Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not allow file type spoofing if the header bytes are not recognized #1942

Merged
merged 1 commit into from Apr 30, 2019
Merged

Do not allow file type spoofing if the header bytes are not recognized #1942

merged 1 commit into from Apr 30, 2019

Conversation

locriani
Copy link
Contributor

@locriani locriani commented May 7, 2016

This fixes an issue raised in #1934, where a malicious user could bypass the stricter mime-type checking by choosing header bytes that are not recognized by the mimemagic gem.

@myers
Copy link

myers commented May 11, 2016

I think you are on the right path here. One concern I have after testing 0.11.3 in my own app, is that existing_content_type trust what @file says about itself. When you are uploading a file this is an instance of ActionDispatch::Http::UploadedFile which has the content type set to a value form the browser, which shouldn't be trusted. I think content_type should only trust mime_magic_content_type.

@mshibuya mshibuya added this to the Release v2.0.0 milestone Apr 29, 2019
@mshibuya mshibuya merged commit 072e3c2 into carrierwaveuploader:0.11-stable Apr 30, 2019
@mshibuya mshibuya mentioned this pull request Sep 19, 2019
Closed
@MarcelEeken MarcelEeken mentioned this pull request May 21, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Release v2.0.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@locriani @myers @mshibuya