No uri adapters #2435
No uri adapters #2435
Conversation
| @@ -50,7 +55,7 @@ def download_content | |||
| end | |||
|
|
|||
| def copy_to_tempfile(src) | |||
| while data = src.read(16*1024) | |||
| while data = src.read(16 * 1024) | |||
There was a problem hiding this comment.
Assignment in condition - you probably meant to use ==.
| @@ -58,6 +59,16 @@ | |||
| end | |||
| end | |||
|
|
|||
| Given /^I comment out lines that contain "([^"]+)" in "([^"]+)"$/ do |contains, glob| | |||
| cd (".") do | |||
There was a problem hiding this comment.
(...) interpreted as grouped expression.
| @@ -58,6 +59,16 @@ | |||
| end | |||
| end | |||
|
|
|||
| Given /^I comment out lines that contain "([^"]+)" in "([^"]+)"$/ do |contains, glob| | |||
There was a problem hiding this comment.
Ambiguous regexp literal. Parenthesize the method arguments if it's surely a regexp literal, or add a whitespace to the right of the / if it should be a division.
| @@ -50,7 +55,7 @@ def download_content | |||
| end | |||
|
|
|||
| def copy_to_tempfile(src) | |||
| while data = src.read(16*1024) | |||
| while data = src.read(16 * 1024) | |||
There was a problem hiding this comment.
Assignment in condition - you probably meant to use ==.
| @@ -58,6 +59,16 @@ | |||
| end | |||
| end | |||
|
|
|||
| Given /^I comment out lines that contain "([^"]+)" in "([^"]+)"$/ do |contains, glob| | |||
| cd (".") do | |||
There was a problem hiding this comment.
(...) interpreted as grouped expression.
There was a problem hiding this comment.
It might be clearer to write this with no space between cd and (".").
| @@ -58,6 +59,16 @@ | |||
| end | |||
| end | |||
|
|
|||
| Given /^I comment out lines that contain "([^"]+)" in "([^"]+)"$/ do |contains, glob| | |||
There was a problem hiding this comment.
Ambiguous regexp literal. Parenthesize the method arguments if it's surely a regexp literal, or add a whitespace to the right of the / if it should be a division.
There was a problem hiding this comment.
Yeah totally -- I like the direction you took this. In the least I'm glad to have an .unregister method, but the explicit .register method is nice, too.
Also quite happy to have some of the adapters not be the default.
LGTM, but we need to get some docs on this in a future commit.
| @@ -7,5 +7,6 @@ | |||
| World(RSpec::Matchers) | |||
|
|
|||
| Before do | |||
| aruba.config.command_launcher = ENV.fetch("DEBUG", nil) ? :debug : :spawn | |||
| @@ -1,5 +1,10 @@ | |||
| module Paperclip | |||
| class DataUriAdapter < StringioAdapter | |||
| def self.register | |||
| Paperclip.io_adapters.register self do |target| | |||
| String === target && target =~ Paperclip::DataUriAdapter::REGEXP | |||
There was a problem hiding this comment.
Could this be REGEXP, without the class qualifiers, since it's in this class?
| @@ -1,15 +1,15 @@ | |||
| module Paperclip | |||
| class HttpUrlProxyAdapter < UriAdapter | |||
| def self.register | |||
| Paperclip.io_adapters.register self do |target| | |||
| String === target && target =~ Paperclip::HttpUrlProxyAdapter::REGEXP | |||
| @@ -58,6 +59,16 @@ | |||
| end | |||
| end | |||
|
|
|||
| Given /^I comment out lines that contain "([^"]+)" in "([^"]+)"$/ do |contains, glob| | |||
| cd (".") do | |||
There was a problem hiding this comment.
It might be clearer to write this with no space between cd and (".").
README.md
Outdated
| IO Adapters | ||
| ----------- | ||
|
|
||
| When a file is uploaded or attached, it an be in one of a few different input |
There was a problem hiding this comment.
What's documentation without some typos?
README.md
Outdated
| adding a line similar to the following into `config/initializers/paperclip.rb`: | ||
|
|
||
| ```ruby | ||
| Paperclip::DataUriAdapter.regsiter |
|
This issue has been assigned CVE-2017-0889. |
|
Any idea when this fix will be released? By making the CVE public you are making this high risk issue public without an available fix for users. |
mike-burns
force-pushed
the
jy-no-uri-adapters
branch
from
dde37e7
to
7b9bac8
Compare
| matches = @content.meta["content-disposition"]. | ||
| match(/filename="([^"]*)"/) | ||
| if @content.meta.key?("content-disposition") | ||
| matches = @content.meta["content-disposition"].match(/filename="([^"]*)"/) |
| @@ -12,6 +12,10 @@ def register(handler_class, &block) | |||
| @registered_handlers << [block, handler_class] | |||
| end | |||
|
|
|||
| def unregister(handler_class) | |||
| @registered_handlers.reject! {|_, klass| klass == handler_class } | |||
| @@ -49,6 +50,16 @@ | |||
| end | |||
| end | |||
|
|
|||
| Given /^I comment out lines that contain "([^"]+)" in "([^"]+)"$/ do |contains, glob| | |||
| @@ -22,6 +22,7 @@ | |||
| gem "rubysl", :platform => :rbx | |||
| """ | |||
| And I remove turbolinks | |||
| And I comment out lines that contain "action_mailer" in "config/environments/*.rb" | |||
Remove the URI adapters. Few people use them by default and they can allow insight into the internal networks of the server. If you want to enable them, add (for example) `Paperclip.DataUriAdapter.register` to your `config/initializers/paperclip.rb` file. This is related to CVE-2017-0889. Elsewhere fix CI: it's `s3.us-west-2` now, with a dot.
mike-burns
force-pushed
the
jy-no-uri-adapters
branch
from
b2e5eee
to
80847b4
Compare
|
This breaks API compatibility. Should have been a major bump. |
|
@juanibiapina What exactly does it break? (Can be helpful for other people to determine if they can upgrade or not) |
|
Now you have to manually enable the handlers, which means you need to make a code change for your application to continue working, otherwise you get That means if you correctly configured bundler to automatically upgrade minor versions, your tests will (hopefully) blow up. |
|
Like @juanibiapina said, we lost few hours to understand why ours tests failed after upgrading... |
|
|
||
| * `Paperclip::UriAdapter` - which accepts a `URI` instance. | ||
| * `Paperclip::HttpUrlProxyAdapter` - which accepts a `http` string. | ||
| * `Paperclip::DataUriAdapter` - which accepts a Base64-encoded `data:` string. |
There was a problem hiding this comment.
What is the risk with DataUriAdapter? How can we use it safely?
Remove the URI adapters. Few people use them by default and they can allow insight into the internal networks of the server. If you want to enable them, add (for example)
Paperclip.DataUriAdapter.registerto yourconfig/initializers/paperclip.rbfile.Additional note: this needs to be documented, but comments welcome as to where and how.