paperclip 4.0.0 → 4.1.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of paperclip might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/.travis.yml +1 -1
- data/NEWS +9 -1
- data/README.md +10 -6
- data/lib/paperclip.rb +6 -5
- data/lib/paperclip/io_adapters/data_uri_adapter.rb +1 -1
- data/lib/paperclip/media_type_spoof_detector.rb +30 -5
- data/lib/paperclip/style.rb +7 -1
- data/lib/paperclip/thumbnail.rb +4 -1
- data/lib/paperclip/version.rb +1 -1
- data/test/io_adapters/data_uri_adapter_test.rb +5 -0
- data/test/media_type_spoof_detector_test.rb +13 -0
- data/test/style_test.rb +38 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d56fec1091044497580e29573ce29fcf2f67ecc9
|
|
4
|
+
data.tar.gz: d54575168a2aa162c760bae6a3a0a8246db6566b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: debcaa74f90f8d01bab69a66b721e3b15bc1532584afb3be685259c4a7b565041362fe30df0fda7d747974c3e4195af3cf372bcbf7253e2f729c2cff8934eaf7
|
|
7
|
+
data.tar.gz: a80c28c4168be7c12d20b11f2de4b077756f4b4bf46bbd005d53e142aa0e61f769a16f8872847853500b43256b6444071c824dde06d475f2823c17f1402c2536
|
data/.travis.yml
CHANGED
data/NEWS
CHANGED
|
@@ -1,10 +1,18 @@
|
|
|
1
|
+
New in 4.1.0:
|
|
2
|
+
|
|
3
|
+
* Improvement: Add :content_type_mappings to correct for missing spoof types
|
|
4
|
+
* Improvement: Credit Egor Homakov with discovering the content_type spoof bug
|
|
5
|
+
* Improvement: Memoize calls to identify in the thumbnail processor
|
|
6
|
+
* Improvement: Make MIME type optional for Data URIs.
|
|
7
|
+
* Improvement: Add default format for styles
|
|
8
|
+
|
|
1
9
|
New in 4.0.0:
|
|
2
10
|
|
|
3
11
|
* Security: Attachments are checked to make sure they're not pulling a fast one.
|
|
4
12
|
* Security: It is now *enforced* that every attachment has a file/mime validation.
|
|
5
13
|
* Bug Fix: Removed a call to IOAdapter#close that was causing issues.
|
|
6
14
|
* Improvement: Added bullets to the 3.5.3 list of changes. Very important.
|
|
7
|
-
*
|
|
15
|
+
* Improvement: Updated the copyright to 2014
|
|
8
16
|
|
|
9
17
|
New in 3.5.3:
|
|
10
18
|
|
data/README.md
CHANGED
|
@@ -307,6 +307,10 @@ inferred content_type, regardless of the actual contents of the file.
|
|
|
307
307
|
Security Validations
|
|
308
308
|
====================
|
|
309
309
|
|
|
310
|
+
Thanks to a report from [Egor Homakov](http://homakov.blogspot.com/) we have
|
|
311
|
+
taken steps to prevent people from spoofing Content-Types and getting data
|
|
312
|
+
you weren't expecting onto your server.
|
|
313
|
+
|
|
310
314
|
NOTE: Starting at version 4.0.0, all attachments are *required* to include a
|
|
311
315
|
content_type validation, a file_name validation, or to explicitly state that
|
|
312
316
|
they're not going to have either. *Paperclip will raise an error* if you do not
|
|
@@ -329,12 +333,12 @@ with your filesystem.
|
|
|
329
333
|
|
|
330
334
|
NOTE: Also starting at version 4.0.0, Paperclip has another validation that
|
|
331
335
|
cannot be turned off. This validation will prevent content type spoofing. That
|
|
332
|
-
is, uploading
|
|
333
|
-
JPEG. This check is limited to the media type (the first part of the
|
|
334
|
-
so, 'text' in 'text/plain'). This will prevent HTML documents from
|
|
335
|
-
uploaded as JPEGs, but will not prevent GIFs from being uploaded with a
|
|
336
|
-
extension. This validation will only add validation errors to the form. It
|
|
337
|
-
not cause Errors to be raised.
|
|
336
|
+
is, uploading a PHP document (for example) as part of the EXIF tags of a
|
|
337
|
+
well-formed JPEG. This check is limited to the media type (the first part of the
|
|
338
|
+
MIME type, so, 'text' in 'text/plain'). This will prevent HTML documents from
|
|
339
|
+
being uploaded as JPEGs, but will not prevent GIFs from being uploaded with a
|
|
340
|
+
.jpg extension. This validation will only add validation errors to the form. It
|
|
341
|
+
will not cause Errors to be raised.
