Added a link to Egor in the README

7084ddc6 · Jon Yurek · 312126a0 · 7084ddc6
Commit 7084ddc6 authored Feb 05, 2014 by Jon Yurek
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 6 deletions

README.md
+10 -6

No files found.
--- a/README.md
+++ b/README.md
@@ -307,6 +307,10 @@ inferred content_type, regardless of the actual contents of the file.
 Security Validations
 ====================
+Thanks to a report from [Egor Homakov](http://homakov.blogspot.com/) we have
+taken steps to prevent people from spoofing Content-Types and getting data
+you weren't expecting onto your server.
 NOTE: Starting at version 4.0.0, all attachments are *required* to include a
 content_type validation, a file_name validation, or to explicitly state that
 they're not going to have either. *Paperclip will raise an error* if you do not
@@ -329,12 +333,12 @@ with your filesystem.
 NOTE: Also starting at version 4.0.0, Paperclip has another validation that
 cannot be turned off. This validation will prevent content type spoofing. That
-is, uploading, say, a PHP document as part of the EXIF tags of a well-formed
+is, uploading a PHP document (for example) as part of the EXIF tags of a
-JPEG. This check is limited to the media type (the first part of the MIME type,
+well-formed JPEG. This check is limited to the media type (the first part of the
-so, 'text' in 'text/plain'). This will prevent HTML documents from being
+MIME type, so, 'text' in 'text/plain'). This will prevent HTML documents from
-uploaded as JPEGs, but will not prevent GIFs from being uploaded with a .jpg
+being uploaded as JPEGs, but will not prevent GIFs from being uploaded with a
-extension. This validation will only add validation errors to the form. It will
+.jpg extension. This validation will only add validation errors to the form. It
-not cause Errors to be raised.
+will not cause Errors to be raised.
 Defaults
 --------