paperclip 3.5.4 → 4.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 302d782024b65e52c6e3b0f2caefe6c96893fda6
-  data.tar.gz: 11e787c6934c7ff8a44409ba54cc049e7743309c
+  metadata.gz: 748ce579f297e0d58f7ee6e72b2968341af560be
+  data.tar.gz: 47ed54affca1e4c7736eddcb33dfac09763d871d
 SHA512:
-  metadata.gz: 0b7b11bca1472987b99c21656db9dd8f1258180078ca9811c7fa977b2b0897c724b069806a058a936873ddc9aac017c133de8da2f8946952a04f9fbe110571d5
-  data.tar.gz: f52bf9968bbbca1d59237055a66a62acfb882fab61db9060211a2361ce6f01fa3e3b325a622f9e905a4a60f845c7f03595d19e106898e9a6f6b45a2d66964f48
+  metadata.gz: 1337da62c00c9b10e151b8a1efd10b611d92c0601c3471bab99b57acbdf7c532e9714ce271c1bc01dbbc499aa71938ba5865b15ff44f1f68d7c0e919e24d00b8
+  data.tar.gz: e8fe2a23b8bc5fbbfc9e5ead740a42a6ff7ccb93c9cc452e10cd443b510560ac826d6ef1d3a6dcbefe5ce13bf4b8b7799fd7a6f290c26b27874ac166c89d501d

data/Gemfile

@@ -6,3 +6,4 @@ gem 'jruby-openssl', :platform => :jruby
 gem 'activerecord-jdbcsqlite3-adapter', :platform => :jruby
 
 gem 'pry', :platform => :ruby
+gem 'pry-byebug', :platform => :ruby

data/LICENSE

@@ -3,7 +3,7 @@ LICENSE
 
 The MIT License
 
-Copyright (c) 2008-2013 Jon Yurek and thoughtbot, inc.
+Copyright (c) 2008-2014 Jon Yurek and thoughtbot, inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -22,5 +22,3 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
-
-

data/NEWS

@@ -1,28 +1,32 @@
-New in 3.5.4:
+New in 4.0.0:
 
-Bug Fix: Users were reporting IOErrors. Stop closing extra files to prevent.
+* Security: Attachments are checked to make sure they're not pulling a fast one.
+* Security: It is now *enforced* that every attachment has a file/mime validation.
+* Bug Fix: Removed a call to IOAdapter#close that was causing issues.
+* Improvement: Added bullets to the 3.5.3 list of changes. Very important.
+* Improcement: Updated the copyright to 2014
 
 New in 3.5.3:
 
-Improvement: After three long, hard years... we know how to upgrade
-Bug Fix: #expiring_url returns 'missing' urls if nothing is attached
-Improvement: Lots of documentation fixes
-Improvement: Lots of fixes for Ruby warnings
-Improvement: Test the most appropriate Ruby/Rails comobinations on Travis
-Improvement: Delegate more IO methods through IOAdapters
-Improvement: Remove Rails 4 deprecations
-Improvement: Both S3's and Fog's #expiring_url can take a Time or Int
-Bug Fix: Both S3's and Fog's expiring_url respect style when missing the file
-Bug Fix: Timefiles will have a reasonable-length name. They're all MD5 hashes now
-Bug Fix: Don't delete files off S3 when reprocessing due to AWS inconsistencies
-Bug Fix: "swallow_stream" isn't thread dafe. Use :swallow_stderr
-Improvement: Regexps use \A and \Z instead of ^ and $
-Improvement: :s3_credentials can take a lambda as an argument
-Improvement: Search up the class heirarchy for attachments
-Improvement: deep_merge options instead of regular merge
-Bug Fix: Prevent file deletion on transaction rollback
-Test Improvement: Ensure more files are properly closed during tests
-Test Bug Fix: Return the gemfile's syntax to normal
+* Improvement: After three long, hard years... we know how to upgrade
+* Bug Fix: #expiring_url returns 'missing' urls if nothing is attached
+* Improvement: Lots of documentation fixes
+* Improvement: Lots of fixes for Ruby warnings
+* Improvement: Test the most appropriate Ruby/Rails comobinations on Travis
+* Improvement: Delegate more IO methods through IOAdapters
+* Improvement: Remove Rails 4 deprecations
+* Improvement: Both S3's and Fog's #expiring_url can take a Time or Int
+* Bug Fix: Both S3's and Fog's expiring_url respect style when missing the file
+* Bug Fix: Timefiles will have a reasonable-length name. They're all MD5 hashes now
+* Bug Fix: Don't delete files off S3 when reprocessing due to AWS inconsistencies
+* Bug Fix: "swallow_stream" isn't thread dafe. Use :swallow_stderr
+* Improvement: Regexps use \A and \Z instead of ^ and $
+* Improvement: :s3_credentials can take a lambda as an argument
+* Improvement: Search up the class heirarchy for attachments
+* Improvement: deep_merge options instead of regular merge
+* Bug Fix: Prevent file deletion on transaction rollback
+* Test Improvement: Ensure more files are properly closed during tests
+* Test Bug Fix: Return the gemfile's syntax to normal
 
