- Added image transformation validation via configurable allow-list. Variant now offers a configurable allow-list for transformation methods in addition to a configurable deny-list for arguments. [CVE-2022-21831]
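The control described in this entry, as an added illustration that is not Active Storage's own code: transformation method names are checked against an allow-list first (the primary control, since anything not listed is rejected outright), and arguments are then checked against a deny-list as a second layer. The constant names, the sample allowed methods, the constructed denied tokens and the `ForbiddenTransformation` class are assumptions chosen for this demo, not Rails configuration keys.

```ruby
# Illustrative allow-list / deny-list validation for image transformations.
# Added example; not the Active Storage implementation. Names and lists below
# are assumptions for the demo (constructed sample data), not Rails settings.
ALLOWED_METHODS = %w[resize resize_to_limit resize_to_fill rotate crop strip saver].freeze
DENIED_ARGUMENTS = %w[-write -debug].freeze # constructed sample of disallowed argument tokens

class ForbiddenTransformation < StandardError; end

# Walks nested argument structures (scalars, arrays, hashes) and yields every
# leaf as a string token so hash keys and values are both inspected.
def each_argument_token(args, &block)
  case args
  when Hash
    args.each do |k, v|
      each_argument_token(k, &block)
      each_argument_token(v, &block)
    end
  when Array
    args.each { |a| each_argument_token(a, &block) }
  else
    yield args.to_s
  end
end

# Validates a hash of transformations {method => argument(s)} before it is
# handed to an image processor. A method missing from the allow-list is
# rejected; so is any argument token present on the deny-list.
def validate_transformations(transformations, allowed: ALLOWED_METHODS, denied: DENIED_ARGUMENTS)
  transformations.each do |method, args|
    name = method.to_s
    raise ForbiddenTransformation, "method not allowed: #{name}" unless allowed.include?(name)

    each_argument_token(args) do |token|
      raise ForbiddenTransformation, "argument not allowed: #{token}" if denied.include?(token)
    end
  end
  transformations
end

# Boolean convenience wrapper for callers that only need a yes/no answer.
def transformations_allowed?(transformations, **opts)
  validate_transformations(transformations, **opts)
  true
rescue ForbiddenTransformation
  false
end

if __FILE__ == $PROGRAM_NAME
  puts transformations_allowed?({ resize_to_limit: [100, 100], rotate: 90 }) # true
  puts transformations_allowed?({ system: "anything" })                       # false: method not allow-listed
  puts transformations_allowed?({ resize: ["100x100", "-write"] })             # false: argument deny-listed
end
```

Because the method check is an allow-list, an unknown method such as `system` is refused without the deny-list ever being consulted; the deny-list only narrows what the already-allowed methods may receive, which is why it is the secondary control rather than the only one.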
- No changes.
- No changes.
- No changes.
- Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed MIME types data.

  *George Claghorn*

- The Poppler PDF previewer renders a preview image using the original document's crop box rather than its media box, hiding print margins. This matches the behavior of the MuPDF previewer.

  *Vincent Robert*
- No changes.
- No changes.
- No changes.
- [CVE-2020-8162] Include Content-Length in signature for ActiveStorage direct upload
- No changes.
- No changes.
- No changes.
- No changes.
- No changes.
- Support multiple submit buttons in Active Storage forms.

  *Chris Seelus*

- Fix `ArgumentError` when uploading to Amazon S3.

  *Hiroki Sanpei*

- Add a foreign-key constraint to the `active_storage_attachments` table for blobs.

  *George Claghorn*

- Discard `ActiveStorage::PurgeJob`s for missing blobs.

  *George Claghorn*

- Fix uploading Tempfiles to Azure Storage.

  *George Claghorn*

- Prevent content type and disposition bypass in storage service URLs. Fix CVE-2018-16477.

  *Rosa Gutierrez*

- Fix direct upload with zero-byte files.

  *George Claghorn*

- Exclude JSON root from `active_storage/direct_uploads#create` response.

  *Javan Makhmali*

- Allow full use of the AWS S3 SDK options for authentication. If an explicit AWS key pair and/or region is not provided in `storage.yml`, attempt to use environment variables, shared credentials, or IAM (instance or task) role credentials. Order of precedence is determined by the AWS SDK.

  *Brian Knight*

- Remove the `path` config option from the Azure service.

  The Active Storage service for Azure Storage has an option called `path` that is ambiguous in meaning. It needs to be set to the primary blob storage endpoint, but that can be determined from the blobs client anyway. To simplify the configuration, we've removed the `path` option and now get the endpoint from the blobs client instead.

  Closes #32225.

  *Andrew White*

- Generate root-relative paths in disk service URL methods. Obviate the disk service's `:host` configuration option.

  *George Claghorn*

- Add source code to published npm package.

  This allows Active Storage users to depend on the JavaScript source code rather than the compiled code, which can produce smaller JavaScript bundles.

  *Richard Macklin*

- Preserve display aspect ratio when extracting width and height from videos with rectangular samples in `ActiveStorage::Analyzer::VideoAnalyzer`.

  When a video contains a display aspect ratio, emit it in metadata as `:display_aspect_ratio` rather than the ambiguous `:aspect_ratio`. Compute its height by scaling its encoded frame width according to the DAR.

  *George Claghorn*

- Use `after_destroy_commit` instead of `before_destroy` for purging attachments when a record is destroyed.

  *Hiroki Zenigami*

- Force `:attachment` disposition for specific, configurable content types. This mitigates possible security issues such as XSS or phishing when serving them inline. A list of such content types is included by default, and can be configured via `content_types_to_serve_as_binary`.

  *Rosa Gutierrez*

- Fix the gem adding the migrations files to the package.

  *Yuji Yaginuma*

- Added to Rails.

  *DHH*