Spoofing detection issue #1574
same issue here. :-( I'm using:

```ruby
has_attached_file :proof, styles: {
  original: { geometry: "2048x2048>", format: :jpg, convert_options: "-quality 80" },
  preview:  { geometry: "300x300>",   format: :jpg, convert_options: "-quality 70" } }
validates :proof, attachment_presence: true, attachment_size: { less_than: 7.megabyte },
  attachment_content_type: { content_type: [/\Aimage\/.*\Z/, "application/pdf", "application/x-pdf"] }
```

I get the spoof error when trying to upload a PDF:

```
[paperclip] Content Type Spoof: Filename something.pdf (["application/pdf"]), content type discovered from file command: image/jpeg. See documentation to allow this combination.
```
anyway, maybe a stupid question, but shouldn't paperclip be doing any spoof detection before even converting anything? @jyurek ?
Hi @gregmolnar and @mreinsch ! Is this still an issue for you in Paperclip? I know this issue is from approximately 1 year ago. If it is still an issue, can you please provide the code that's causing you the error? Thanks!
this isn't fixed yet, no. I still need the following workaround:
The code that I posted hasn't really changed. It's triggered when you try to upload a pdf and the pdf is converted into a jpeg (as instructed).
@mreinsch I am not working on the project anymore where I had this issue and I can't remember what my workaround was.
Would you be willing to send in a PR to solve the problem? Thanks!
@maclover7 the patch I have is just a workaround; the actual issue looks to be quite a bit deeper. I'm not sure I'll be able to find the time to address this properly.
How can we replicate this issue, in order to attempt a fix? Thanks!
@tute, I've recently run into this issue. It appears to happen with:

```ruby
class Document < ApplicationRecord   # Rails 5 base class; the superclass was missing from the posted snippet
  has_attached_file :asset,
    styles: { original: ['1920x1920>', :jpg] }
  validates_attachment :asset,
    content_type: { content_type: ['image/jpeg', 'image/png', 'application/pdf'] }
end
```

```
[paperclip] Content Type Spoof: Filename 1.pdf (application/pdf from Headers, ["application/pdf"] from Extension), content type discovered from file command: image/jpeg. See documentation to allow this combination.
```
@bouchard in my case it was because I have no "file" library.
The lib: https://pkgs.alpinelinux.org/package/edge/main/armhf/file
This one is specified in the dependencies section: https://github.com/thoughtbot/paperclip#file. @bouchard is that your issue? Or are those the steps to reproduce on any system?
Hello @tute, I'm on OS X, so I've confirmed that my snippet above is a minimal test case that reproduces the issue with Paperclip 5.0.0.

```sh
rails new test_app
cd test_app
echo "gem 'paperclip'" >> Gemfile
bundle install
rails g model Document
vi app/models/document.rb
# class Document < ApplicationRecord
#   has_attached_file :asset,
#     styles: { original: ['1920x1920>', :jpg] }
#   validates_attachment :asset,
#     content_type: { content_type: ['image/jpeg', 'image/png', 'application/pdf'] }
# end
vi db/migrate/.....create_documents.rb
# class CreateDocuments < ActiveRecord::Migration[5.0]
#   def change
#     create_table :documents do |t|
#       t.attachment :asset
#       t.timestamps
#     end
#   end
# end
rails console
```

```
> d = Document.new
=> #<Document id: nil, asset_file_name: nil, asset_content_type: nil, asset_file_size: nil, asset_updated_at: nil, created_at: nil, updated_at: nil>
irb(main):002:0> d.asset = File.open('any_pdf_to_test_with.pdf')
Command :: file -b --mime '/var/folders/xx/f61kmnqd013bk598qss8l9_w0000gn/T/5fe0bdbbc39578617959a974b8ad823920160805-20861-16aw80p.pdf'
Command :: identify -format '%wx%h,%[exif:orientation]' '/var/folders/xx/f61kmnqd013bk598qss8l9_w0000gn/T/5fe0bdbbc39578617959a974b8ad823920160805-20861-15q9gk8.pdf[0]' 2>/dev/null
Command :: convert '/var/folders/xx/f61kmnqd013bk598qss8l9_w0000gn/T/5fe0bdbbc39578617959a974b8ad823920160805-20861-15q9gk8.pdf[0]' -auto-orient -resize "1920x1920>" '/var/folders/xx/f61kmnqd013bk598qss8l9_w0000gn/T/fa5987387fddf624f6d24b19ffcc326f20160805-20861-1khzdbg.jpg'
=> #<File:/Users/brady/any_pdf_to_test_with.pdf>
irb(main):003:0> d.save
   (0.2ms)  begin transaction
Command :: file -b --mime '/var/folders/xx/f61kmnqd013bk598qss8l9_w0000gn/T/5fe0bdbbc39578617959a974b8ad823920160805-20861-ks3fu0.pdf'
[paperclip] Content Type Spoof: Filename any_pdf_to_test_with.pdf (application/pdf from Headers, ["application/pdf"] from Extension), content type discovered from file command: image/jpeg. See documentation to allow this combination.
   (0.1ms)  rollback transaction
=> false
```
Adapted fix for Rails 5:

```ruby
module MediaTypeSpoofDetectorFix
  def spoofed?
    return false if calculated_content_type == 'image/jpeg'
    super
  end
end

module Paperclip
  class MediaTypeSpoofDetector
    prepend MediaTypeSpoofDetectorFix
  end
end
```
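Added example, not Paperclip's code and not posted by anyone in this thread: a standalone model of the extension-versus-sniffed-bytes check behind the log line above, used to compare the blanket `return false if calculated_content_type == 'image/jpeg'` override with an allow-list scoped to the one combination the `original: [..., :jpg]` style really produces (a `.pdf` name over JPEG bytes). The magic-number sniffer, the extension table and the class names `SpoofDetector`/`BlanketDetector` are assumptions standing in for `file -b --mime` and Paperclip's internals. The scoped mapping is the same idea as Paperclip's documented `Paperclip.options[:content_type_mappings] = { pdf: 'image/jpeg' }` setting, which is what "see documentation to allow this combination" points at.

```ruby
# Added example: a standalone model of the spoof decision, not Paperclip's code.
# It sniffs a few magic numbers itself (assumption) instead of shelling out to
# `file -b --mime`, so it runs offline.

MAGIC_NUMBERS = [
  ["\xFF\xD8\xFF".b,      "image/jpeg"],
  ["\x89PNG\r\n\x1A\n".b, "image/png"],
  ["%PDF-".b,             "application/pdf"],
].freeze

# Types an extension may legitimately carry (assumed table, not Paperclip's).
EXTENSION_TYPES = {
  "pdf" => ["application/pdf"], "jpg" => ["image/jpeg"], "jpeg" => ["image/jpeg"],
  "png" => ["image/png"], "html" => ["text/html"],
}.freeze

def sniff_content_type(bytes)
  bytes = bytes.b
  hit = MAGIC_NUMBERS.find { |signature, _| bytes.start_with?(signature) }
  return hit[1] if hit
  bytes.lstrip.start_with?("<".b) ? "text/html" : "application/octet-stream"
end

class SpoofDetector
  # content_type_mappings: { extension_symbol => sniffed type allowed under that name }
  def initialize(filename, bytes, content_type_mappings: {})
    @filename = filename
    @bytes = bytes
    @mappings = content_type_mappings
  end

  def spoofed?
    return false if extension.empty?                                  # nothing to compare
    return false if types_from_name.include?(calculated_content_type) # name agrees with bytes
    !Array(@mappings[extension.to_sym]).include?(calculated_content_type)
  end

  def calculated_content_type
    @calculated_content_type ||= sniff_content_type(@bytes)
  end

  private

  def extension
    File.extname(@filename).downcase.delete_prefix(".")
  end

  def types_from_name
    EXTENSION_TYPES.fetch(extension, [])
  end
end

# The blanket workaround from the comment above, applied to this model:
# any JPEG passes, whatever it is called.
module BlanketJpegBypass
  def spoofed?
    return false if calculated_content_type == "image/jpeg"
    super
  end
end

class BlanketDetector < SpoofDetector
  prepend BlanketJpegBypass
end

# The scoped alternative: allow only the pdf -> image/jpeg combination that the
# `original: [..., :jpg]` style produces.
PDF_TO_JPEG = { pdf: "image/jpeg" }.freeze

# Constructed sample payloads (file headers only; enough for the sniffer).
JPEG_BYTES = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00".b
HTML_BYTES = "<html><script>alert(1)</script></html>".b

def decisions
  {
    # the symptom in this thread: converted original is JPEG but still named .pdf
    default_pdf_name_jpeg: SpoofDetector.new("report.pdf", JPEG_BYTES).spoofed?,
    scoped_pdf_name_jpeg:  SpoofDetector.new("report.pdf", JPEG_BYTES, content_type_mappings: PDF_TO_JPEG).spoofed?,
    # HTML under a .pdf name (stored-XSS style upload) is still rejected with the scoped mapping
    scoped_pdf_name_html:  SpoofDetector.new("report.pdf", HTML_BYTES, content_type_mappings: PDF_TO_JPEG).spoofed?,
    # a JPEG under an unrelated name is rejected by the scoped mapping but waved through by the blanket bypass
    scoped_png_name_jpeg:  SpoofDetector.new("logo.png", JPEG_BYTES, content_type_mappings: PDF_TO_JPEG).spoofed?,
    blanket_png_name_jpeg: BlanketDetector.new("logo.png", JPEG_BYTES).spoofed?,
    blanket_pdf_name_html: BlanketDetector.new("report.pdf", HTML_BYTES).spoofed?,
  }
end

if __FILE__ == $PROGRAM_NAME
  decisions.each { |label, spoofed| puts "#{label}: #{spoofed ? 'rejected' : 'accepted'}" }
end
```

Either override makes the `.pdf`-named JPEG pass, so both "fix" the symptom; the difference is what else they let in. Scoping the exception to the extension that the conversion actually produces keeps the detector doing its job for every other name, which is why the per-extension mapping is preferable to suppressing the check for a whole content type.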
Looks like we found a workaround, closing. |
I am trying to convert a pdf to a jpg but I am getting a spoofing error. For some reason at this line: https://github.com/thoughtbot/paperclip/blob/master/lib/paperclip/validators/media_type_spoof_detection_validator.rb#L8 the `original_filename` still has the pdf extension, hence the spoofing error. I tried to write a test to prove the issue but I am getting loads of errors when trying to run the tests. There is a dependency issue with bourne and mocha first of all. When I got around that there are still loads of random failures.