 New in 3.5.2:
 

data/README.md

@@ -104,6 +104,7 @@ Quick Start
 class User < ActiveRecord::Base
   attr_accessible :avatar
   has_attached_file :avatar, :styles => { :medium => "300x300>", :thumb => "100x100>" }, :default_url => "/images/:style/missing.png"
+  validates_attachment_content_type :avatar, :content_type => /\Aimage\/.*\Z/
 end
 ```
 
@@ -112,6 +113,7 @@ end
 ```ruby
 class User < ActiveRecord::Base
   has_attached_file :avatar, :styles => { :medium => "300x300>", :thumb => "100x100>" }, :default_url => "/images/:style/missing.png"
+  validates_attachment_content_type :avatar, :content_type => /\Aimage\/.*\Z/
 end
 ```
 
@@ -302,6 +304,38 @@ validates_attachment :avatar,
 `Paperclip::ContentTypeDetector` will attempt to match a file's extension to an
 inferred content_type, regardless of the actual contents of the file.
 
+Security Validations
+====================
+
+NOTE: Starting at version 4.0.0, all attachments are *required* to include a
+content_type validation, a file_name validation, or to explicitly state that
+they're not going to have either. *Paperclip will raise an error* if you do not
+do this.
+
+```ruby
+class ActiveRecord::Base
+  has_attached_file :avatar
+# Validate content type
+  validates_attachment_content_type :avatar, :content_type => /\Aimage/
+# Validate filename
+  validates_attachment_file_name :avatar, :matches => [/png\Z/, /jpe?g\Z/]
+# Explicitly do not validate
+  do_not_validate_attachment_file_type :avatar
+end
+```
+
+This keeps Paperclip secure-by-default, and will prevent people trying to mess
+with your filesystem.
+
+NOTE: Also starting at version 4.0.0, Paperclip has another validation that
+cannot be turned off. This validation will prevent content type spoofing. That
+is, uploading, say, a PHP document as part of the EXIF tags of a well-formed
+JPEG. This check is limited to the media type (the first part of the MIME type,
+so, 'text' in 'text/plain'). This will prevent HTML documents from being
+uploaded as JPEGs, but will not prevent GIFs from being uploaded with a .jpg
+extension. This validation will only add validation errors to the form. It will
+not cause Errors to be raised.
+
 Defaults
 --------
 Global defaults for all your paperclip attachments can be defined by changing the Paperclip::Attachment.default_options Hash, this can be useful for setting your default storage settings per example so you won't have to define them in every has_attached_file definition.
@@ -754,5 +788,5 @@ The names and logos for thoughtbot are trademarks of thoughtbot, inc.
 License
 -------
 
-Paperclip is Copyright © 2008-2013 thoughtbot, inc. It is free software, and may be
+Paperclip is Copyright © 2008-2014 thoughtbot, inc. It is free software, and may be
 redistributed under the terms specified in the MIT-LICENSE file.

data/features/step_definitions/attachment_steps.rb

@@ -11,8 +11,10 @@ World(AttachmentHelpers)
 
 When /^I modify my attachment definition to:$/ do |definition|
   content = in_current_dir { File.read("app/models/user.rb") }
+  name = content[/has_attached_file :\w+/][/:\w+/]
   content.gsub!(/has_attached_file.+end/m, <<-FILE)
       #{definition}
+      do_not_validate_attachment_file_type #{name}
     end
   FILE
 

data/features/step_definitions/rails_steps.rb

@@ -69,6 +69,7 @@ def attach_attachment(name, definition = nil)
     snippet += ", \n"
     snippet += definition
   end
+  snippet += "\ndo_not_validate_attachment_file_type :#{name}\n"
   in_current_dir do
     transform_file("app/models/user.rb") do |content|
       content.sub(/end\Z/, "#{snippet}\nend")

data/lib/paperclip.rb

@@ -43,6 +43,7 @@ require 'paperclip/attachment'
 require 'paperclip/storage'
 require 'paperclip/callbacks'
 require 'paperclip/file_command_content_type_detector'
+require 'paperclip/media_type_spoof_detector'
 require 'paperclip/content_type_detector'
 require 'paperclip/glue'
 require 'paperclip/errors'

data/lib/paperclip/attachment.rb

@@ -1,6 +1,7 @@
 # encoding: utf-8
 require 'uri'
 require 'paperclip/url_generator'
+require 'active_support/deprecation'
 
 module Paperclip
   # The Attachment class manages the files for a given attachment. It saves
@@ -93,6 +94,7 @@ module Paperclip
