RubyGems - paperclip - Versions diffs - 4.2.1 → 4.2.2 - Mend

paperclip 4.2.1 → 4.2.2

Potentially problematic release.

This version of paperclip might be problematic. Click here for more details.

Files changed (9) hide show

checksums.yaml +4 -4
data/NEWS +4 -0
data/lib/paperclip/locales/en.yml +1 -1
data/lib/paperclip/media_type_spoof_detector.rb +37 -17
data/lib/paperclip/validators/media_type_spoof_detection_validator.rb +1 -1
data/lib/paperclip/version.rb +1 -1
data/spec/paperclip/media_type_spoof_detector_spec.rb +10 -0
data/spec/paperclip/validators/media_type_spoof_detection_validator_spec.rb +1 -1
metadata +4 -3

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bfce4dd35d4417bbc321b3f2ca5c3a9fada39009
-  data.tar.gz: dde01d703ee5317817ebf0ba0758246cee52c5cc
+  metadata.gz: fa18c86bf030ee0f661dc1161c300704284df4ea
+  data.tar.gz: e6e4a743830550b454d82f8790cda44dadbff165
 SHA512:
-  metadata.gz: f629145edb2b10631f4b7364bd5384f637c8982843ac3d3978446997fe59915a6cad5284778bab30c662b33c1cd59bef5fd56a0355a69cd7f926584b3e22f387
-  data.tar.gz: 257d0074ad2ac069d17b5f691580a5ff83240722c07525d256370222afee012a4e7e42f578be8d3957c9b1925e1ad81def15fb1454101e1b8d8e1d595805e5ac
+  metadata.gz: 87f896288a2cfa5a420b238029ed57cd469306174552c6bd0cea587f5c9b5431b10afff9b12ffe0b63bbd42249a0928783c9681ac5e93fb1cf9894daed0d7635
+  data.tar.gz: cb3f3bdfc812816830a3533bd6edc690d795ec22279b9e8f7f9b940db7a3db7301924c174129454a4f4cc60b689936c6b4c5ea69aec230f728c3414a14150744

data/NEWS CHANGED

@@ -1,3 +1,7 @@
+New in 4.2.2:
+* Security fix: Fix a potential security issue with spoofing
 New in 4.2.1:
 * Improvement: Added `validate_media_type` options to allow/bypass spoof check

data/lib/paperclip/locales/en.yml CHANGED

@@ -2,7 +2,7 @@ en:
   errors:
     messages:
       in_between: "must be in between %{min} and %{max}"
-      spoofed_media_type: "has an extension that does not match its contents"
+      spoofed_media_type: "has contents that are not what they are reported to be"
   number:
     human:

data/lib/paperclip/media_type_spoof_detector.rb CHANGED

@@ -1,18 +1,21 @@
 module Paperclip
   class MediaTypeSpoofDetector
-    def self.using(file, name)
-      new(file, name)
+    def self.using(file, name, content_type)
+      new(file, name, content_type)
     end
-    def initialize(file, name)
+    def initialize(file, name, content_type)
       @file = file
       @name = name
+      @content_type = content_type || ""
     end
     def spoofed?
       if has_name? && has_extension? && media_type_mismatch? && mapping_override_mismatch?
-        Paperclip.log("Content Type Spoof: Filename #{File.basename(@name)} (#{supplied_file_content_types}), content type discovered from file command: #{calculated_content_type}. See documentation to allow this combination.")
+        Paperclip.log("Content Type Spoof: Filename #{File.basename(@name)} (#{supplied_content_type} from Headers, #{content_types_from_name} from Extension), content type discovered from file command: #{calculated_content_type}. See documentation to allow this combination.")
         true
+      else
+        false
       end
     end
@@ -27,35 +30,44 @@ module Paperclip
     end
     def media_type_mismatch?
-      ! supplied_file_media_types.include?(calculated_media_type)
+      supplied_type_mismatch? || calculated_type_mismatch?
+    end
+    def supplied_type_mismatch?
+      supplied_media_type.present? && !media_types_from_name.include?(supplied_media_type)
+    end
+    def calculated_type_mismatch?
+      !media_types_from_name.include?(calculated_media_type)
     end
     def mapping_override_mismatch?
       mapped_content_type != calculated_content_type
     end
-    def supplied_file_media_types
-      @supplied_file_media_types ||= MIME::Types.type_for(@name).collect(&:media_type)
+    def supplied_content_type
+      @content_type
     end
-    def calculated_media_type
-      @calculated_media_type ||= calculated_content_type.split("/").first
+    def supplied_media_type
+      @content_type.split("/").first
     end
-    def supplied_file_content_types
-      @supplied_file_content_types ||= MIME::Types.type_for(@name).collect(&:content_type)
+    def content_types_from_name
+      @content_types_from_name ||= MIME::Types.type_for(@name)
     end
-    def calculated_content_type
-      @calculated_content_type ||= type_from_file_command.chomp
+    def media_types_from_name
+      @media_types_from_name ||= content_types_from_name.collect(&:media_type)
     end
-    def mapped_content_type
-      Paperclip.options[:content_type_mappings][filename_extension]
+    def calculated_content_type
+      @calculated_content_type ||= type_from_file_command.chomp
     end
-    def filename_extension
-      File.extname(@name.to_s.downcase).sub(/^\./, '').to_sym
+    def calculated_media_type
+      @calculated_media_type ||= calculated_content_type.split("/").first
     end
     def type_from_file_command
@@ -65,5 +77,13 @@ module Paperclip
         ""
       end
     end
+    def mapped_content_type
+      Paperclip.options[:content_type_mappings][filename_extension]
+    end
+    def filename_extension
+      File.extname(@name.to_s.downcase).sub(/^\./, '').to_sym
+    end
   end
 end

