I have been investigating some issues lately about file uploads and mimetype determination and was looking at how CarrierWave implements it, and also how other projects implement it.

I saw in the source code of CarrierWave that it primarily relies on the given content_type of the file being attached (carrierwave/lib/carrierwave/sanitized_file.rb, lines 261 to 266 in d50d80e).

As most files used by CarrierWave are potentially uploaded this can be an entry point for abuse, as the given content_type can be easily spoofed, as also has been mentioned here #1942 (comment).

With the recognition here #2465 (comment) as well that spoofing protection will become more important, is it maybe an idea to not rely on the existing content type, and fully rely on the content type given by tools such as Marcel?

This is by the way how it is now solved in ActiveStorage: https://github.com/rails/rails/blob/e848e8861d5c9221b77e039c2f041abced3aa577/activestorage/app/models/active_storage/blob/identifiable.rb#L21-L23

Is there any official patch/solution to this issue? I am thinking of patching SanitizedFile to ignore the existing content type if the file is an instance of ActionDispatch::Http::UploadedFile.
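To illustrate the point of the issue, here is an added example (not CarrierWave's or Marcel's code) that derives an upload's content type from its leading bytes instead of the client-supplied content_type, and rejects the upload when the sniffed type is not on an allowlist. The signature table, the function names and the sample inputs are all constructed for this example; a real deployment would delegate the sniffing to Marcel.

```ruby
# Constructed, deliberately small magic-byte table: a real sniffer such as
# Marcel knows far more types and also checks extensions and declared types.
MAGIC = [
  ["\x89PNG\r\n\x1a\n".b, "image/png"],
  ["\xFF\xD8\xFF".b,       "image/jpeg"],
  ["GIF87a".b,             "image/gif"],
  ["GIF89a".b,             "image/gif"],
  ["%PDF-".b,              "application/pdf"],
].freeze

# Returns the MIME type implied by the leading bytes, or the generic
# "application/octet-stream" when nothing in the table matches.
def sniff_content_type(bytes)
  head = bytes.b[0, 16]
  match = MAGIC.find { |sig, _| head.start_with?(sig) }
  match ? match[1] : "application/octet-stream"
end

# Models what a hardened SanitizedFile#content_type could do: the declared
# (client-supplied) type is kept only for reporting, never trusted.
def resolve_content_type(declared, bytes)
  sniffed = sniff_content_type(bytes)
  { declared: declared, sniffed: sniffed, spoofed: declared != sniffed }
end

# Allowlist check an uploader would run: accept only when the sniffed type
# is allowed, regardless of what the request claimed.
def allowed_upload?(declared, bytes, allowlist)
  allowlist.include?(resolve_content_type(declared, bytes)[:sniffed])
end

# Constructed sample uploads.
REAL_PNG = "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR".b
FAKE_PNG = "<html><body>not an image</body></html>".b  # sent as image/png

if $PROGRAM_NAME == __FILE__
  p resolve_content_type("image/png", REAL_PNG)
  p resolve_content_type("image/png", FAKE_PNG)
end
```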