Commit 312126a0 by Jon Yurek

v4.0.0

parent c132f6c7
New in 4.0.0:
* Security: Attachments are checked to make sure they're not pulling a fast one.
* Security: It is now *enforced* that every attachment has a file/mime validation.
* Bug Fix: Removed a call to IOAdapter#close that was causing issues.
* Improvement: Added bullets to the 3.5.3 list of changes. Very important.
* Improcement: Updated the copyright to 2014
New in 3.5.3: New in 3.5.3:
* Improvement: After three long, hard years... we know how to upgrade * Improvement: After three long, hard years... we know how to upgrade
......
...@@ -104,6 +104,7 @@ Quick Start ...@@ -104,6 +104,7 @@ Quick Start
class User < ActiveRecord::Base class User < ActiveRecord::Base
attr_accessible :avatar attr_accessible :avatar
has_attached_file :avatar, :styles => { :medium => "300x300>", :thumb => "100x100>" }, :default_url => "/images/:style/missing.png" has_attached_file :avatar, :styles => { :medium => "300x300>", :thumb => "100x100>" }, :default_url => "/images/:style/missing.png"
validates_attachment_content_type :avatar, :content_type => /\Aimage\/.*\Z/
end end
``` ```
...@@ -112,6 +113,7 @@ end ...@@ -112,6 +113,7 @@ end
```ruby ```ruby
class User < ActiveRecord::Base class User < ActiveRecord::Base
has_attached_file :avatar, :styles => { :medium => "300x300>", :thumb => "100x100>" }, :default_url => "/images/:style/missing.png" has_attached_file :avatar, :styles => { :medium => "300x300>", :thumb => "100x100>" }, :default_url => "/images/:style/missing.png"
validates_attachment_content_type :avatar, :content_type => /\Aimage\/.*\Z/
end end
``` ```
...@@ -302,6 +304,38 @@ validates_attachment :avatar, ...@@ -302,6 +304,38 @@ validates_attachment :avatar,
`Paperclip::ContentTypeDetector` will attempt to match a file's extension to an `Paperclip::ContentTypeDetector` will attempt to match a file's extension to an
inferred content_type, regardless of the actual contents of the file. inferred content_type, regardless of the actual contents of the file.
Security Validations
====================
NOTE: Starting at version 4.0.0, all attachments are *required* to include a
content_type validation, a file_name validation, or to explicitly state that
they're not going to have either. *Paperclip will raise an error* if you do not
do this.
```ruby
class ActiveRecord::Base
has_attached_file :avatar
# Validate content type
validates_attachment_content_type :avatar, :content_type => /\Aimage/
# Validate filename
validates_attachment_file_name :avatar, :matches => [/png\Z/, /jpe?g\Z/]
# Explicitly do not validate
do_not_validate_attachment_file_type :avatar
end
```
This keeps Paperclip secure-by-default, and will prevent people trying to mess
with your filesystem.
NOTE: Also starting at version 4.0.0, Paperclip has another validation that
cannot be turned off. This validation will prevent content type spoofing. That
is, uploading, say, a PHP document as part of the EXIF tags of a well-formed
JPEG. This check is limited to the media type (the first part of the MIME type,
so, 'text' in 'text/plain'). This will prevent HTML documents from being
uploaded as JPEGs, but will not prevent GIFs from being uploaded with a .jpg
extension. This validation will only add validation errors to the form. It will
not cause Errors to be raised.
Defaults Defaults
-------- --------
Global defaults for all your paperclip attachments can be defined by changing the Paperclip::Attachment.default_options Hash, this can be useful for setting your default storage settings per example so you won't have to define them in every has_attached_file definition. Global defaults for all your paperclip attachments can be defined by changing the Paperclip::Attachment.default_options Hash, this can be useful for setting your default storage settings per example so you won't have to define them in every has_attached_file definition.
......
module Paperclip module Paperclip
VERSION = "3.5.3" unless defined? Paperclip::VERSION VERSION = "4.0.0" unless defined? Paperclip::VERSION
end end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment