Jon Yurek committed Jan 31, 2014
1 parent c132f6c commit 312126a0a6825dcd24d736e68c08c95d74ed9458
Showing 3 changed files with 43 additions and 1 deletion.
@@ -1,3 +1,11 @@
New in 4.0.0:

* Security: Attachments are checked to make sure they're not pulling a fast one.
* Security: It is now *enforced* that every attachment has a file/mime validation.
* Bug Fix: Removed a call to IOAdapter#close that was causing issues.
* Improvement: Added bullets to the 3.5.3 list of changes. Very important.
* Improcement: Updated the copyright to 2014

New in 3.5.3:

* Improvement: After three long, hard years... we know how to upgrade
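Review bot: the first Security bullet ("not pulling a fast one") is too vague for a changelog that introduces behaviour users cannot turn off; state what is checked (the new media-type spoofing check the README hunk below describes) and that the second bullet means Paperclip now raises an error for any `has_attached_file` without a content_type or file_name validation, so people upgrading from 3.5.x know their models will fail until they add one. Also "Improcement" should read "Improvement".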
@@ -104,6 +104,7 @@ Quick Start
class User < ActiveRecord::Base
attr_accessible :avatar
has_attached_file :avatar, :styles => { :medium => "300x300>", :thumb => "100x100>" }, :default_url => "/images/:style/missing.png"
validates_attachment_content_type :avatar, :content_type => /\Aimage\/.*\Z/

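Review bot: `:content_type => /\Aimage\/.*\Z/` accepts every `image/*` subtype, including ones the `:styles` processors may not expect (SVG, for example, is XML and can carry script), and this Quick Start snippet is the one most users will copy. An explicit whitelist, such as `:content_type => ["image/jpeg", "image/png", "image/gif"]` or `/\Aimage\/(jpe?g|png|gif)\z/`, documents the intent better; note too that Ruby's `\Z` also matches before a trailing newline, so `\z` is the stricter anchor.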
@@ -112,6 +113,7 @@ end
class User < ActiveRecord::Base
has_attached_file :avatar, :styles => { :medium => "300x300>", :thumb => "100x100>" }, :default_url => "/images/:style/missing.png"
validates_attachment_content_type :avatar, :content_type => /\Aimage\/.*\Z/

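Review bot: same point as the Quick Start hunk above: this second example repeats the broad `image/*` pattern, so whichever whitelist is chosen there should be mirrored here to keep the two examples consistent.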
@@ -302,6 +304,38 @@ validates_attachment :avatar,
`Paperclip::ContentTypeDetector` will attempt to match a file's extension to an
inferred content_type, regardless of the actual contents of the file.

Security Validations

NOTE: Starting at version 4.0.0, all attachments are *required* to include a
content_type validation, a file_name validation, or to explicitly state that
they're not going to have either. *Paperclip will raise an error* if you do not
do this.

class ActiveRecord::Base
has_attached_file :avatar
# Validate content type
validates_attachment_content_type :avatar, :content_type => /\Aimage/
# Validate filename
validates_attachment_file_name :avatar, :matches => [/png\Z/, /jpe?g\Z/]
# Explicitly do not validate
do_not_validate_attachment_file_type :avatar

This keeps Paperclip secure-by-default, and will prevent people trying to mess
with your filesystem.

NOTE: Also starting at version 4.0.0, Paperclip has another validation that
cannot be turned off. This validation will prevent content type spoofing. That
is, uploading, say, a PHP document as part of the EXIF tags of a well-formed
JPEG. This check is limited to the media type (the first part of the MIME type,
so, 'text' in 'text/plain'). This will prevent HTML documents from being
uploaded as JPEGs, but will not prevent GIFs from being uploaded with a .jpg
extension. This validation will only add validation errors to the form. It will
not cause Errors to be raised.

Global defaults for all your paperclip attachments can be defined by changing the Paperclip::Attachment.default_options Hash, this can be useful for setting your default storage settings per example so you won't have to define them in every has_attached_file definition.
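Review bot: the Security Validations snippet will mislead copy-paste readers: it reopens `ActiveRecord::Base` instead of a model (`class User < ActiveRecord::Base`), it has no closing `end`, and it lists `validates_attachment_content_type`, `validates_attachment_file_name` and `do_not_validate_attachment_file_type` one after another as though all three belong together, whereas the third is the alternative to the other two; split them into three snippets or label them "one of the following". The file-name patterns `[/png\Z/, /jpe?g\Z/]` are also case-sensitive and not anchored at the dot, so `avatar.PNG` is rejected while a name ending in `notpng` passes; `[/\.png\z/i, /\.jpe?g\z/i]` is closer to the intent. Finally, `/\Aimage/` here differs from `/\Aimage\/.*\Z/` in the Quick Start hunks; the README should use one form, and since the paragraph below says the spoof check compares only the media type, it is worth adding one sentence that the subtype whitelist in `validates_attachment_content_type` remains the user's responsibility.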
@@ -1,3 +1,3 @@
module Paperclip
VERSION = "3.5.3" unless defined? Paperclip::VERSION
VERSION = "4.0.0" unless defined? Paperclip::VERSION

0 comments on commit 312126a