     #   new_user.avatar = old_user.avatar
     def assign uploaded_file
       ensure_required_accessors!
+      ensure_required_validations!
       file = Paperclip.io_adapters.for(uploaded_file)
 
       return nil if not file.assignment?
@@ -166,6 +168,18 @@ module Paperclip
       path.respond_to?(:unescape) ? path.unescape : path
     end
 
+    # :nodoc:
+    def staged_path(style_name = default_style)
+      if staged?
+        @queued_for_write[style_name].path
+      end
+    end
+
+    # :nodoc:
+    def staged?
+      ! @queued_for_write.empty?
+    end
+
     # Alias to +url+
     def to_s style_name = default_style
       url(style_name)
@@ -373,6 +387,16 @@ module Paperclip
       @options[:path].respond_to?(:call) ? @options[:path].call(self) : @options[:path]
     end
 
+    def active_validator_classes
+      @instance.class.validators.map(&:class)
+    end
+
+    def ensure_required_validations!
+      if (active_validator_classes & Paperclip::REQUIRED_VALIDATORS).empty?
+        raise Paperclip::Errors::MissingRequiredValidatorError
+      end
+    end
+
     def ensure_required_accessors! #:nodoc:
       %w(file_name).each do |field|
         unless @instance.respond_to?("#{name}_#{field}") && @instance.respond_to?("#{name}_#{field}=")
@@ -482,7 +506,7 @@ module Paperclip
       end
     end
 
-    # called by storage after the writes are flushed and before @queued_for_writes is cleared
+    # called by storage after the writes are flushed and before @queued_for_write is cleared
     def after_flush_writes
       @queued_for_write.each do |style, file|
         file.close unless file.closed?

data/lib/paperclip/callbacks.rb

@@ -7,7 +7,7 @@ module Paperclip
 
     module Defining
       def define_paperclip_callbacks(*callbacks)
-        define_callbacks *[callbacks, {:terminator => "result == false"}].flatten
+        define_callbacks(*[callbacks, {:terminator => "result == false"}].flatten)
         callbacks.each do |callback|
           eval <<-end_callbacks
             def before_#{callback}(*args, &blk)

data/lib/paperclip/content_type_detector.rb

@@ -32,10 +32,6 @@ module Paperclip
         EMPTY_TYPE
       elsif calculated_type_matches.any?
         calculated_type_matches.first
-      elsif official_type_matches.any?
-        official_type_matches.first
-      elsif unofficial_type_matches.any?
-        unofficial_type_matches.first
       else
         type_from_file_command || SENSIBLE_DEFAULT
       end.to_s
@@ -46,7 +42,7 @@ module Paperclip
     def empty_file?
       File.exists?(@filename) && File.size(@filename) == 0
     end
-    
+
     alias :empty? :empty_file?
 
     def blank_name?
@@ -61,14 +57,6 @@ module Paperclip
       possible_types.select{|content_type| content_type == type_from_file_command }
     end
 
-    def official_type_matches
-      possible_types.reject{|content_type| content_type.match(/\/x-/) }
-    end
-
-    def unofficial_type_matches
-      possible_types.select{|content_type| content_type.match(/\/x-/) }
-    end
-
     def type_from_file_command
       @type_from_file_command ||= FileCommandContentTypeDetector.new(@filename).detect
     end

data/lib/paperclip/errors.rb

@@ -13,6 +13,11 @@ module Paperclip
     class CommandNotFoundError < Paperclip::Error
     end
 
+    # Attachments require a content_type or file_name validator,
+    # or to have explicitly opted out of them.
+    class MissingRequiredValidatorError < Paperclip::Error
+    end
+
     # Will be thrown when ImageMagic cannot determine the uploaded file's
     # metadata, usually this would mean the file is not an image.
     class NotIdentifiedByImageMagickError < Paperclip::Error

data/lib/paperclip/has_attached_file.rb

@@ -18,6 +18,7 @@ module Paperclip
       register_new_attachment
       add_active_record_callbacks
       add_paperclip_callbacks
+      add_required_validations
     end
 
     private
@@ -77,6 +78,10 @@ module Paperclip
       Paperclip::AttachmentRegistry.register(@klass, @name, @options)
     end
 
+    def add_required_validations
+      @klass.validates_media_type_spoof_detection @name
+    end
+
     def add_active_record_callbacks
       name = @name
