All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.
- Fix Content-Type allowlist bypass vulnerability remained (@mshibuya 4317871, GHSA-vfmv-jfc5-pjjw)
- Fix Content-Type allowlist bypass vulnerability, possibly leading to XSS (@mshibuya 39b282d, GHSA-gxhx-g4fq-49hj)
- Add workaround for 'undefined method closed?' error caused by ssrf_filter 1.1 (@mshibuya c74579d, #2628)
- Add workaround for the API change in ssrf_filter 1.1 (@BrianHawley #2629, #2625)
- Fix
no implicit conversion of CSV into Stringerror when parsing a CSV object (@pjmartorell #2562, #2559)
- Fog storage's #clean_cache! breaks when non-cache objects exist in cache_dir (@mshibuya 42c620a1, #2532)
- libvips support through ImageProcessing::Vips and ruby-vips (@rhymes #2500, e8421978, 4ae8dc64)
- Provide alternatives to whitelist/blacklist terminology as allowlist/denylist, while old ones are still available but deprecated (@grantbdev #2442, 4c3cac75, #2491)
- Support for the latest version of RMagick (@mshibuya 88f24451)
#(content_type|extension)_whitelist,#(content_type|extension)_blacklistare deprecated. Use#(content_type|extension)_allowlistand#(content_type|extension)_denylistinstead (@grantbdev #2442, 4c3cac75)
- Calculate Fog expiration taking DST into account (@mshibuya, f90e14ca, #2059)
- Set correct content type on copy of fog files (@ZuevEvgenii #2503, 6682f7ac, #2487)
- Fix fog-google support to pass acl_header for public read if fog is public (@yosiat #2525, #2426)
- Fix various URL escape issues by escaping on URI parse error only (@mshibuya 3faf7491, #2457, #2473)
- Fix instance variables
@versions_to_*not initialized warning (@mshibuya c10b82ed, #2493) - Fix
SanitizedFile#move_towrongly detects content_type based on the path before move (@mshibuya a42e1b4c, #2495) - Fix returning invalid content type on text files (@inkstak #2474, #2424)
- Skip content type and extension filters where possible (@alexpooley #2464)
- Fix file's
#urlbeing called twice, which might be costly for non-local files (@skyeagle #2519) - Fix mime type detection failing with types which contain
+symbol, such asimage/svg+xml(@sylvainbx #2489) - Fix
#cached?to return boolean instead of@cache_idvalue (@kmiyake #2510) - Fix mime type detection for MS Office files (@anthonypenner #2447)
- Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya 387116f5, GHSA-cf3w-g86h-35x4)
- Fix SSRF vulnerability in the remote file download feature (@mshibuya 012702eb, GHSA-fwcm-636p-68r5)
- Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya 15bcf8d8, GHSA-cf3w-g86h-35x4)
- Fix SSRF vulnerability in the remote file download feature (@mshibuya e0f79e36, GHSA-fwcm-636p-68r5)
- Support authenticated_url for Blackblaze provider(@kevivmatrix #2444)
- Fix Ruby 2.7 deprecations(@mshibuya 9a37fc9e)
- Fix S3 path-style URL for host with dots for buckets that are placed in other regions than us-east-1(@Bonias #2439)
- Make MiniMagick::Image constant absolute to prevent misleading 'uninitialized constant' error(@p8 #2437)
- Fix
#{column}_cacheunintentionally removing files on assigning empty string(@mshibuya 22e8005e, #2412)
No changes.
- Append, reorder, and remove-single-file feature for multiple file uploader(@mshibuya #2401)
- Allow retrieval of uploader index within uploaders(@mshibuya #1771)
- Add ability to customize downloaders(@mshibuya #1636)
- Support internationalized domain names for downloader(@mshibuya #2086)
- Support authenticated_url for Aliyun provider(@Nitrino #2381)
- Support passing options to authenticated_url for OpenStack provider(@stanhu #2377)
- Support authenticated_url for AzureRM provider(@Nitrino #2375)
- Allow custom expires_at when building an authenticated_url(@stephankaag #2397)
- [BREAKING CHANGE] Use the storage given by
storageconfiguration also forcache_storageunless explicitly specified(@mshibuya 629afecb) - Improve Fog initialization(@mshibuya #2395)
- [BREAKING CHANGE] Multiple file uploader now keeps successful files on update, only discarding failed ones(@mshibuya 7db9195d)
- [BREAKING CHANGE]
#remote_#{column}_urls=was changed to preserve precedent updates(@mshibuya 8f18a95b) #serializable_hashnow returns string for version keys(@schovi #2246)- Use the MimeMagic gem to inspect file headers for the mime type. This allows for mitigation of CVE-2016-3714, in combination with a
content_type_whitelist(@locriani #1934) - Replace mime-types dependency with mini_mime to save memory(@bradleypriest #2292)
- Delegate MiniMagick processing to ImageProcessing gem(@janko #2298)
- Handle ActiveRecord transaction correctly, not storing or removing files on rollback(@skosh #2209)
fog_providerconfiguration was deprecated and has no effect, just adding fog providers toGemfilewill load them(@mshibuya ca201ee2)CarrierWave::Uploader::Base#sanitized_filewas deprecated, use#fileinstead(@mshibuya 28190e99)
- Remove support for Rails 4.x and Ruby 2.0/2.1 (@mshibuya bada043f)
- Fix deleting files twice when marked for removal(@mshibuya 67800fde)
- Fix
uploader.cache!loads entire contents of file into memory(@mshibuya #2136) - Do not trigger *_will_change! when file is not to be removed(@mshibuya #2323)
- Allow deleting all files for multiple file upload(@mshibuya #1990)
- Failing to retrieve unquoted filenames from Content-Disposition(@mshibuya #2364)
- Fix
#clean_cache!breaking with old format of cache id(@mshibuya aab402fb) - Fix
#exists?returning true after Fog file deletion(@mshibuya #2387) - Make
#identifieravailable for a retrieved file(@mshibuya #1581) - Make cache id generation less predictable(@mshibuya #2326)
- Uploaders not being cleared when
#reloador#initialize_dupare overridden in model(@mshibuya #2379) - Fix
#content_typereturning false, instead of nil(@longkt90 #2384) - Preserve connection cache when eagar-loading fog(@dmitryshagin #2383)
#recreate_versions!ignored:from_versionwhen versions to recreate are given(@hedgesky #1879 #1164)
Please check 1.x-stable for previous changes.