CVE-2021-21305: carrierwave/CHANGELOG.md at master · carrierwaveuploader/carrierwave

Carrierwave History/Changelog

All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.

[Unreleased]****Removed

• Remove support for Merb (@seuros #2566)

2.2.2 - 2021-05-28****Fixed

• Fix no implicit conversion of CSV into String error when parsing a CSV object (@pjmartorell #2562, #2559)

2.2.1 - 2021-03-30****Changed

• Replace mimemagic with marcel due to licensing concern (@pjmartorell #2551, #2548)

Fixed

• Fog storage’s #clean_cache! breaks when non-cache objects exist in cache_dir (@mshibuya 42c620a1, #2532)

2.2.0 - 2021-02-23****Added

• libvips support through ImageProcessing::Vips and ruby-vips (@rhymes #2500, e8421978, 4ae8dc64)
• Provide alternatives to whitelist/blacklist terminology as allowlist/denylist, while old ones are still available but deprecated (@grantbdev #2442, 4c3cac75, #2491)
• Support for the latest version of RMagick (@mshibuya 88f24451)

Deprecated

• #(content_type|extension)_whitelist, #(content_type|extension)_blacklist are deprecated. Use #(content_type|extension)_allowlist and #(content_type|extension)_denylist instead (@grantbdev #2442, 4c3cac75)

Fixed

• Calculate Fog expiration taking DST into account (@mshibuya, f90e14ca, #2059)
• Set correct content type on copy of fog files (@ZuevEvgenii #2503, 6682f7ac, #2487)
• Fix fog-google support to pass acl_header for public read if fog is public (@yosiat #2525, #2426)
• Fix various URL escape issues by escaping on URI parse error only (@mshibuya 3faf7491, #2457, #2473)
• Fix instance variables @versions_to_* not initialized warning (@mshibuya c10b82ed, #2493)
• Fix SanitizedFile#move_to wrongly detects content_type based on the path before move (@mshibuya a42e1b4c, #2495)
• Fix returning invalid content type on text files (@inkstak #2474, #2424)
• Skip content type and extension filters where possible (@alexpooley #2464)
• Fix file’s #url being called twice, which might be costly for non-local files (@skyeagle #2519)
• Fix mime type detection failing with types which contain + symbol, such as image/svg+xml (@sylvainbx #2489)
• Fix #cached? to return boolean instead of @cache_id value (@kmiyake #2510)
• Fix mime type detection for MS Office files (@anthonypenner #2447)

Security

• Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya 387116f5, GHSA-cf3w-g86h-35x4)
• Fix SSRF vulnerability in the remote file download feature (@mshibuya 012702eb, GHSA-fwcm-636p-68r5)

2.1.1 - 2021-02-08****Security

• Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya 15bcf8d8, GHSA-cf3w-g86h-35x4)
• Fix SSRF vulnerability in the remote file download feature (@mshibuya e0f79e36, GHSA-fwcm-636p-68r5)

2.1.0 - 2020-02-16****Added

• Support authenticated_url for Blackblaze provider(@kevivmatrix #2444)

Fixed

• Fix Ruby 2.7 deprecations(@mshibuya 9a37fc9e)
• Fix S3 path-style URL for host with dots for buckets that are placed in other regions than us-east-1(@Bonias #2439)
• Make MiniMagick::Image constant absolute to prevent misleading ‘uninitialized constant’ error(@p8 #2437)

2.0.2 - 2019-09-28****Fixed

• Fix download causing nil error if the file has empty filename(@fukayatsu #2419, #2411)

2.0.1 - 2019-08-31****Fixed

• Fix #{column}_cache unintentionally removing files on assigning empty string(@mshibuya 22e8005e, #2412)

2.0.0 - 2019-08-18

No changes.

2.0.0.rc - 2019-06-23****Added

• Append, reorder, and remove-single-file feature for multiple file uploader(@mshibuya #2401)
• Allow retrieval of uploader index within uploaders(@mshibuya #1771)
• Add ability to customize downloaders(@mshibuya #1636)
• Support internationalized domain names for downloader(@mshibuya #2086)
• Support authenticated_url for Aliyun provider(@Nitrino #2381)
• Support passing options to authenticated_url for OpenStack provider(@stanhu #2377)
• Support authenticated_url for AzureRM provider(@Nitrino #2375)
• Allow custom expires_at when building an authenticated_url(@stephankaag #2397)

Changed

• [BREAKING CHANGE] Use the storage given by storage configuration also for cache_storage unless explicitly specified(@mshibuya 629afecb)
• Improve Fog initialization(@mshibuya #2395)
• [BREAKING CHANGE] Multiple file uploader now keeps successful files on update, only discarding failed ones(@mshibuya 7db9195d)
• [BREAKING CHANGE] #remote_#{column}_urls= was changed to preserve precedent updates(@mshibuya 8f18a95b)
• #serializable_hash now returns string for version keys(@schovi #2246)
• Use the MimeMagic gem to inspect file headers for the mime type. This allows for mitigation of CVE-2016-3714, in combination with a content_type_whitelist(@locriani #1934)
• Replace mime-types dependency with mini_mime to save memory(@bradleypriest #2292)
• Delegate MiniMagick processing to ImageProcessing gem(@janko #2298)
• Handle ActiveRecord transaction correctly, not storing or removing files on rollback(@skosh #2209)

