
Paperclip CVE affects pageflow #1089

Closed
Eusebius1920 opened this issue Dec 4, 2018 · 3 comments

@Eusebius1920

For pageflow (12.4.0) there is an explicit dependency on paperclip 4.2.4, which recently disclosed CVE-2017-0889:

thoughtbot/paperclip#2530 (comment)

Does this affect pageflow?

@tf
Member

tf commented Dec 4, 2018

Pageflow 13 circumvents the issue by upgrading to Paperclip 6 which no longer registers the problematic HttpUrlProxyAdapter. Pageflow 13 still requires the UriAdapter, which is also disabled by default since Paperclip 5.2. But since Pageflow does not pass unvalidated Uri objects to Paperclip attachment, this should be ok.

Since no fixed 4.x version of Paperclip is available, there is no way for Pageflow 12.x to be updated without including the breaking changes of Paperclip 5. A monkeypatch to disable io adapters in Paperclip 4 can be found in this blog post
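To make the mitigation tf describes concrete, here is an added, self-contained Ruby example that is not Pageflow's code, not Paperclip's code and not the blog post's patch. It uses a constructed stand-in for Paperclip's adapter registry (the real class is `Paperclip::AdapterRegistry`, whose `register`/`unregister`/`handler_for` behaviour the stand-in mirrors from memory, so treat that correspondence as an assumption) and shows why a URL-shaped string or a `URI` object becomes dangerous while `HttpUrlProxyAdapter`/`UriAdapter` are registered, and that unregistering them makes such values fall through instead of triggering an outbound fetch. The sample inputs are constructed. In a real Rails app the equivalent one-off would be calls like `Paperclip.io_adapters.unregister(Paperclip::HttpUrlProxyAdapter)` in an initializer, which is my assumption about what the linked monkeypatch does.

```ruby
require 'uri'
require 'stringio'

# Constructed stand-in for Paperclip's adapter registry. It is NOT Paperclip's
# own code; it only mirrors the ordered-matcher dispatch that registry uses.
class AdapterRegistry
  AdapterNotFound = Class.new(StandardError)

  def initialize
    @handlers = [] # ordered [matcher_proc, handler_class] pairs
  end

  def register(handler_class, &matcher)
    @handlers << [matcher, handler_class]
  end

  def unregister(handler_class)
    @handlers.reject! { |_, klass| klass == handler_class }
  end

  # First handler whose matcher accepts the target wins.
  def handler_for(target)
    @handlers.each { |matcher, klass| return klass if matcher.call(target) }
    raise AdapterNotFound, target.inspect
  end
end

# Constructed handler stand-ins; only the names are borrowed from Paperclip.
class HttpUrlProxyAdapter; end   # would fetch any "http(s)://" String it is given
class UriAdapter; end            # would fetch any URI object it is given
class StringioAdapter; end       # wraps an in-memory StringIO (no network)
class UploadedFileAdapter; end   # wraps a Rack/ActionDispatch uploaded file

# Registration order modelled on Paperclip 4.x, where the URL-proxy adapter was
# registered by default and matched plain strings before anything else did.
def build_paperclip4_registry
  reg = AdapterRegistry.new
  reg.register(HttpUrlProxyAdapter) { |t| t.is_a?(String) && t =~ %r{\Ahttps?://} }
  reg.register(UriAdapter)          { |t| t.is_a?(URI) }
  reg.register(StringioAdapter)     { |t| t.is_a?(StringIO) }
  reg.register(UploadedFileAdapter) { |t| t.respond_to?(:tempfile) && t.respond_to?(:original_filename) }
  reg
end

# The mitigation from the thread: drop the two network-fetching adapters so a
# request-controlled string or URI can never be turned into an outbound request.
def disable_remote_adapters(registry)
  registry.unregister(HttpUrlProxyAdapter)
  registry.unregister(UriAdapter)
  registry
end

# Adapter class name a given attachment value would dispatch to, or :rejected
# when no adapter accepts it (Paperclip raises AdapterNotFound in that case).
def adapter_name_for(registry, value)
  registry.handler_for(value).name
rescue AdapterRegistry::AdapterNotFound
  :rejected
end

# Pageflow's stated second line of defence works at the call site instead:
# only hand Paperclip objects that are actual uploads, never raw request values.
def attachment_value_from_params(value)
  value.respond_to?(:tempfile) && value.respond_to?(:original_filename) ? value : nil
end

# Constructed sample inputs: what a form field could carry versus a real upload.
SAMPLE_URL_STRING = 'http://internal-service.example/status'
SAMPLE_URI        = URI.parse('http://internal-service.example/status')
SAMPLE_STRINGIO   = StringIO.new("\x89PNG constructed bytes")

def demo
  before = build_paperclip4_registry
  after  = disable_remote_adapters(build_paperclip4_registry)
  {
    url_string_before: adapter_name_for(before, SAMPLE_URL_STRING), # "HttpUrlProxyAdapter"
    url_string_after:  adapter_name_for(after,  SAMPLE_URL_STRING), # :rejected
    uri_before:        adapter_name_for(before, SAMPLE_URI),        # "UriAdapter"
    uri_after:         adapter_name_for(after,  SAMPLE_URI),        # :rejected
    stringio_after:    adapter_name_for(after,  SAMPLE_STRINGIO),   # "StringioAdapter"
    raw_string_param:  attachment_value_from_params(SAMPLE_URL_STRING) # nil
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point the thread makes is that both layers matter: unregistering the adapters removes the fetch path globally, while refusing to pass anything but upload objects to the attachment (as Pageflow does) protects even when a library default changes again.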

@Eusebius1920
Author

Thank you for elaborating!

@tf
Member

tf commented Dec 4, 2018

You are welcome. Let me know if any further questions come up that I can help with.

@tf tf closed this as completed Dec 4, 2018