data/lib/paperclip/validators/media_type_spoof_detection_validator.rb CHANGED

@@ -5,7 +5,7 @@ module Paperclip
     class MediaTypeSpoofDetectionValidator < ActiveModel::EachValidator
       def validate_each(record, attribute, value)
         adapter = Paperclip.io_adapters.for(value)
-        if Paperclip::MediaTypeSpoofDetector.using(adapter, value.original_filename).spoofed?
+        if Paperclip::MediaTypeSpoofDetector.using(adapter, value.original_filename, value.content_type).spoofed?
           record.errors.add(attribute, :spoofed_media_type)
         end
       end

data/lib/paperclip/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Paperclip
-  VERSION = "4.2.1" unless defined? Paperclip::VERSION
+  VERSION = "4.2.2" unless defined? Paperclip::VERSION
 end

data/spec/paperclip/media_type_spoof_detector_spec.rb CHANGED

@@ -43,4 +43,14 @@ describe Paperclip::MediaTypeSpoofDetector do
       Paperclip.options[:content_type_mappings] = {}
     end
   end
+  it "rejects a file if named .html and is as HTML, but we're told JPG" do
+    file = File.open(fixture_file("empty.html"))
+    assert Paperclip::MediaTypeSpoofDetector.using(file, "empty.html", "image/jpg").spoofed?
+  end
+  it "does not reject is content_type is empty but otherwise checks out" do
+    file = File.open(fixture_file("empty.html"))
+    assert ! Paperclip::MediaTypeSpoofDetector.using(file, "empty.html", "").spoofed?
+  end
 end

data/spec/paperclip/validators/media_type_spoof_detection_validator_spec.rb CHANGED

@@ -30,7 +30,7 @@ describe Paperclip::Validators::MediaTypeSpoofDetectionValidator do
     Paperclip::MediaTypeSpoofDetector.stubs(:using).returns(detector)
     @validator.validate(@dummy)
-    assert_equal "has an extension that does not match its contents", @dummy.errors[:avatar].first
+    assert_equal I18n.t("errors.messages.spoofed_media_type"), @dummy.errors[:avatar].first
   end
   it "runs when attachment is dirty" do

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: paperclip
 version: !ruby/object:Gem::Version
-  version: 4.2.1
+  version: 4.2.2
 platform: ruby
 authors:
 - Jon Yurek
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-12-09 00:00:00.000000000 Z
+date: 2015-06-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -562,7 +562,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - ImageMagick
 rubyforge_project: paperclip
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5
 signing_key:
 specification_version: 4
 summary: File attachments as attributes for ActiveRecord
@@ -668,3 +668,4 @@ test_files:
 - spec/support/rails_helpers.rb
 - spec/support/test_data.rb
 - spec/support/version_helper.rb
+has_rdoc: