No uri adapters#2435
Conversation
|
|
||
| def copy_to_tempfile(src) | ||
| while data = src.read(16*1024) | ||
| while data = src.read(16 * 1024) |
There was a problem hiding this comment.
Assignment in condition - you probably meant to use ==.
| end | ||
|
|
||
| Given /^I comment out lines that contain "([^"]+)" in "([^"]+)"$/ do |contains, glob| | ||
| cd (".") do |
There was a problem hiding this comment.
(...) interpreted as grouped expression.
| end | ||
| end | ||
|
|
||
| Given /^I comment out lines that contain "([^"]+)" in "([^"]+)"$/ do |contains, glob| |
There was a problem hiding this comment.
Ambiguous regexp literal. Parenthesize the method arguments if it's surely a regexp literal, or add a whitespace to the right of the / if it should be a division.
|
|
||
| def copy_to_tempfile(src) | ||
| while data = src.read(16*1024) | ||
| while data = src.read(16 * 1024) |
There was a problem hiding this comment.
Assignment in condition - you probably meant to use ==.
| end | ||
|
|
||
| Given /^I comment out lines that contain "([^"]+)" in "([^"]+)"$/ do |contains, glob| | ||
| cd (".") do |
There was a problem hiding this comment.
(...) interpreted as grouped expression.
There was a problem hiding this comment.
It might be clearer to write this with no space between cd and (".").
| end | ||
| end | ||
|
|
||
| Given /^I comment out lines that contain "([^"]+)" in "([^"]+)"$/ do |contains, glob| |
There was a problem hiding this comment.
Ambiguous regexp literal. Parenthesize the method arguments if it's surely a regexp literal, or add a whitespace to the right of the / if it should be a division.
mike-burns
left a comment
mike-burns
left a comment
There was a problem hiding this comment.
Yeah totally -- I like the direction you took this. In the least I'm glad to have an .unregister method, but the explicit .register method is nice, too.
Also quite happy to have some of the adapters not be the default.
LGTM, but we need to get some docs on this in a future commit.
| World(RSpec::Matchers) | ||
|
|
||
| Before do | ||
| aruba.config.command_launcher = ENV.fetch("DEBUG", nil) ? :debug : :spawn |
gabebw
left a comment
gabebw
left a comment
There was a problem hiding this comment.
Some small code comments; I don't know enough to offer overarching feedback.
| class DataUriAdapter < StringioAdapter | ||
| def self.register | ||
| Paperclip.io_adapters.register self do |target| | ||
| String === target && target =~ Paperclip::DataUriAdapter::REGEXP |
There was a problem hiding this comment.
Could this be REGEXP, without the class qualifiers, since it's in this class?
| class HttpUrlProxyAdapter < UriAdapter | ||
| def self.register | ||
| Paperclip.io_adapters.register self do |target| | ||
| String === target && target =~ Paperclip::HttpUrlProxyAdapter::REGEXP |
| end | ||
|
|
||
| Given /^I comment out lines that contain "([^"]+)" in "([^"]+)"$/ do |contains, glob| | ||
| cd (".") do |
There was a problem hiding this comment.
It might be clearer to write this with no space between cd and (".").
| IO Adapters | ||
| ----------- | ||
|
|
||
| When a file is uploaded or attached, it an be in one of a few different input |
There was a problem hiding this comment.
What's documentation without some typos?
| adding a line similar to the following into `config/initializers/paperclip.rb`: | ||
|
|
||
| ```ruby | ||
| Paperclip::DataUriAdapter.regsiter |
|
This issue has been assigned CVE-2017-0889. |
|
Any idea when this fix will be released? By making the CVE public you are making this high risk issue public without an available fix for users. |
mike-burns
force-pushed
the
jy-no-uri-adapters
branch
from
dde37e7 to
7b9bac8
Compare
| matches = @content.meta["content-disposition"]. | ||
| match(/filename="([^"]*)"/) | ||
| if @content.meta.key?("content-disposition") | ||
| matches = @content.meta["content-disposition"].match(/filename="([^"]*)"/) |
| end | ||
|
|
||
| def unregister(handler_class) | ||
| @registered_handlers.reject! {|_, klass| klass == handler_class } |
| end | ||
| end | ||
|
|
||
| Given /^I comment out lines that contain "([^"]+)" in "([^"]+)"$/ do |contains, glob| |
| gem "rubysl", :platform => :rbx | ||
| """ | ||
| And I remove turbolinks | ||
| And I comment out lines that contain "action_mailer" in "config/environments/*.rb" |
Remove the URI adapters. Few people use them by default and they can allow insight into the internal networks of the server. If you want to enable them, add (for example) `Paperclip.DataUriAdapter.register` to your `config/initializers/paperclip.rb` file. This is related to CVE-2017-0889. Elsewhere fix CI: it's `s3.us-west-2` now, with a dot.
mike-burns
force-pushed
the
jy-no-uri-adapters
branch
from
b2e5eee to
80847b4
Compare
|
This breaks API compatibility. Should have been a major bump. |
|
@juanibiapina What exactly does it break? (Can be helpful for other people to determine if they can upgrade or not) |
|
Now you have to manually enable the handlers, which means you need to make a code change for your application to continue working, otherwise you get That means if you correctly configured bundler to automatically upgrade minor versions, your tests will (hopefully) blow up. |
|
Like @juanibiapina said, we lost few hours to understand why ours tests failed after upgrading... |
|
|
||
| * `Paperclip::UriAdapter` - which accepts a `URI` instance. | ||
| * `Paperclip::HttpUrlProxyAdapter` - which accepts a `http` string. | ||
| * `Paperclip::DataUriAdapter` - which accepts a Base64-encoded `data:` string. |
There was a problem hiding this comment.
What is the risk with DataUriAdapter? How can we use it safely?
10 participants
Remove the URI adapters. Few people use them by default and they can allow insight into the internal networks of the server. If you want to enable them, add (for example)
Paperclip.DataUriAdapter.registerto yourconfig/initializers/paperclip.rbfile.Additional note: this needs to be documented, but comments welcome as to where and how.