Don't spoof-check files with no extensions

There's nothing they can be spoofing, and there's little danger of a webserver accidentally sending a dangerous Content-Type with a file that has no extension. If the browser chooses to interpret it in a dangerous manner, no server-side library on earth can change that. This isn't specifically related to RSpec, but is built off the branch and is part of an effort to get the CI build green.

Don't spoof-check files with no extensions
There's nothing they can be spoofing, and there's little danger of a webserver accidentally sending a dangerous Content-Type with a file that has no extension. If the browser chooses to interpret it in a dangerous manner, no server-side library on earth can change that. This isn't specifically related to RSpec, but is built off the branch and is part of an effort to get the CI build green.
263a4981 · Jon Yurek · 743e2e00 · 263a4981 · 263a4981 · 263a4981
Commit 263a4981 authored Mar 11, 2014 by Jon Yurek
10 changed files
--- a/lib/paperclip/interpolations.rb
+++ b/lib/paperclip/interpolations.rb
@@ -101,6 +101,14 @@ module Paperclip
        File.extname(attachment.original_filename).gsub(/\A\.+/, "")
    end
+    # Returns the dot+extension of the file. e.g. ".jpg" for "file.jpg"
+    # If the style has a format defined, it will return the format instead
+    # of the actual extension. If the extension is empty, no dot is added.
+    def dotextension attachment, style_name
+      ext = extension(attachment, style_name)
+      ext.empty? ? "" : ".#{ext}"
+    end
    # Returns an extension based on the content type. e.g. "jpeg" for
    # "image/jpeg". If the style has a specified format, it will override the
    # content-type detection.

--- a/lib/paperclip/io_adapters/stringio_adapter.rb
+++ b/lib/paperclip/io_adapters/stringio_adapter.rb
@@ -13,7 +13,7 @@ module Paperclip
    def cache_current_values
      @content_type = ContentTypeDetector.new(@tempfile.path).detect
      original_filename = @target.original_filename if @target.respond_to?(:original_filename)
-      original_filename ||= "data.#{extension_for(@content_type)}"
+      original_filename ||= "data"
      self.original_filename = original_filename.strip
      @size = @target.size
    end
@@ -26,11 +26,6 @@ module Paperclip
      destination
    end
-    def extension_for(content_type)
-      type = MIME::Types[content_type].first
-      type && type.extensions.first
-    end
  end
 end

--- a/lib/paperclip/media_type_spoof_detector.rb
+++ b/lib/paperclip/media_type_spoof_detector.rb
@@ -10,7 +10,7 @@ module Paperclip
    end
    def spoofed?
-      if @name.present? && media_type_mismatch? && mapping_override_mismatch?
+      if has_name? && has_extension? && media_type_mismatch? && mapping_override_mismatch?
        Paperclip.log("Content Type Spoof: Filename #{File.basename(@name)} (#{supplied_file_content_types}), content type discovered from file command: #{calculated_content_type}. See documentation to allow this combination.")
        true
      end
@@ -18,6 +18,14 @@ module Paperclip
    private
+    def has_name?
+      @name.present?
+    end
+    def has_extension?
+      File.extname(@name).present?
+    end
    def media_type_mismatch?
      ! supplied_file_media_types.include?(calculated_media_type)
    end

--- a/spec/paperclip/attachment_spec.rb
+++ b/spec/paperclip/attachment_spec.rb
@@ -337,7 +337,11 @@ describe Paperclip::Attachment do
  context "An attachment with :hash interpolations" do
    before do
-      @file = StringIO.new("...\n")
+      @file = File.open(fixture_file("5k.png"))
+    end
+    after do
+      @file.close
    end
    it "raises if no secret is provided" do
@@ -360,15 +364,15 @@ describe Paperclip::Attachment do
      end
      it "results in the correct interpolation" do
-        assert_equal "dummies/avatars/original/data.txt",
+        assert_equal "dummies/avatars/original/5k.png",
          @attachment.send(:interpolate, @attachment.options[:hash_data])
-        assert_equal "dummies/avatars/thumb/data.txt",
+        assert_equal "dummies/avatars/thumb/5k.png",
          @attachment.send(:interpolate, @attachment.options[:hash_data], :thumb)
      end
      it "results in a correct hash" do
-        assert_equal "e1079a5c34ddbd197ebd0280d07952d98a57fb30", @attachment.path
+        assert_equal "0a59e9142bba11576de1d353d8747b1acad5ad34", @attachment.path
-        assert_equal "d740189bd3e49ef226fab84c8d45f7ae4126d043", @attachment.path(:thumb)
+        assert_equal "b39a062c1e62e85a6c785ed00cf3bebf5f850e2b", @attachment.path(:thumb)
      end
    end
  end

--- a/spec/paperclip/interpolations_spec.rb
+++ b/spec/paperclip/interpolations_spec.rb
@@ -71,6 +71,20 @@ describe Paperclip::Interpolations do
    assert_equal "jpe", interpolations.content_type_extension(attachment, :style)
  end
+  it "returns the extension of the file with a dot" do
+    attachment = mock
+    attachment.expects(:original_filename).returns("one.jpg")
+    attachment.expects(:styles).returns({})
+    assert_equal ".jpg", Paperclip::Interpolations.dotextension(attachment, :style)
+  end
+  it "returns the extension of the file without a dot if the extension is empty" do
+    attachment = mock
+    attachment.expects(:original_filename).returns("one")
+    attachment.expects(:styles).returns({})
+    assert_equal "", Paperclip::Interpolations.dotextension(attachment, :style)
+  end
  it "returns the latter half of the content type of the extension if no match found" do
    attachment = mock
    attachment.expects(:content_type).at_least_once().returns('not/found')

--- a/spec/paperclip/io_adapters/data_uri_adapter_spec.rb
+++ b/spec/paperclip/io_adapters/data_uri_adapter_spec.rb
@@ -18,8 +18,8 @@ describe Paperclip::DataUriAdapter do
      @subject = Paperclip.io_adapters.for(@contents)
    end
-    it "returns a file name based on the content type" do
+    it "returns a nondescript file name" do
-      assert_equal "data.png", @subject.original_filename
+      assert_equal "data", @subject.original_filename
    end
    it "returns a content type" do

--- a/spec/paperclip/io_adapters/stringio_adapter_spec.rb
+++ b/spec/paperclip/io_adapters/stringio_adapter_spec.rb
@@ -9,7 +9,7 @@ describe Paperclip::StringioAdapter do
    end
    it "returns a file name" do
-      assert_equal "data.txt", @subject.original_filename
+      assert_equal "data", @subject.original_filename
    end
    it "returns a content type" do

--- a/spec/paperclip/media_type_spoof_detector_spec.rb
+++ b/spec/paperclip/media_type_spoof_detector_spec.rb
@@ -21,6 +21,11 @@ describe Paperclip::MediaTypeSpoofDetector do
    assert ! Paperclip::MediaTypeSpoofDetector.using(file, "").spoofed?
  end
+  it 'does not reject a file that does have an extension' do
+    file = File.open(fixture_file("empty.html"))
+    assert ! Paperclip::MediaTypeSpoofDetector.using(file, "data").spoofed?
+  end
  it 'does not reject when the supplied file is an IOAdapter' do
    adapter = Paperclip.io_adapters.for(File.new(fixture_file("5k.png")))
    assert ! Paperclip::MediaTypeSpoofDetector.using(adapter, adapter.original_filename).spoofed?

--- a/spec/paperclip/storage/fog_spec.rb
+++ b/spec/paperclip/storage/fog_spec.rb
@@ -130,7 +130,7 @@ describe Paperclip::Storage::Fog do
        fog_credentials: @credentials,
        fog_host: nil,
        fog_file: {cache_control: 1234},
-        path: ":attachment/:basename.:extension",
+        path: ":attachment/:basename:dotextension",
        storage: :fog
      }
@@ -227,7 +227,7 @@ describe Paperclip::Storage::Fog do
        end
        it "provides a public url" do
-          assert @dummy.avatar.url =~ /^http:\/\/example\.com\/avatars\/data\.txt\?\d*$/
+          expect(@dummy.avatar.url).to match(/^http:\/\/example\.com\/avatars\/data\?\d*$/)
        end
      end
@@ -237,7 +237,7 @@ describe Paperclip::Storage::Fog do
            fog_directory: @fog_directory,
            fog_credentials: @credentials,
            fog_host: 'http://img%d.example.com',
-            path: ":attachment/:basename.:extension",
+            path: ":attachment/:basename:dotextension",
            storage: :fog
          )
          @dummy = Dummy.new
@@ -246,7 +246,7 @@ describe Paperclip::Storage::Fog do
        end
        it "provides a public url" do
-          assert @dummy.avatar.url =~ /^http:\/\/img[0123]\.example\.com\/avatars\/data\.txt\?\d*$/
+          expect(@dummy.avatar.url).to match(/^http:\/\/img[0123]\.example\.com\/avatars\/data\?\d*$/)
        end
      end

--- a/spec/paperclip/storage/s3_spec.rb
+++ b/spec/paperclip/storage/s3_spec.rb