Do not allow file type spoofing if the header bytes are not recognized #1942

merged 1 commit into from Apr 30, 2019
2 changes: 1 addition & 1 deletion lib/carrierwave/sanitized_file.rb
Expand Up @@ -315,7 +315,7 @@ def existing_content_type
end

def mime_magic_content_type
MimeMagic.by_magic(File.open(path)).try(:type) if path
MimeMagic.by_magic(File.open(path)).try(:type) || 'invalid/invalid' if path
rescue Errno::ENOENT
nil
end
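Review bot: The new line still opens the file with `File.open(path)` and never closes it, so every content-type check leaks a descriptor until garbage collection; the block form releases it as soon as MimeMagic has read the header, e.g. `File.open(path) { |f| MimeMagic.by_magic(f) }.try(:type) || 'invalid/invalid' if path`. The `'invalid/invalid'` sentinel is a sound default for the spoofing case, because a file whose header bytes are not recognised no longer inherits whatever type the client declared, but it applies equally to legitimate formats that MimeMagic cannot identify by magic, so a comment on `def mime_magic_content_type` should name that trade-off, something like `# Unrecognised magic bytes yield 'invalid/invalid' instead of trusting the declared type; formats with no magic signature get the same result`. The method starts and ends inside the hunk, so the `rescue Errno::ENOENT` clause does cover the new `File.open` call.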
4 changes: 4 additions & 0 deletions spec/fixtures/spoof.png
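--- a/spec/sanitized_file_spec.rb
+++ b/spec/sanitized_file_spec.rb
@@ -207,6 +207,17 @@
 sanitized_file.content_type.should == 'image/jpeg'
 end
 
+it 'does not allow spoofing of the mime type if the mime type is not detectable' do
+file = File.open(file_path('spoof.png'))
+
+sanitized_file = CarrierWave::SanitizedFile.new(file)
+
+lambda { sanitized_file.content_type }.should_not raise_error
+
+sanitized_file.content_type.should_not == 'image/png'
+sanitized_file.content_type.should == 'invalid/invalid'
+end
+
 it 'does not raise an error if the path is not present' do
 sanitized_file = CarrierWave::SanitizedFile.new(nil)
 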
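Review bot: The handle from `file = File.open(file_path('spoof.png'))` at the top of the new example is never closed, so the fixture stays open for the rest of the suite; either close it at the end of the example or open it in a block and build the `SanitizedFile` inside it. The fixture itself cannot be displayed on this page, so the example is the only place a reader learns what makes it a spoof; a comment above the `File.open` line, e.g. `# spoof.png: .png filename whose header bytes MimeMagic does not recognise (presumably; confirm against the fixture)`, would record that. The `should_not == 'image/png'` check is implied by the `should == 'invalid/invalid'` check that follows, which is fine to keep as a statement of intent but worth knowing is redundant.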
1 change: 1 addition & 0 deletions spec/spec_helper.rb
Expand Up @@ -90,6 +90,7 @@ def stub_stringio(filename, mime_type=nil, fake_name=nil)

def stub_file(filename, mime_type=nil, fake_name=nil)
f = File.open(file_path(filename))
f.stub(:content_type) { mime_type } if mime_type
return f
end
end
2 changes: 2 additions & 0 deletions spec/storage/fog_helper.rb
Expand Up @@ -309,6 +309,7 @@ class FogSpec#{fog_credentials[:provider]}Uploader < CarrierWave::Uploader::Base
describe "with a valid path" do
before do
@file = CarrierWave::SanitizedFile.new(file_path('test.jpg'))
@file.file.stub(:content_type) { 'image/jpeg' }
@file.should_not be_empty
end

Expand All @@ -318,6 +319,7 @@ class FogSpec#{fog_credentials[:provider]}Uploader < CarrierWave::Uploader::Base
describe "with a valid Pathname" do
before do
@file = CarrierWave::SanitizedFile.new(Pathname.new(file_path('test.jpg')))
@file.file.stub(:content_type) { 'image/jpeg' }
@file.should_not be_empty
end

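Review bot: `@file.file.stub(:content_type) { 'image/jpeg' }` in the first `before` block (and again in the second hunk) bypasses the detection path this PR hardens, so these storage examples keep passing even if magic-based detection regresses. If the stub is needed because `test.jpg` is not recognised by MimeMagic, which the fixture swap in spec/uploader/proxy_spec.rb suggests, using a fixture with genuine JPEG header bytes such as `landscape.jpg` would exercise the real code instead. If the stub is intentional, a one-line comment saying so, e.g. `# pin the type so these examples test fog storage, not mime detection`, saves the next reader the same question. Both `before` blocks belong to `describe` blocks whose closing `end` lies outside the hunks.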
2 changes: 1 addition & 1 deletion spec/uploader/proxy_spec.rb
Expand Up @@ -57,7 +57,7 @@
end

it "should get the content type when the file has been cached" do
@uploader.cache!(File.open(file_path('test.jpg')))
@uploader.cache!(File.open(file_path('landscape.jpg')))
@uploader.content_type.should == 'image/jpeg'
end

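Review bot: The fixture swap from `test.jpg` to `landscape.jpg` carries no explanation in the example, so a later contributor is likely to revert it when tidying fixtures; a comment on the `@uploader.cache!` line such as `# landscape.jpg has header bytes MimeMagic identifies as JPEG; test.jpg presumably does not (confirm against the fixtures)` records the reason. The enclosing `it` block is fully inside the hunk.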