Mitigate against CVE-2016-3714 (ImageTragick) #1934
@@ -1,5 +1,6 @@ | ||
require 'pathname' | ||
require 'active_support/core_ext/string/multibyte' | ||
require 'mimemagic' | ||
|
||
begin | ||
# Use mime/types/columnar if available, for reduced memory usage | ||
|
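Review bot: the new `require 'mimemagic'` on line 3 is unconditional, unlike the `mime/types` require just below it, which sits inside a begin block so that an optional variant can be tried first. That makes mimemagic a hard runtime dependency, and no gemspec change is visible in this diff; please confirm the gemspec declares mimemagic in the same PR, otherwise every existing installation that upgrades will fail at load time with a LoadError before `content_type` is ever reached.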
@@ -264,12 +265,10 @@ def to_file | |
# [String] the content type of the file | ||
# | ||
def content_type | ||
return @content_type if @content_type | ||
if @file.respond_to?(:content_type) and @file.content_type | ||
@content_type = @file.content_type.to_s.chomp | ||
elsif path | ||
@content_type = ::MIME::Types.type_for(path).first.to_s | ||
end | ||
@content_type ||= | ||
existing_content_type || | ||
mime_magic_content_type || | ||
mime_types_content_type | ||
end | ||
|
||
## | ||
|
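Review bot: the fallback order in the new `content_type` undermines the mitigation the PR title promises: `existing_content_type` is consulted first, and that is the Content-Type the client sent with the upload, which an attacker chooses freely. A text MVG or SVG file uploaded with a declared `image/png` therefore still reports `image/png`, `mime_magic_content_type` is never consulted, and a whitelist keyed on `content_type` passes the file to ImageMagick. Put `mime_magic_content_type` first, or treat a mismatch between the sniffed type and the declared type as a validation failure, and keep `mime_types_content_type` (an extension lookup only) as the last resort. Note also that `::MIME::Types.type_for(path).first.to_s` returns `""` rather than nil for an unknown extension, so `@content_type ||=` will memoise an empty string on that path; that is pre-existing behaviour, but it means the chain cannot fall back any further once that branch runs.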
@@ -329,6 +328,22 @@ def sanitize(name) | |
return name.mb_chars.to_s | ||
end | ||
|
||
def existing_content_type | ||
if @file.respond_to?(:content_type) && @file.content_type | ||
@file.content_type.to_s.chomp | ||
end | ||
end | ||
|
||
def mime_magic_content_type | ||
MimeMagic.by_magic(File.open(path)).try(:type) if path | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is there a reason we can't use the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This also causes a file handle to be left open. When upgrading from 0.11.0 to 0.11.1, all my upload tests started to fail as I always check all files are closed https://github.com/obduk/cms/blob/master/spec/support/all/bad_tests.rb#L2 I tracked it down to this code, which as also been backported in to 0.11.1 in #1936 I don't mind fixing it, but don't want to cause collisions with lines that people are already working on? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Feel free to do it. We still don't have a proper solution. Would appreciate it very much. |
||
rescue Errno::ENOENT | ||
nil | ||
end | ||
|
||
def mime_types_content_type | ||
::MIME::Types.type_for(path).first.to_s if path | ||
end | ||
|
||
def split_extension(filename) | ||
# regular expressions to try for identifying extensions | ||
extension_matchers = [ | ||
|
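Review bot: `MimeMagic.by_magic(File.open(path))` in `mime_magic_content_type` leaks a file descriptor on every call: `File.open` without a block is never closed and stays open until the GC finalises the object, which is exactly what the failing close-all-files tests in the thread are catching. Pass a block so the handle is closed deterministically, and open in binary mode so no newline translation touches the magic bytes, e.g. `File.open(path, 'rb') { |f| MimeMagic.by_magic(f) }.try(:type) if path`. Two smaller points: `.try` is ActiveSupport's `Object#try`, but this file only requires `active_support/core_ext/string/multibyte`, so outside a Rails process it needs `require 'active_support/core_ext/object/try'`; and the `rescue Errno::ENOENT` covers only a missing file, so a path that exists but cannot be opened (permissions, a directory) raises out of `content_type` instead of falling through to `mime_types_content_type`.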
There is a typo here: extension_type_whitelist should be just extension_whitelist.
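The following is an added example, not part of the PR and not CarrierWave's code. It shows the two points raised in the thread in runnable form: the real type is decided from the file's leading bytes before the client's declared Content-Type is even looked at, and the handle is closed by the block form of File.open (the leak-counting helper mirrors the close-all-files check the commenter mentions). The signature table, the helper names sniff_content_type, safe_image?, open_file_handles and demo, and the sample uploads are this example's own assumptions; MimeMagic is replaced by a hand-rolled table so the code runs offline.

```ruby
# Added example, not CarrierWave's code: a minimal magic-number sniffer used to
# decide whether an upload may be passed to ImageMagick. It assumes a hand-rolled
# signature table (MAGIC) in place of the MimeMagic database, and the helper
# names sniff_content_type / safe_image? / open_file_handles / demo are its own.
require 'tempfile'

# Leading-byte signatures for the raster formats an image whitelist typically
# allows. Constructed for this example; MimeMagic carries a far larger table.
MAGIC = {
  'image/png'  => ["\x89PNG\r\n\x1a\n".b],
  'image/jpeg' => ["\xFF\xD8\xFF".b],
  'image/gif'  => ['GIF87a'.b, 'GIF89a'.b]
}.freeze

IMAGE_WHITELIST = MAGIC.keys.freeze

# Number of File objects that are still open. A File.open without a block
# stays in this count until the GC finalises it, which is the leak the PR
# discussion describes.
def open_file_handles
  ObjectSpace.each_object(File).count do |f|
    begin
      !f.closed?
    rescue IOError
      false # uninitialized stream, not a held descriptor
    end
  end
end

# Type implied by the file's first bytes, or nil when no signature matches.
# The block form of File.open closes the handle even if the read raises, and
# 'rb' prevents any newline translation from touching the magic bytes.
def sniff_content_type(path)
  header = File.open(path, 'rb') { |f| f.read(16) } || ''.b
  MAGIC.each do |type, signatures|
    return type if signatures.any? { |sig| header.start_with?(sig) }
  end
  nil
rescue Errno::ENOENT
  nil
end

# True only when the bytes prove a whitelisted raster format AND the client's
# declared Content-Type (attacker controlled, possibly absent) does not
# contradict them. The sniffed type is decided first; the declaration never
# overrides it, which is the ordering the mitigation needs.
def safe_image?(path, declared)
  sniffed = sniff_content_type(path)
  return false unless IMAGE_WHITELIST.include?(sniffed)
  declared.nil? || declared == sniffed
end

# Constructed sample uploads: a genuine PNG header, and a text-based MVG
# vector file renamed to .png and declared as image/png. Returns the
# decisions plus the number of handles left open by the sniffing step.
def demo
  results = {}
  Tempfile.create(['genuine', '.png']) do |f|
    f.binmode
    f.write("\x89PNG\r\n\x1a\n".b + ("\x00" * 8).b)
    f.flush
    before = open_file_handles
    results[:png_declared_png] = safe_image?(f.path, 'image/png')
    results[:handles_leaked]   = open_file_handles - before
  end
  Tempfile.create(['disguised', '.png']) do |f|
    f.write("push graphic-context\nviewbox 0 0 640 480\n")
    f.flush
    results[:mvg_declared_png] = safe_image?(f.path, 'image/png')
    results[:mvg_declared_svg] = safe_image?(f.path, 'image/svg+xml')
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Running the file prints one line per decision: the genuine PNG is accepted, the disguised MVG is rejected whatever type the client declares for it, and the handle count before and after sniffing is unchanged. Swapping the order so that the declared type wins, as the PR's `content_type` chain does, would make the disguised file pass.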