|
|
338
342
|
|
|
339
343
|
Defaults
|
|
340
344
|
--------
|
data/lib/paperclip.rb
CHANGED
|
@@ -77,12 +77,13 @@ module Paperclip
|
|
|
77
77
|
# nil, which uses the first executable found in the user's search path.
|
|
78
78
|
def self.options
|
|
79
79
|
@options ||= {
|
|
80
|
-
:whiny
|
|
80
|
+
:whiny => true,
|
|
81
81
|
:image_magick_path => nil,
|
|
82
|
-
:command_path
|
|
83
|
-
:log
|
|
84
|
-
:log_command
|
|
85
|
-
:swallow_stderr
|
|
82
|
+
:command_path => nil,
|
|
83
|
+
:log => true,
|
|
84
|
+
:log_command => true,
|
|
85
|
+
:swallow_stderr => true,
|
|
86
|
+
:content_type_mappings => {}
|
|
86
87
|
}
|
|
87
88
|
end
|
|
88
89
|
|
|
@@ -10,19 +10,44 @@ module Paperclip
|
|
|
10
10
|
end
|
|
11
11
|
|
|
12
12
|
def spoofed?
|
|
13
|
-
if
|
|
14
|
-
|
|
13
|
+
if @name.present? && media_type_mismatch? && mapping_override_mismatch?
|
|
14
|
+
Paperclip.log("Content Type Spoof: Filename #{File.basename(@name)} (#{supplied_file_content_types}), content type discovered from file command: #{calculated_content_type}. See documentation to allow this combination.")
|
|
15
|
+
true
|
|
15
16
|
end
|
|
16
17
|
end
|
|
17
18
|
|
|
18
19
|
private
|
|
19
20
|
|
|
20
|
-
def
|
|
21
|
-
|
|
21
|
+
def media_type_mismatch?
|
|
22
|
+
! supplied_file_media_types.include?(calculated_media_type)
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
def mapping_override_mismatch?
|
|
26
|
+
mapped_content_type != calculated_content_type
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def supplied_file_media_types
|
|
30
|
+
@supplied_file_media_types ||= MIME::Types.type_for(@name).collect(&:media_type)
|
|
22
31
|
end
|
|
23
32
|
|
|
24
33
|
def calculated_media_type
|
|
25
|
-
|
|
34
|
+
@calculated_media_type ||= calculated_content_type.split("/").first
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
def supplied_file_content_types
|
|
38
|
+
@supplied_file_content_types ||= MIME::Types.type_for(@name).collect(&:content_type)
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
def calculated_content_type
|
|
42
|
+
@calculated_content_type ||= type_from_file_command.chomp
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def mapped_content_type
|
|
46
|
+
Paperclip.options[:content_type_mappings][filename_extension]
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
def filename_extension
|
|
50
|
+
File.extname(@name.to_s.downcase).sub(/^\./, '').to_sym
|
|
26
51
|
end
|
|
27
52
|
|
|
28
53
|
def type_from_file_command
|
data/lib/paperclip/style.rb
CHANGED
|
@@ -29,7 +29,7 @@ module Paperclip
|
|
|
29
29
|
@geometry, @format = [definition, nil].flatten[0..1]
|
|
30
30
|
@other_args = {}
|
|
31
31
|
end
|
|
32
|
-
@format
|
|
32
|
+
@format = default_format if @format.blank?
|
|
33
33
|
end
|
|
34
34
|
|
|
35
35
|
# retrieves from the attachment the processors defined in the has_attached_file call
|
|
@@ -99,5 +99,11 @@ module Paperclip
|
|
|
99
99
|
end
|
|
100
100
|
end
|
|
101
101
|
|
|
102
|
+
# defaults to default format (nil by default)
|
|
103
|
+
def default_format
|
|
104
|
+
base = attachment.options[:default_format]
|
|
105
|
+
base.respond_to?(:call) ? base.call(attachment, name) : base
|
|
106
|
+
end
|
|
107
|
+
|
|
102
108
|
end
|
|
103
109
|
end
|
data/lib/paperclip/thumbnail.rb
CHANGED
|
@@ -109,7 +109,10 @@ module Paperclip
|
|
|
109
109
|
|
|
110
110
|
# Return true if ImageMagick's +identify+ returns an animated format
|
|
111
111
|
def identified_as_animated?
|
|
112
|
-
|
|
112
|
+
if @identified_as_animated.nil?