       @klass.send(:after_save) { send(name).send(:save) }

data/lib/paperclip/io_adapters/abstract_adapter.rb

@@ -34,7 +34,7 @@ module Paperclip
     private
 
     def destination
-      @destination ||= TempfileFactory.new.generate(original_filename)
+      @destination ||= TempfileFactory.new.generate
     end
 
     def copy_to_tempfile(src)

data/lib/paperclip/io_adapters/attachment_adapter.rb

@@ -20,11 +20,11 @@ module Paperclip
       @size = @tempfile.size || @target.size
     end
 
-    def copy_to_tempfile(src)
-      if src.respond_to? :copy_to_local_file
-        src.copy_to_local_file(@style, destination.path)
+    def copy_to_tempfile(source)
+      if source.staged?
+        FileUtils.cp(source.staged_path(@style), destination.path)
       else
-        FileUtils.cp(src.path(@style), destination.path)
+        source.copy_to_local_file(@style, destination.path)
       end
       destination
     end

data/lib/paperclip/io_adapters/data_uri_adapter.rb

@@ -4,19 +4,14 @@ module Paperclip
     REGEXP = /\Adata:([-\w]+\/[-\w\+]+);base64,(.*)/m
 
     def initialize(target_uri)
-      @target_uri = target_uri
-      cache_current_values
-      @tempfile = copy_to_tempfile
+      super(extract_target(target_uri))
     end
 
     private
 
-    def cache_current_values
-      self.original_filename = 'base64.txt'
-      data_uri_parts ||= @target_uri.match(REGEXP) || []
-      @content_type = data_uri_parts[1] || 'text/plain'
-      @target = StringIO.new(Base64.decode64(data_uri_parts[2] || ''))
-      @size = @target.size
+    def extract_target(uri)
+      data_uri_parts = uri.match(REGEXP) || []
+      StringIO.new(Base64.decode64(data_uri_parts[2] || ''))
     end
 
   end

data/lib/paperclip/io_adapters/stringio_adapter.rb

@@ -2,8 +2,8 @@ module Paperclip
   class StringioAdapter < AbstractAdapter
     def initialize(target)
       @target = target
-      cache_current_values
       @tempfile = copy_to_tempfile
+      cache_current_values
     end
 
     attr_writer :content_type
@@ -11,13 +11,10 @@ module Paperclip
     private
 
     def cache_current_values
-      @original_filename = @target.original_filename if @target.respond_to?(:original_filename)
-      @original_filename ||= "stringio.txt"
-      self.original_filename = @original_filename.strip
-
-      @content_type = @target.content_type if @target.respond_to?(:content_type)
-      @content_type ||= "text/plain"
-
+      @content_type = ContentTypeDetector.new(@tempfile.path).detect
+      original_filename = @target.original_filename if @target.respond_to?(:original_filename)
+      original_filename ||= "data.#{extension_for(@content_type)}"
+      self.original_filename = original_filename.strip
       @size = @target.size
     end
 
@@ -29,6 +26,11 @@ module Paperclip
       destination
     end
 
+    def extension_for(content_type)
+      type = MIME::Types[content_type].first
+      type && type.extensions.first
+    end
+
   end
 end
 

data/lib/paperclip/media_type_spoof_detector.rb

@@ -0,0 +1,36 @@
+module Paperclip
+  class MediaTypeSpoofDetector
+    def self.using(file, name)
+      new(file, name)
+    end
+
+    def initialize(file, name)
+      @file = file
+      @name = name
+    end
+
+    def spoofed?
+      if ! @name.blank?
+        ! supplied_file_media_type.include?(calculated_media_type)
+      end
+    end
+
+    private
+
+    def supplied_file_media_type
+      MIME::Types.type_for(@name).collect(&:media_type)
+    end
+
+    def calculated_media_type
+      type_from_file_command.split("/").first
+    end
+
+    def type_from_file_command
+      begin
+        Paperclip.run("file", "-b --mime-type :file", :file => @file.path)
+      rescue Cocaine::CommandLineError
+        ""
+      end
+    end
+  end
+end

data/lib/paperclip/tempfile_factory.rb

@@ -1,7 +1,7 @@
 module Paperclip
   class TempfileFactory
 
-    def generate(name)
+    def generate(name = random_name)
       @name = name
       file = Tempfile.new([basename, extension])
       file.binmode
@@ -15,5 +15,9 @@ module Paperclip
     def basename
       Digest::MD5.hexdigest(File.basename(@name, extension))
     end
+
+    def random_name
+      SecureRandom.uuid
+    end
   end
 end