Adds a 'validate_media_type' option, default: true

Many people have complained that the Media Type Spoof Detection does not work properly for their files. While whitelisting is available for some files, it's not a general solution. This option leaves the "secure by default" of the media checker in place, but allows people to turn it off completely if they so choose.

Adds a 'validate_media_type' option, default: true
Many people have complained that the Media Type Spoof Detection does not work properly for their files. While whitelisting is available for some files, it's not a general solution. This option leaves the "secure by default" of the media checker in place, but allows people to turn it off completely if they so choose.
981fb513 · Jon Yurek and Nathan Walls · Jon Yurek · 3ec2599d · 981fb513 · 981fb513
Commit 981fb513 authored Oct 24, 2014 by Jon Yurek and Nathan Walls Committed by Jon Yurek Oct 24, 2014
5 changed files
--- a/lib/paperclip/attachment.rb
+++ b/lib/paperclip/attachment.rb
@@ -31,6 +31,7 @@ module Paperclip
        :use_default_time_zone => true,
        :use_timestamp         => true,
        :whiny                 => Paperclip.options[:whiny] || Paperclip.options[:whiny_thumbnails],
+        :media_check           => true,
        :check_validity_before_processing => true
      }
    end

--- a/lib/paperclip/has_attached_file.rb
+++ b/lib/paperclip/has_attached_file.rb
@@ -79,10 +79,12 @@ module Paperclip
    end
    def add_required_validations
+      if @options[:validate_media_type] != false
        name = @name
        @klass.validates_media_type_spoof_detection name,
          :if => ->(instance){ instance.send(name).dirty? }
      end
+    end
    def add_active_record_callbacks
      name = @name

--- a/spec/paperclip/has_attached_file_spec.rb
+++ b/spec/paperclip/has_attached_file_spec.rb
@@ -41,6 +41,14 @@ describe Paperclip::HasAttachedFile do
    it 'defines the Paperclip-specific callbacks' do
      assert_adding_attachment('avatar').defines_callback('define_paperclip_callbacks')
    end
+    it 'does not define a media_type check if told not to' do
+      assert_adding_attachment('avatar').does_not_set_up_media_type_check_validation
+    end
+    it 'does define a media_type check if told to' do
+      assert_adding_attachment('avatar').sets_up_media_type_check_validation
+    end
  end
  private
@@ -99,6 +107,22 @@ describe Paperclip::HasAttachedFile do
      expect(a_class).to have_received(callback_name.to_sym)
    end
+    def does_not_set_up_media_type_check_validation
+      a_class = stub_class
+      Paperclip::HasAttachedFile.define_on(a_class, @attachment_name, { validate_media_type: false })
+      expect(a_class).to have_received(:validates_media_type_spoof_detection).never
+    end
+    def sets_up_media_type_check_validation
+      a_class = stub_class
+      Paperclip::HasAttachedFile.define_on(a_class, @attachment_name, { validate_media_type: true })
+      expect(a_class).to have_received(:validates_media_type_spoof_detection)
+    end
    private
    def stub_class

--- a/spec/paperclip/meta_class_spec.rb
+++ b/spec/paperclip/meta_class_spec.rb
@@ -4,7 +4,7 @@ describe 'Metaclasses' do
  context "A meta-class of dummy" do
    if active_support_version >= "4.1" || ruby_version < "2.1"
      before do
-        rebuild_model("Dummy")
+        rebuild_model
        reset_class("Dummy")
      end

--- a/spec/paperclip/validators/media_type_spoof_detection_validator_spec.rb
+++ b/spec/paperclip/validators/media_type_spoof_detection_validator_spec.rb
@@ -16,6 +16,11 @@ describe Paperclip::Validators::MediaTypeSpoofDetectionValidator do
    assert Dummy.validators_on(:avatar).any?{ |validator| validator.kind == :media_type_spoof_detection }
  end
+  it "is not on the attachment when explicitly rejected" do
+    rebuild_model validate_media_type: false
+    assert Dummy.validators_on(:avatar).none?{ |validator| validator.kind == :media_type_spoof_detection }
+  end
  it "returns default error message for spoofed media type" do
    build_validator
    file = File.new(fixture_file("5k.png"), "rb")