Update dependency on mimemagic to allow non-GPL usage of Carrierwave
#2548
Comments
|
@rofreg Same issue when building a docker file |
|
We're running into this same problem (just like everyone) |
|
Temporary solution, bump mimemagic to 0.3.6 by |
|
Wise move, @rofreg ! I tried to fork your gem and put that on my gem 'carrierwave', git: 'https://github.com/splitwise/carrierwave'And, after that, I ran the The result is the same error 😢 Your bundle is locked to mimemagic (0.3.4), but that version could not be found in any of the sources listed in your Gemfile. If you haven't changed
sources, that means the author of mimemagic (0.3.4) has removed it. You'll need to update your bundle to a version other than mimemagic (0.3.4) that
hasn't been removed in order to install.Do you know what is happening? Thanks! |
This works. Thank you! Actually it is 0.4 now so should define 0.3.6 in Gemfile. 0.4 doesn't work with current version carrierwave |
|
@Victorcorcos : it looks like you have another gem depending on mimemagic, check the Gemfile.lock; also might be wise to add a "ref" (the commit id) option to your gemfile entry for carrierwave when using a git repository as source. That way you make sure you only get the changes you need. @ducthien1490 , @duy-chk : yes 0.3.6 will "unblock" the bundle install but that means introducing a library under the GPL license, this might not be what you want. Check the description of this issue for details and related threads. @rofreg thanks for the quick solution, it works and avoids the licensing issue. |
Thank you for the fork @rofreg . What are the alternatives to mitigate ImageTragick? From reading the CVE the vulnerability sounds very serious, as it enables RCE via a user file upload. |
|
@triskweline : we probably have to look at alternative libraries to replace mimemagic, rails/marcel is currently being updated with an alternative : rails/marcel#26 , this might be worth looking into to get an ImageTragick mitigation back in. |
|
I found this article about workarounds to mitigate ImageTragick. It contains Ruby code to check file contents before handing it over to ImageMagick. I'm not sure how to integrate it into an ActiveRecord model so it runs before CarrierWave sees a file. |
|
the mimemagic gem was back to MIT but greatly changed. |
|
Rails core team is actively working on this rails/rails#41750 rails/rails#41757 so presumably a carrierwave update could follow that leverages the same alternate lib/install methods? 🙏 |
|
TEMP SOLUTION.
|
|
When will you guys release a new version of CarrierWave that uses the new version of Marcel and removes mimemagic? |
The gem
mimemagicwas previously licensed under MIT, but all existing versions were yanked this morning and replaced with new versions licensed under GPL in order to resolve a licensing issue (mimemagicrb/mimemagic#97). The Rails community is currently working to update or replace this dependency, so that Rails apps are not required to be licensed under the GPL by default (rails/rails#41750).This issue also affects Carrierwave, because Carrierwave depends on
mimemagicfor themime_magic_content_typemethod. While the Carrierwave dependency does support the new GPL-licensed versions ofmimemagic(because the dependency is not locked to a specific version), it probably makes sense to explore alternatives, as the Rails community is currently doing.—
UPDATE: We have created a fork (https://github.com/splitwise/carrierwave) that simply removes
mimemagicfrom Carrierwave.mimemagicwas used to add Carrierwave-level mitigation for CVE-2016-3714 ("ImageTragick") in 2.0.0.rc, but ImageTragick can be mitigated in other ways as well, so some applications may not need this level of protection. Removingmimemagicalso lowers the accuracy of mime type detection, relying solely on filenames to detect file type. I'm unsure whether this is the direction that maintainers would actually like to go in, but the fork may be an appropriate short-term fix for some use cases.The text was updated successfully, but these errors were encountered: