paperclip 4.3.5 → 4.3.6
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of paperclip might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/NEWS +6 -0
- data/lib/paperclip/media_type_spoof_detector.rb +1 -1
- data/lib/paperclip/version.rb +1 -1
- data/spec/paperclip/media_type_spoof_detector_spec.rb +12 -3
- metadata +2 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ab7608623c35bf152d8a5277f17938d75e29062a
|
|
4
|
+
data.tar.gz: 9522d62f5f590d9022abc2a086c5b1c7387a4eb0
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: fc30de9ee1182acb5d59ec0f172b5b309b55032fce3b14f466545c3f86d5e4e29deef045673fbd585a5a7a2268ba0172a8a87103135cb5236ace5058ed78fdab
|
|
7
|
+
data.tar.gz: 6a37ffebe6bfd71e8f4c8937adf6a4cafdf31365acd305274a4b38c631ad4ade53a5aa4bc2b1584a0716a3c2a048ddea0212e42edbbe2392f5e69c496b27bad5
|
data/NEWS
CHANGED
|
@@ -1,7 +1,13 @@
|
|
|
1
|
+
4.3.6 (3/13/2016):
|
|
2
|
+
|
|
3
|
+
* Bug Fix: When a spoofed media type is detected, megabytes of mime-types info are added to logs. See https://cwe.mitre.org/data/definitions/779.html.
|
|
4
|
+
|
|
1
5
|
4.3.5 (2/8/2016):
|
|
6
|
+
|
|
2
7
|
* Bug Fix: Remove deprecation warnings for v5.0 for now. Will re-add once the version has landed.
|
|
3
8
|
|
|
4
9
|
4.3.4 (2/2/2016):
|
|
10
|
+
|
|
5
11
|
* Bug Fix: Fix incompatible change from v4.3.3.
|
|
6
12
|
|
|
7
13
|
4.3.3 (1/29/2016):
|
|
@@ -12,7 +12,7 @@ module Paperclip
|
|
|
12
12
|
|
|
13
13
|
def spoofed?
|
|
14
14
|
if has_name? && has_extension? && media_type_mismatch? && mapping_override_mismatch?
|
|
15
|
-
Paperclip.log("Content Type Spoof: Filename #{File.basename(@name)} (#{supplied_content_type} from Headers, #{content_types_from_name} from Extension), content type discovered from file command: #{calculated_content_type}. See documentation to allow this combination.")
|
|
15
|
+
Paperclip.log("Content Type Spoof: Filename #{File.basename(@name)} (#{supplied_content_type} from Headers, #{content_types_from_name.map(&:to_s)} from Extension), content type discovered from file command: #{calculated_content_type}. See documentation to allow this combination.")
|
|
16
16
|
true
|
|
17
17
|
else
|
|
18
18
|
false
|
data/lib/paperclip/version.rb
CHANGED
|
@@ -44,9 +44,18 @@ describe Paperclip::MediaTypeSpoofDetector do
|
|
|
44
44
|
end
|
|
45
45
|
end
|
|
46
46
|
|
|
47
|
-
|
|
48
|
-
file
|
|
49
|
-
|
|
47
|
+
context "file named .html and is as HTML, but we're told JPG" do
|
|
48
|
+
let(:file) { File.open(fixture_file("empty.html")) }
|
|
49
|
+
let(:spoofed?) { Paperclip::MediaTypeSpoofDetector.using(file, "empty.html", "image/jpg").spoofed? }
|
|
50
|
+
|
|
51
|
+
it "rejects the file" do
|
|
52
|
+
assert spoofed?
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
it "logs info about the detected spoof" do
|
|
56
|
+
Paperclip.expects(:log).with('Content Type Spoof: Filename empty.html (image/jpg from Headers, ["text/html"] from Extension), content type discovered from file command: text/html. See documentation to allow this combination.')
|
|
57
|
+
spoofed?
|
|
58
|
+
end
|
|
50
59
|
end
|
|
51
60
|
|
|
52
61
|
it "does not reject if content_type is empty but otherwise checks out" do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: paperclip
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.3.
|
|
4
|
+
version: 4.3.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jon Yurek
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-03-13 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activemodel
|
|
@@ -708,4 +708,3 @@ test_files:
|
|
|
708
708
|
- spec/support/rails_helpers.rb
|
|
709
709
|
- spec/support/test_data.rb
|
|
710
710
|
- spec/support/version_helper.rb
|
|
711
|
-
has_rdoc:
|