Skip to content
This repository has been archived by the owner on Jul 13, 2023. It is now read-only.

Commit

Permalink
v4.0.0
Browse files Browse the repository at this point in the history
  • Loading branch information
Jon Yurek committed Jan 31, 2014
1 parent c132f6c commit 312126a
Show file tree
Hide file tree
Showing 3 changed files with 43 additions and 1 deletion.
8 changes: 8 additions & 0 deletions NEWS
Original file line number Diff line number Diff line change
@@ -1,3 +1,11 @@
New in 4.0.0:

* Security: Attachments are checked to make sure they're not pulling a fast one.
* Security: It is now *enforced* that every attachment has a file/mime validation.
* Bug Fix: Removed a call to IOAdapter#close that was causing issues.
* Improvement: Added bullets to the 3.5.3 list of changes. Very important.
* Improcement: Updated the copyright to 2014

New in 3.5.3:

* Improvement: After three long, hard years... we know how to upgrade
Expand Down
34 changes: 34 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,7 @@ Quick Start
class User < ActiveRecord::Base
attr_accessible :avatar
has_attached_file :avatar, :styles => { :medium => "300x300>", :thumb => "100x100>" }, :default_url => "/images/:style/missing.png"
validates_attachment_content_type :avatar, :content_type => /\Aimage\/.*\Z/
end
```

Expand All @@ -112,6 +113,7 @@ end
```ruby
class User < ActiveRecord::Base
has_attached_file :avatar, :styles => { :medium => "300x300>", :thumb => "100x100>" }, :default_url => "/images/:style/missing.png"
validates_attachment_content_type :avatar, :content_type => /\Aimage\/.*\Z/
end
```

Expand Down Expand Up @@ -302,6 +304,38 @@ validates_attachment :avatar,
`Paperclip::ContentTypeDetector` will attempt to match a file's extension to an
inferred content_type, regardless of the actual contents of the file.

Security Validations
====================

NOTE: Starting at version 4.0.0, all attachments are *required* to include a
content_type validation, a file_name validation, or to explicitly state that
they're not going to have either. *Paperclip will raise an error* if you do not
do this.

```ruby
class ActiveRecord::Base
has_attached_file :avatar
# Validate content type
validates_attachment_content_type :avatar, :content_type => /\Aimage/
# Validate filename
validates_attachment_file_name :avatar, :matches => [/png\Z/, /jpe?g\Z/]
# Explicitly do not validate
do_not_validate_attachment_file_type :avatar
end
```

This keeps Paperclip secure-by-default, and will prevent people trying to mess
with your filesystem.

NOTE: Also starting at version 4.0.0, Paperclip has another validation that
cannot be turned off. This validation will prevent content type spoofing. That
is, uploading, say, a PHP document as part of the EXIF tags of a well-formed
JPEG. This check is limited to the media type (the first part of the MIME type,
so, 'text' in 'text/plain'). This will prevent HTML documents from being
uploaded as JPEGs, but will not prevent GIFs from being uploaded with a .jpg
extension. This validation will only add validation errors to the form. It will
not cause Errors to be raised.

Defaults
--------
Global defaults for all your paperclip attachments can be defined by changing the Paperclip::Attachment.default_options Hash, this can be useful for setting your default storage settings per example so you won't have to define them in every has_attached_file definition.
Expand Down
2 changes: 1 addition & 1 deletion lib/paperclip/version.rb
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
module Paperclip
VERSION = "3.5.3" unless defined? Paperclip::VERSION
VERSION = "4.0.0" unless defined? Paperclip::VERSION
end

0 comments on commit 312126a

Please sign in to comment.