|
|
113
|
+
@identified_as_animated = ANIMATED_FORMATS.include? identify("-format %m :file", :file => "#{@file.path}[0]").to_s.downcase.strip
|
|
114
|
+
end
|
|
115
|
+
@identified_as_animated
|
|
113
116
|
rescue Cocaine::ExitStatusError => e
|
|
114
117
|
raise Paperclip::Error, "There was an error running `identify` for #{@basename}" if @whiny
|
|
115
118
|
rescue Cocaine::CommandNotFoundError => e
|
data/lib/paperclip/version.rb
CHANGED
|
@@ -8,6 +8,11 @@ class DataUriAdapterTest < Test::Unit::TestCase
|
|
|
8
8
|
end
|
|
9
9
|
end
|
|
10
10
|
|
|
11
|
+
should 'allow a missing mime-type' do
|
|
12
|
+
adapter = Paperclip.io_adapters.for("data:;base64,#{original_base64_content}")
|
|
13
|
+
assert_equal Paperclip::DataUriAdapter, adapter.class
|
|
14
|
+
end
|
|
15
|
+
|
|
11
16
|
context "a new instance" do
|
|
12
17
|
setup do
|
|
13
18
|
@contents = "data:image/png;base64,#{original_base64_content}"
|
|
@@ -25,4 +25,17 @@ class MediaTypeSpoofDetectorTest < Test::Unit::TestCase
|
|
|
25
25
|
adapter = Paperclip.io_adapters.for(File.new(fixture_file("5k.png")))
|
|
26
26
|
assert ! Paperclip::MediaTypeSpoofDetector.using(adapter, adapter.original_filename).spoofed?
|
|
27
27
|
end
|
|
28
|
+
|
|
29
|
+
should 'not reject when the extension => content_type is in :content_type_mappings' do
|
|
30
|
+
begin
|
|
31
|
+
Paperclip.options[:content_type_mappings] = { pem: "text/plain" }
|
|
32
|
+
file = Tempfile.open(["test", ".PEM"])
|
|
33
|
+
file.puts "Certificate!"
|
|
34
|
+
file.close
|
|
35
|
+
adapter = Paperclip.io_adapters.for(File.new(file.path));
|
|
36
|
+
assert ! Paperclip::MediaTypeSpoofDetector.using(adapter, adapter.original_filename).spoofed?
|
|
37
|
+
ensure
|
|
38
|
+
Paperclip.options[:content_type_mappings] = {}
|
|
39
|
+
end
|
|
40
|
+
end
|
|
28
41
|
end
|
data/test/style_test.rb
CHANGED
|
@@ -210,4 +210,42 @@ class StyleTest < Test::Unit::TestCase
|
|
|
210
210
|
assert_equal "-do_extra_stuff", @attachment.styles[:large].processor_options[:source_file_options]
|
|
211
211
|
end
|
|
212
212
|
end
|
|
213
|
+
|
|
214
|
+
context "A style rule supplied with default format" do
|
|
215
|
+
setup do
|
|
216
|
+
@attachment = attachment :default_format => :png,
|
|
217
|
+
:styles => {
|
|
218
|
+
:asstring => "300x300#",
|
|
219
|
+
:aslist => ["300x300#", :jpg],
|
|
220
|
+
:ashash => {
|
|
221
|
+
:geometry => "300x300#",
|
|
222
|
+
:convert_options => "-do_stuff"
|
|
223
|
+
}
|
|
224
|
+
}
|
|
225
|
+
end
|
|
226
|
+
|
|
227
|
+
should "have the right number of styles" do
|
|
228
|
+
assert_kind_of Hash, @attachment.styles
|
|
229
|
+
assert_equal 3, @attachment.styles.size
|
|
230
|
+
end
|
|
231
|
+
|
|
232
|
+
should "have styles as Style objects" do
|
|
233
|
+
[:aslist, :ashash, :aslist].each do |s|
|
|
234
|
+
assert_kind_of Paperclip::Style, @attachment.styles[s]
|
|
235
|
+
end
|
|
236
|
+
end
|
|
237
|
+
|
|
238
|
+
should "have the right geometries" do
|
|
239
|
+
[:aslist, :ashash, :aslist].each do |s|
|
|
240
|
+
assert_equal @attachment.styles[s].geometry, "300x300#"
|
|
241
|
+
end
|
|
242
|
+
end
|
|
243
|
+
|
|
244
|
+
should "have the right formats" do
|
|
245
|
+
assert_equal @attachment.styles[:aslist].format, :jpg
|
|
246
|
+
assert_equal @attachment.styles[:ashash].format, :png
|
|
247
|
+
assert_equal @attachment.styles[:asstring].format, :png
|
|
248
|
+
end
|
|
249
|
+
|
|
250
|
+
end
|
|
213
251
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: paperclip
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.
|
|
4
|
+
version: 4.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jon Yurek
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2014-
|
|
11
|
+
date: 2014-02-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activemodel
|