_operation
             # Convert to storage format
-            @uploaded_image.format = self.class.image_storage_format.to_s.upcase
+            @uploaded_image.format = self.class.image_storage_format.to_s.upcase unless respond_to?(:image_format)
             # Write image data to the DB field
             if self.class.db_store?
@@ -623,6 +643,7 @@ module Fleximage
             self.image_filename = nil if respond_to?(:image_filename=)
             self.image_width    = nil if respond_to?(:image_width=)
             self.image_height   = nil if respond_to?(:image_height=)
+            self.image_format   = nil if respond_to?(:image_format=)
           end
         end
@@ -635,6 +656,7 @@ module Fleximage
           end
           self.image_width    = @uploaded_image.columns if self.respond_to?(:image_width=)
           self.image_height   = @uploaded_image.rows    if self.respond_to?(:image_height=)
+          self.image_format   = @uploaded_image.format  if self.respond_to?(:image_format=)
         end
         # Save the image in the rails tmp directory
@@ -643,7 +665,7 @@ module Fleximage
           @image_file_temp = Time.now.to_f.to_s.sub('.', '_')
           path = "#{RAILS_ROOT}/tmp/fleximage"
           FileUtils.mkdir_p(path)
-          File.open("#{path}/#{@image_file_temp}", 'w') do |f|
+          File.open("#{path}/#{@image_file_temp}", 'wb') do |f|
             file.rewind
             f.write file.read
           end

data/test/rails_root/db/migrate/001_create_photo_files.rb CHANGED Viewed

@@ -4,6 +4,7 @@ class CreatePhotoFiles < ActiveRecord::Migration
       t.string :image_filename
       t.integer :image_width
       t.integer :image_height
+      t.string  :image_format
       t.timestamps
     end

data/test/unit/basic_model_test.rb CHANGED Viewed

@@ -11,7 +11,6 @@ class FleximageBasicModelTest < Test::Unit::TestCase
     assert_equal "#{RAILS_ROOT}/public/uploads/#{Time.now.year}/#{Time.now.month}/#{Time.now.day}", p.directory_path
   end
   def test_should_have_correct_file_path_without_creation_date_based_storage
     PhotoBare.use_creation_date_based_directories = false
     p = PhotoBare.create(:image_file => files(:photo))
@@ -27,4 +26,11 @@ class FleximageBasicModelTest < Test::Unit::TestCase
   ensure
     PhotoBare.use_creation_date_based_directories = true
   end
+  def test_should_not_prepend_rails_root_to_absolute_path
+    PhotoBare.image_directory = '/tmp'
+    PhotoBare.use_creation_date_based_directories = false
+    p = PhotoBare.create(:image_file => files(:photo))
+    assert_equal '/tmp', p.directory_path
+  end
 end

data/test/unit/image_directory_option_test.rb CHANGED Viewed

@@ -2,12 +2,14 @@ require File.dirname(__FILE__) + '/../../test/test_helper'
 class FleximageImageDirectoryOptionTest < Test::Unit::TestCase
   def test_should_store_in_default_image_directory
+    PhotoBare.use_creation_date_based_directories = true
     p = PhotoBare.create(:image_file => files(:photo))
     assert_match %r{public/uploads/\d+/\d+/\d+/\d+}, p.file_path
     assert File.exists?(p.file_path)
   end
   def test_should_set_image_directory
+    PhotoBare.use_creation_date_based_directories = true
     PhotoBare.image_directory = 'public/uploads/foo'
     p = PhotoBare.create(:image_file => files(:photo))
     assert_match %r{public/uploads/foo/\d+/\d+/\d+/\d+}, p.file_path

data/test/unit/magic_columns_test.rb CHANGED Viewed

@@ -6,6 +6,8 @@ class FleximageMagicColumnsTest < Test::Unit::TestCase
     assert_equal 'photo.jpg', p.image_filename
     assert_equal 1024,  p.image_height
     assert_equal 768,   p.image_width
+    assert_equal 'JPEG', p.image_format
+    assert_equal 'jpg', p.extension
   end
   def test_should_save_data_in_magic_columns_from_url
@@ -13,6 +15,8 @@ class FleximageMagicColumnsTest < Test::Unit::TestCase
     assert_equal files(:web_photo), p.image_filename
     assert_equal 110,   p.image_height
     assert_equal 276,   p.image_width
+    assert_equal 'GIF', p.image_format
+    assert_equal 'gif', p.extension
   rescue SocketError
     print '!'
   end

data/test/unit/temp_image_test.rb CHANGED Viewed

@@ -14,4 +14,10 @@ class FleximageTempImageTest < Test::Unit::TestCase
     assert File.exists?(a2.file_path)
     assert !File.exists?("#{RAILS_ROOT}/tmp/fleximage/#{temp_file_path}")
   end
+  def test_should_prevent_directory_traversal_attacks
+    a1 = Avatar.new(:image_file_temp => '../fleximage/photo.jpg')
+    assert !a1.save
+    assert_equal nil, a1.image_file_temp
+  end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fleximage
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
 platform: ruby
 authors:
 - Alex Wayne
@@ -9,6 +9,9 @@ authors:
 - JJ Buckley
 - Jason Lee
 - Joshua Abbott
+- Koji Ando
+- Kouhei Sutou
+- Lasse Jansen
 - "Lo\xC3\xAFc Guitaut"
 - Martin Vielsmaier
 - Squeegy
@@ -17,7 +20,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2009-12-13 00:00:00 -08:00
+date: 2009-12-14 00:00:00 -08:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -63,6 +66,7 @@ extra_rdoc_files:
 - README.rdoc
 files:
 - .gitignore
+- CHANGELOG.rdoc
 - MIT-LICENSE
 - README.rdoc
 - Rakefile