CVE-2022-1811: Refuse html files as resources even if declared to be plain text · publify/publify@0fb6b02
Unrestricted Upload of File with Dangerous Type in GitHub repository publify/publify prior to 9.2.9.
@@ -4,7 +4,7 @@
class ResourceUploader < CarrierWave::Uploader::Base
include CarrierWave::MiniMagick
before :cache, :check_image_content_type!
before :cache, :check_content_type!
def content_type_allowlist
[%r{image/}, %r{audio/}, %r{video/}, “text/plain”]
@@ -37,26 +37,24 @@ def image?(new_file)
content_type&.include?(“image”)
end
def check_image_content_type!(new_file)
if image?(new_file)
magic_type = mime_magic_content_type(new_file)
if magic_type != new_file.content_type
raise CarrierWave::IntegrityError, “has MIME type mismatch”
end
def check_content_type!(new_file)
detected_type = if image? new_file
file_content_content_type(new_file)
else
file_content_type(new_file)
end
if detected_type != new_file.content_type
raise CarrierWave::IntegrityError, “has MIME type mismatch”
end
end
private
# NOTE: This method was adapted from MagicMimeBlacklist#extract_content_type
# from CarrierWave 1.0.0 and SanitizedFile#mime_magic_content_type from CarrierWave 0.11.2
def mime_magic_content_type(new_file)
content_type = nil
File.open(new_file.path) do |fd|
content_type = Marcel::MimeType.for(fd)
end
def file_content_content_type(new_file)
Marcel::MimeType.for Pathname.new(new_file.path)
end
content_type
def file_content_type(new_file)
Marcel::MimeType.for Pathname.new(new_file.path), name: new_file.filename
end
end
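Review bot: The context comment `# NOTE: This method was adapted from MagicMimeBlacklist#extract_content_type …` described the removed `mime_magic_content_type`, so on the new side it now sits above `file_content_content_type` and documents nothing that still exists; replace it with a comment on the two helpers that states why only the non-image path passes `name: new_file.filename` (presumably so Marcel can refine a text sniff by extension — worth confirming against Marcel's precedence rules before writing it as fact). In `check_content_type!`, the mismatch is an exact string comparison and the raised message drops both values; `raise CarrierWave::IntegrityError, "has MIME type mismatch (declared #{new_file.content_type}, detected #{detected_type})"` would make a rejected upload diagnosable from the log without changing the check. If Marcel falls back to the filename when no magic rule matches the body, the non-image branch effectively compares the declared type against the extension for content it cannot sniff, so a regression spec that uploads an HTML body under a `.txt` name with a `text/plain` declaration would show whether the fix for CVE-2022-1811 covers that path. The closing `end` on the last hunk line appears to close the class, whose header is outside this hunk.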