
v4.0.0

Jon Yurek committed Jan 31, 2014
1 parent c132f6c commit 312126a0a6825dcd24d736e68c08c95d74ed9458
Showing with 43 additions and 1 deletion.
  1. +8 −0 NEWS
  2. +34 −0 README.md
  3. +1 −1 lib/paperclip/version.rb
8 NEWS
@@ -1,3 +1,11 @@
New in 4.0.0:

* Security: Attachments are checked to make sure they're not pulling a fast one.
* Security: It is now *enforced* that every attachment has a file/mime validation.
* Bug Fix: Removed a call to IOAdapter#close that was causing issues.
* Improvement: Added bullets to the 3.5.3 list of changes. Very important.
* Improcement: Updated the copyright to 2014

New in 3.5.3:

* Improvement: After three long, hard years... we know how to upgrade
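Review bot: Typo in the last bullet of the 4.0.0 list: "Improcement" should be "Improvement". The first security bullet ("pulling a fast one") also does not say what is checked; since the README hunk in this same commit documents a media-type spoofing check that cannot be turned off, name it here so readers of the release notes can judge the impact, e.g. `* Security: A non-disableable check rejects attachments whose media type does not match the file's actual content (content type spoofing).`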
@@ -104,6 +104,7 @@ Quick Start
class User < ActiveRecord::Base
attr_accessible :avatar
has_attached_file :avatar, :styles => { :medium => "300x300>", :thumb => "100x100>" }, :default_url => "/images/:style/missing.png"
validates_attachment_content_type :avatar, :content_type => /\Aimage\/.*\Z/
end
```

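Review bot: The content_type regex added here, `/\Aimage\/.*\Z/`, differs from the `/\Aimage/` used in the new Security Validations section of the same README; pick one form so readers copy a consistent rule. Note also that in Ruby `\Z` still matches before a trailing newline, while `\z` anchors at the true end of the string, so for an allow-list pattern the strict anchor is the safer form to document.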
@@ -112,6 +113,7 @@ end
```ruby
class User < ActiveRecord::Base
has_attached_file :avatar, :styles => { :medium => "300x300>", :thumb => "100x100>" }, :default_url => "/images/:style/missing.png"
validates_attachment_content_type :avatar, :content_type => /\Aimage\/.*\Z/
end
```

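Review bot: Same line as in the first Quick Start example. Because 4.0.0 now raises when an attachment has neither a content_type nor a file_name validation (per the Security Validations section added below in this commit), every remaining `has_attached_file` example in the README needs the same validation or the explicit `do_not_validate_attachment_file_type` opt-out, otherwise users who paste those examples will hit the new error.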
@@ -302,6 +304,38 @@ validates_attachment :avatar,
`Paperclip::ContentTypeDetector` will attempt to match a file's extension to an
inferred content_type, regardless of the actual contents of the file.

Security Validations
====================

NOTE: Starting at version 4.0.0, all attachments are *required* to include a
content_type validation, a file_name validation, or to explicitly state that
they're not going to have either. *Paperclip will raise an error* if you do not
do this.

```ruby
class ActiveRecord::Base
has_attached_file :avatar
# Validate content type
validates_attachment_content_type :avatar, :content_type => /\Aimage/
# Validate filename
validates_attachment_file_name :avatar, :matches => [/png\Z/, /jpe?g\Z/]
# Explicitly do not validate
do_not_validate_attachment_file_type :avatar
end
```

This keeps Paperclip secure-by-default, and will prevent people trying to mess
with your filesystem.

NOTE: Also starting at version 4.0.0, Paperclip has another validation that
cannot be turned off. This validation will prevent content type spoofing. That
is, uploading, say, a PHP document as part of the EXIF tags of a well-formed
JPEG. This check is limited to the media type (the first part of the MIME type,
so, 'text' in 'text/plain'). This will prevent HTML documents from being
uploaded as JPEGs, but will not prevent GIFs from being uploaded with a .jpg
extension. This validation will only add validation errors to the form. It will
not cause Errors to be raised.

Defaults
--------
Global defaults for all your paperclip attachments can be defined by changing the Paperclip::Attachment.default_options Hash, this can be useful for setting your default storage settings per example so you won't have to define them in every has_attached_file definition.
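Review bot: The example under Security Validations reopens `class ActiveRecord::Base` and stacks all three options on a single attachment, so it reads as code to run rather than as a menu of alternatives; change the first line to `class User < ActiveRecord::Base` and present the three options as separate snippets (or mark clearly that only one is needed). Two smaller points on the same block: `:matches => [/png\Z/, /jpe?g\Z/]` is case-sensitive, so `PHOTO.JPG` would be rejected, and `\Z` tolerates a trailing newline; a pattern such as `/\.jpe?g\z/i` is the safer form to document. Finally, the new heading uses a `====` underline while neighbouring sections such as Defaults use `----`, so it will render one level above its siblings, and "will prevent people trying to mess with your filesystem" should say concretely what the required validation guards against (an attachment whose name and type are never checked).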
@@ -1,3 +1,3 @@
module Paperclip
VERSION = "3.5.3" unless defined? Paperclip::VERSION
VERSION = "4.0.0" unless defined? Paperclip::VERSION
end

0 comments on commit 312126a
