paperclip 4.2.1 → 4.2.2



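--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: bfce4dd35d4417bbc321b3f2ca5c3a9fada39009
- data.tar.gz: dde01d703ee5317817ebf0ba0758246cee52c5cc
+ metadata.gz: fa18c86bf030ee0f661dc1161c300704284df4ea
+ data.tar.gz: e6e4a743830550b454d82f8790cda44dadbff165
  SHA512:
- metadata.gz: f629145edb2b10631f4b7364bd5384f637c8982843ac3d3978446997fe59915a6cad5284778bab30c662b33c1cd59bef5fd56a0355a69cd7f926584b3e22f387
- data.tar.gz: 257d0074ad2ac069d17b5f691580a5ff83240722c07525d256370222afee012a4e7e42f578be8d3957c9b1925e1ad81def15fb1454101e1b8d8e1d595805e5ac
+ metadata.gz: 87f896288a2cfa5a420b238029ed57cd469306174552c6bd0cea587f5c9b5431b10afff9b12ffe0b63bbd42249a0928783c9681ac5e93fb1cf9894daed0d7635
+ data.tar.gz: cb3f3bdfc812816830a3533bd6edc690d795ec22279b9e8f7f9b940db7a3db7301924c174129454a4f4cc60b689936c6b4c5ea69aec230f728c3414a14150744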
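--- a/data/NEWS
+++ b/data/NEWS
@@ -1,3 +1,7 @@
+ New in 4.2.2:
+
+ * Security fix: Fix a potential security issue with spoofing
+
  New in 4.2.1:
 
  * Improvement: Added `validate_media_type` options to allow/bypass spoof check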
@@ -2,7 +2,7 @@ en:
2
2
  errors:
3
3
  messages:
4
4
  in_between: "must be in between %{min} and %{max}"
5
- spoofed_media_type: "has an extension that does not match its contents"
5
+ spoofed_media_type: "has contents that are not what they are reported to be"
6
6
 
7
7
  number:
8
8
  human:
@@ -1,18 +1,21 @@
1
1
  module Paperclip
2
2
  class MediaTypeSpoofDetector
3
- def self.using(file, name)
4
- new(file, name)
3
+ def self.using(file, name, content_type)
4
+ new(file, name, content_type)
5
5
  end
6
6
 
7
- def initialize(file, name)
7
+ def initialize(file, name, content_type)
8
8
  @file = file
9
9
  @name = name
10
+ @content_type = content_type || ""
10
11
  end
11
12
 
12
13
  def spoofed?
13
14
  if has_name? && has_extension? && media_type_mismatch? && mapping_override_mismatch?
14
- Paperclip.log("Content Type Spoof: Filename #{File.basename(@name)} (#{supplied_file_content_types}), content type discovered from file command: #{calculated_content_type}. See documentation to allow this combination.")
15
+ Paperclip.log("Content Type Spoof: Filename #{File.basename(@name)} (#{supplied_content_type} from Headers, #{content_types_from_name} from Extension), content type discovered from file command: #{calculated_content_type}. See documentation to allow this combination.")
15
16
  true
17
+ else
18
+ false
16
19
  end
17
20
  end
18
21
 
@@ -27,35 +30,44 @@ module Paperclip
27
30
  end
28
31
 
29
32
  def media_type_mismatch?
30
- ! supplied_file_media_types.include?(calculated_media_type)
33
+ supplied_type_mismatch? || calculated_type_mismatch?
34
+ end
35
+
36
+ def supplied_type_mismatch?
37
+ supplied_media_type.present? && !media_types_from_name.include?(supplied_media_type)
38
+ end
39
+
40
+ def calculated_type_mismatch?
41
+ !media_types_from_name.include?(calculated_media_type)
31
42
  end
32
43
 
33
44
  def mapping_override_mismatch?
34
45
  mapped_content_type != calculated_content_type
35
46
  end
36
47
 
37
- def supplied_file_media_types
38
- @supplied_file_media_types ||= MIME::Types.type_for(@name).collect(&:media_type)
48
+
49
+ def supplied_content_type
50
+ @content_type
39
51
  end
40
52
 
41
- def calculated_media_type
42
- @calculated_media_type ||= calculated_content_type.split("/").first
53
+ def supplied_media_type
54
+ @content_type.split("/").first
43
55
  end
44
56
 
45
- def supplied_file_content_types
46
- @supplied_file_content_types ||= MIME::Types.type_for(@name).collect(&:content_type)
57
+ def content_types_from_name
58
+ @content_types_from_name ||= MIME::Types.type_for(@name)
47
59
  end
48
60
 
49
- def calculated_content_type
50
- @calculated_content_type ||= type_from_file_command.chomp
61
+ def media_types_from_name
62
+ @media_types_from_name ||= content_types_from_name.collect(&:media_type)
51
63
  end
52
64
 
53
- def mapped_content_type
54
- Paperclip.options[:content_type_mappings][filename_extension]
65
+ def calculated_content_type
66
+ @calculated_content_type ||= type_from_file_command.chomp
55
67
  end
56
68
 
57
- def filename_extension
58
- File.extname(@name.to_s.downcase).sub(/^\./, '').to_sym
69
+ def calculated_media_type
70
+ @calculated_media_type ||= calculated_content_type.split("/").first
59
71
  end
60
72
 
61
73
  def type_from_file_command
@@ -65,5 +77,13 @@ module Paperclip
65
77
  ""
66
78
  end
67
79
  end
80
+
81
+ def mapped_content_type
82
+ Paperclip.options[:content_type_mappings][filename_extension]
83
+ end
84
+
85
+ def filename_extension
86
+ File.extname(@name.to_s.downcase).sub(/^\./, '').to_sym
87
+ end
68
88
  end
69
89
  end
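Review bot: The log line on the new side of `spoofed?` interpolates `supplied_content_type`, which is the raw Content-Type value the client sent, directly into the log next to the filename; a newline or control characters in that header would let an uploader forge log entries. Quoting it with `#{supplied_content_type.inspect}` (and likewise `#{File.basename(@name).inspect}`) keeps each log entry to one line without losing information. Separately, `supplied_media_type` compares `@content_type.split("/").first` case-sensitively against the lowercase media types from `MIME::Types`, so a client sending `IMAGE/JPEG` — valid, since media types are case-insensitive — would be rejected as spoofed; `@content_type.split("/").first.to_s.strip.downcase` avoids that false positive without weakening the check, and memoizing it would match the sibling helpers. `has_name?` and `has_extension?` lie outside the hunk.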
@@ -5,7 +5,7 @@ module Paperclip
5
5
  class MediaTypeSpoofDetectionValidator < ActiveModel::EachValidator
6
6
  def validate_each(record, attribute, value)
7
7
  adapter = Paperclip.io_adapters.for(value)
8
- if Paperclip::MediaTypeSpoofDetector.using(adapter, value.original_filename).spoofed?
8
+ if Paperclip::MediaTypeSpoofDetector.using(adapter, value.original_filename, value.content_type).spoofed?
9
9
  record.errors.add(attribute, :spoofed_media_type)
10
10
  end
11
11
  end
@@ -1,3 +1,3 @@
1
1
  module Paperclip
2
- VERSION = "4.2.1" unless defined? Paperclip::VERSION
2
+ VERSION = "4.2.2" unless defined? Paperclip::VERSION
3
3
  end
@@ -43,4 +43,14 @@ describe Paperclip::MediaTypeSpoofDetector do
43
43
  Paperclip.options[:content_type_mappings] = {}
44
44
  end
45
45
  end
46
+
47
+ it "rejects a file if named .html and is as HTML, but we're told JPG" do
48
+ file = File.open(fixture_file("empty.html"))
49
+ assert Paperclip::MediaTypeSpoofDetector.using(file, "empty.html", "image/jpg").spoofed?
50
+ end
51
+
52
+ it "does not reject is content_type is empty but otherwise checks out" do
53
+ file = File.open(fixture_file("empty.html"))
54
+ assert ! Paperclip::MediaTypeSpoofDetector.using(file, "empty.html", "").spoofed?
55
+ end
46
56
  end
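Review bot: The description of the second new example reads `does not reject is content_type is empty but otherwise checks out`; it should read `does not reject if content_type is empty but otherwise checks out`. The first example supplies `image/jpg`, which is not the registered type (`image/jpeg`); it works because only the media type before the slash is compared, but using `image/jpeg` would avoid implying the subtype is validated. A third example with a supplied type that differs from the extension only in subtype (say `image/png` for a genuine `.jpg`) would document that this combination appears to be deliberately accepted by the media-type-level comparison.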
@@ -30,7 +30,7 @@ describe Paperclip::Validators::MediaTypeSpoofDetectionValidator do
30
30
  Paperclip::MediaTypeSpoofDetector.stubs(:using).returns(detector)
31
31
  @validator.validate(@dummy)
32
32
 
33
- assert_equal "has an extension that does not match its contents", @dummy.errors[:avatar].first
33
+ assert_equal I18n.t("errors.messages.spoofed_media_type"), @dummy.errors[:avatar].first
34
34
  end
35
35
 
36
36
  it "runs when attachment is dirty" do
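--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: paperclip
  version: !ruby/object:Gem::Version
- version: 4.2.1
+ version: 4.2.2
  platform: ruby
  authors:
  - Jon Yurek
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2014-12-09 00:00:00.000000000 Z
+ date: 2015-06-05 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activemodel
@@ -562,7 +562,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  requirements:
  - ImageMagick
  rubyforge_project: paperclip
- rubygems_version: 2.2.2
+ rubygems_version: 2.4.5
  signing_key:
  specification_version: 4
  summary: File attachments as attributes for ActiveRecord
@@ -668,3 +668,4 @@ test_files:
  - spec/support/rails_helpers.rb
  - spec/support/test_data.rb
  - spec/support/version_helper.rb
+ has_rdoc: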