Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade carrierwave to mitigate CVE-2016-3714 #2577

Closed
alexmuller opened this issue May 4, 2016 · 3 comments
Closed

Upgrade carrierwave to mitigate CVE-2016-3714 #2577

alexmuller opened this issue May 4, 2016 · 3 comments

Comments

@alexmuller
Copy link
Contributor

alexmuller commented May 4, 2016
edited by boffbowsh
Loading

carrierwaveuploader/carrierwave#1933 indicates that there's a vulnerability in the way we handle uploads. When a fix is available we need to upgrade carrierwave.
@boffbowsh
Copy link
Contributor

What's different about this that's not mitigated by setting a policy.xml for imagemagick?

@alexmuller
Copy link
Contributor Author

The policy.xml will restrict what ImageMagick is able to do but there's an underlying problem in that we were able to get the exploit through whitehall by simply changing the file extension from mvg to jpg. I think that's what the linked issue is referring to - carrierwave should be more robust when checking what kind of file is being uploaded, and we should blacklist things that don't match image formats we accept.

@floehopper floehopper mentioned this issue Jul 12, 2017
Open
@floehopper floehopper mentioned this issue Sep 26, 2017
Merged
@floehopper
Copy link
Contributor

This might've been fixed in #3273.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@floehopper @boffbowsh @alexmuller @rubenarakelyan