Fix a possible security issue with spoofing #2
Open: psergus wants to merge 1,050 commits into v.2.7.0 from v.2.7.0.fix (base: v.2.7.0)
Conversation
update README.me: add missing 'end'
Before the error message was sometimes millions of characters long.

> [paperclip] Content Type Spoof: Filename a.csv
> (application/octet-stream from Headers,
> [#<MIME::Type::Columnar:0x007f9f90f89fa8
> @container=#<MIME::Types:0x007f9f90b09d98 ... snip millions of
> characters of output here ...>], @content_type="text/csv",
> @raw_media_type="text", @raw_sub_type="csv", @simplified="text/csv",
> @i18n_key="text.csv", @media_type="text", @sub_type="csv",
> @extensions=["csv"]>] from Extension), content type discovered from
> file command: application/zip. See documentation to allow this
> combination.

Now becomes:

> [paperclip] Content Type Spoof: Filename a.csv
> (application/octet-stream from Headers,
> ["text/comma-separated-values", "text/csv"] from Extension), content
> type discovered from file command: application/zip. See documentation
> to allow this combination.

[fixes thoughtbot#2017]
Add context from: thoughtbot#2021 [ci skip]
added the comma in line 54
* Regression fix
* Add specs for intermediate_files var in Paperclip::Attachment [fixes thoughtbot#1908]
By using the attachment name (symbol) and Class as keys, we reduce the number of Strings created before hitting the cache.
This commit primarily uses frozen strings to reduce object creation during interpolation. The :basename method now uses File.basename(file, ".*") rather than a Regexp. basename may be called multiple times.
The name string is used multiple times in interpolation, so storing it reduces object creation.
Something in aruba 0.10.x is breaking the cucumber specs.
Resolve broken CI tests due to upstream gem changes
Inspected by https://github.com/dkhamsing/frankenstein [ci skip]
Something in aruba 0.10.x is breaking the cucumber specs.
…g_v4.3 Cache interpolator methods and reduce memory allocations - rebased on v4.3
Includes memory usage adjustments. Conflicts: lib/paperclip/storage/s3.rb
Fix merge problem with S3 storage
Update README with version requirement for aws-sdk
* Add deprecation notice to README

Addresses new projects, existing projects, issues, and PRs.
"key" is a reserved keyword in MariaDB, so the SQL statement fails. Surrounding the keyword in backticks fixes the error.
This causes the previous image to be erased when the id changes to above `999_999_999`, for example:

```
2.3.6 :010 > id
 => 1000602578
2.3.6 :011 > ("%09d".freeze % id).scan(/\d{3}/).join("/".freeze)
 => "100/060/257"
```
Since the supported version is Ruby 2.0 or later, the magic comment is unnecessary.

> The UTF-8 default encoding, which make many magic comments omissible

https://www.ruby-lang.org/en/news/2013/02/24/ruby-2-0-0-p0-is-released/
e.g., the way Google stores its user profile photos (from their OAuth2 API): https://lh3.googleusercontent.com/-aRHQV4YjnBM/AAAAAAAAAAI/AAAAAAAAAAo/ngSjy9-yR5c/photo.jpg
Encountered an issue where the URI was returning a header with content-disposition where the filename value wasn't enclosed in double quotes. Turns out that this is valid grammar according to RFC 6266. Also made the logic more robust to account for spaces and uppercase letters.
This validation was causing an issue when there is no content_type column in the database, as the content type of the attachment would be empty. There should be no need to check the attachment's validity because this `#reprocess!` method is running internally on the server. Fix thoughtbot#2078
While using the Paperclip gem, we noticed during some ad-hoc testing that if you do not supply an extension when uploading a file, Paperclip effectively skipped its spoofing check, which allowed potentially dangerous files to slip through into your application. This addresses that by moving the checks around a little bit and only testing against the extension when there is one.
As described in thoughtbot#2118, `OpenURI::Meta#content_type` will return `application/octet-stream` when no `content-type` header is set. Using the original `meta` fixes this issue.
# Conflicts:
# lib/paperclip/upfile.rb
This is a patch that addresses this problem: https://robots.thoughtbot.com/paperclip-security-release
The description is the following:
The patch was inspired by the commit to a recent version: thoughtbot@9aee411
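To illustrate the gap described in the "skipped its spoofing check" commit and the log line quoted in the error-message commit, here is a simplified model of a media-type spoof check with the extension-guarded version beside a version that still compares the declared type against the `file`-detected type when there is no extension. This is added example code, not Paperclip's own detector; the extension table, the `application/octet-stream` handling and the function names are assumptions.

```ruby
# Constructed extension -> content-type table (a real app would use the
# mime-types gem); only media types (the part before "/") are compared.
EXT_TYPES = {
  "csv" => ["text/csv", "text/comma-separated-values"],
  "jpg" => ["image/jpeg"],
  "png" => ["image/png"],
}.freeze

def media_type(content_type)
  content_type.to_s.split("/").first.to_s.downcase
end

# Media types implied by the filename extension; empty when there is none.
def media_types_from_name(filename)
  ext = File.extname(filename).sub(/\A\./, "").downcase
  EXT_TYPES.fetch(ext, []).map { |t| media_type(t) }
end

# Before the fix: with no extension there is nothing to compare the name
# against, so the whole check is skipped and a header/file disagreement
# (e.g. "image/png" declared, a script detected) is never noticed.
def spoofed_before(filename, supplied, detected)
  from_name = media_types_from_name(filename)
  return false if from_name.empty? # the gap: no extension => no check
  supplied_mismatch = !supplied.to_s.empty? && !from_name.include?(media_type(supplied))
  detected_mismatch = !from_name.include?(media_type(detected))
  supplied_mismatch && detected_mismatch
end

# After the fix: the extension is consulted only when present; otherwise the
# declared (header) media type is compared directly with what `file` reports.
def spoofed_after(filename, supplied, detected)
  from_name = media_types_from_name(filename)
  detected_mt = media_type(detected)
  if from_name.empty?
    # octet-stream declares nothing, so there is nothing to contradict;
    # the application's allowed-content-type validation must decide.
    return false if supplied.to_s.empty? || supplied == "application/octet-stream"
    return media_type(supplied) != detected_mt
  end
  supplied_mismatch = !supplied.to_s.empty? && !from_name.include?(media_type(supplied))
  detected_mismatch = !from_name.include?(detected_mt)
  supplied_mismatch && detected_mismatch
end

# The a.csv case from the quoted log: octet-stream header, csv extension, zip detected.
puts spoofed_after("a.csv", "application/octet-stream", "application/zip") # true
# Constructed no-extension upload: only the fixed version flags it.
puts spoofed_before("payload", "image/png", "application/x-sh") # false
puts spoofed_after("payload", "image/png", "application/x-sh")  # true
```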