Commit a2f46a82 by Bart de Water

Add changelog entry for 5c96b4c and a test for desired logging behaviour to prevent regressions.

Excessive logging can fill up disk space and become a denial of service attack, see https://cwe.mitre.org/data/definitions/779.html
parent 2c59f96f
...@@ -12,6 +12,7 @@ master: ...@@ -12,6 +12,7 @@ master:
5.0.0.beta1 (2015-03-13): 5.0.0.beta1 (2015-03-13):
* Bug Fix: megabytes of mime-types info in logs when a spoofed media type is detected.
* Drop support to end-of-life'd ruby 2.0. * Drop support to end-of-life'd ruby 2.0.
* Drop support for end-of-life'd Rails 3.2 and 4.1 * Drop support for end-of-life'd Rails 3.2 and 4.1
* Drop support for AWS v1 * Drop support for AWS v1
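Review bot: the new "Bug Fix" entry describes the symptom but gives the reader no way to trace the fix; the commit message names the fixing commit 5c96b4c and the CWE-779 reference, so the entry would be more useful as something like "* Bug Fix: megabytes of mime-types info in logs when a spoofed media type is detected (5c96b4c, CWE-779)." It also sits above the "Drop support ..." lines under 5.0.0.beta1 (2015-03-13); confirm that is the release the fix actually ships in rather than the unreleased master section above.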
...@@ -44,9 +44,18 @@ describe Paperclip::MediaTypeSpoofDetector do ...@@ -44,9 +44,18 @@ describe Paperclip::MediaTypeSpoofDetector do
end end
end end
it "rejects a file if named .html and is as HTML, but we're told JPG" do context "file named .html and is as HTML, but we're told JPG" do
file = File.open(fixture_file("empty.html")) let(:file) { File.open(fixture_file("empty.html")) }
assert Paperclip::MediaTypeSpoofDetector.using(file, "empty.html", "image/jpg").spoofed? let(:spoofed?) { Paperclip::MediaTypeSpoofDetector.using(file, "empty.html", "image/jpg").spoofed? }
it "rejects the file" do
assert spoofed?
end
it "logs info about the detected spoof" do
Paperclip.expects(:log).with('Content Type Spoof: Filename empty.html (image/jpg from Headers, ["text/html"] from Extension), content type discovered from file command: text/html. See documentation to allow this combination.')
spoofed?
end
end end
it "does not reject if content_type is empty but otherwise checks out" do it "does not reject if content_type is empty but otherwise checks out" do
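Review bot: the regression guard in "logs info about the detected spoof" is an exact-string `Paperclip.expects(:log).with('Content Type Spoof: Filename empty.html ...')`, so any later rewording of the message breaks the test even though the property being protected is that the log line stays small and no longer dumps the mime-types table. A looser matcher that still excludes the dump, such as `Paperclip.expects(:log).with(regexp_matches(/\AContent Type Spoof: Filename empty\.html .*See documentation to allow this combination\.\z/))`, keeps the guard while tolerating wording changes; an alternative is to capture the argument and assert on its length. Minor: `let(:file) { File.open(fixture_file("empty.html")) }` opens a handle that is never closed in either example; `File.new` with an `after { file.close }` or a block form would avoid leaking descriptors across the suite.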