Deprecated

• fog_provider configuration was deprecated and has no effect, just adding fog providers to Gemfile will load them(@mshibuya ca201ee2)
• CarrierWave::Uploader::Base#sanitized_file was deprecated, use #file instead(@mshibuya 28190e99)

Removed

• Remove support for Rails 4.x and Ruby 2.0/2.1 (@mshibuya bada043f)

Fixed

• Fix deleting files twice when marked for removal(@mshibuya 67800fde)
• Fix uploader.cache! loads entire contents of file into memory(@mshibuya #2136)
• Do not trigger *_will_change! when file is not to be removed(@mshibuya #2323)
• Allow deleting all files for multiple file upload(@mshibuya #1990)
• Failing to retrieve unquoted filenames from Content-Disposition(@mshibuya #2364)
• Fix #clean_cache! breaking with old format of cache id(@mshibuya aab402fb)
• Fix #exists? returning true after Fog file deletion(@mshibuya #2387)
• Make #identifier available for a retrieved file(@mshibuya #1581)
• Make cache id generation less predictable(@mshibuya #2326)
• Uploaders not being cleared when #reload or #initialize_dup are overridden in model(@mshibuya #2379)
• Fix #content_type returning false, instead of nil(@longkt90 #2384)
• Preserve connection cache when eagar-loading fog(@dmitryshagin #2383)
• #recreate_versions! ignored :from_version when versions to recreate are given(@hedgesky #1879 #1164)

1.3.2 - 2021-02-08****Fixed

• Fix Ruby 2.7 deprecations(@aubinlrx #2462)

Security

• Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya eb9346df, GHSA-cf3w-g86h-35x4)
• Fix SSRF vulnerability in the remote file download feature (@mshibuya 91714add, GHSA-fwcm-636p-68r5)

1.3.1 - 2018-12-29****Fixed

• Fix #url_options_supported? causing nil error(@mshibuya 0b9a64a1, #2361)

1.3.0 - 2018-12-24****Added

• Query parameter support for fog-google(@stanhu #2332)
• Jets Turbine Support(@tongueroo #2355)
• Add allowed_types to content_type_whitelist_error(@mhluska #2270)

Fixed

• S3 HTTPS url causes certificate issue when bucket name contains period(@ransombriggs #2359)
• Failed to get image dimensions when image is cached but not stored yet(@artygus #2349)
• Only include x-amz-acl header for AWS(@stanhu #2356)
• Remove old caches when no space is left on disk(@dosuken123 #2342)

1.2.3 - 2018-06-30****Fixed

• Fix reading whole content of large files into memory on storing(@dosuken123 #2314)

1.2.2 - 2018-01-02****Fixed

• Reset Content-Type on converting file format(@kyoshidajp #2237)

1.2.1 - 2017-10-04****Fixed

• Locale check breaks when a Symbol is given to available_locales(@mshibuya #2234)

1.2.0 - 2017-09-30****Added

• Added Proc Support for Width and Height(@tomprats #2169)

Changed

• Decode unicode filenames from URL(@fedorkk #2131)
• Change file size of error message to human size(@aki77 #2199)

Fixed

• Bundled en translation was not loaded by default, causing translation missing(@mshibuya 95ce39d3)
• Remove potentially redundant HEAD request on checking fog file existence(@eritiro #2140)
• Failing with uninitialized constant if uri is not loaded(@jasdeepsingh #2223)
• RMagick cloud not process remotely stored files(@zog #2185)
• Check if files are identical via FS rather than name before move(@riffraff #2191)
• Regexp extension_whitelist is also case-insensitive now(@vmdhoke #2201)
• Use __send__ instead of send (@dminuoso #2178)

1.1.0 - 2017-04-30****Added

• Rails 5.1 compatibility(@paulsturgess #2130, #2133)
• Support for process callback(@cfcosta #2045)
• S3 Transfer Acceleration support(@krekoten #2108)
• Allow non-argument options to be passed in mini magick combine_options(@krismartin #2097)

Fixed

• Stop falling back to en locale when I18n is missing(@kryzhovnik #2083)
• Allow nagative timestamp in cache id(@NickOttrando #2092)
• Avoid calling file.url twice(@lukeasrodgers #2078)
• Content Type being reset when moving cached file(@dweinand #2117)

1.0.0 - 2016-12-24

No changes.

1.0.0.rc - 2016-10-30****Added

• Ability to set custom request headers on downloading remote URL(@mendab1e #2006)

Changed

• Re-enable public_url optimization for Google Cloud Storage(@nikz #2039)

Fixed

• Fix clean_cache! deleting unexpired files due to RegExp mismatch(@t-oginogin #2036)

1.0.0.beta - 2016-09-08****Added

• Rails 5 support (@mshibuya)
• Add #width and #height methods to the RMagick processor (@mehlah #1805)
• Add a test matcher for the format (@yanivpr #1758)
• Support of MiniMagick’s Combine options (@bernabas #1754)
• Validate with the actual content-type of files (@eavgerinos)
• Support for multiple file uploads with mount_uploaders method (@jnicklas and @lisarutan #1481)
• Add a cache_only configuration option, useful for testing (@jeffkreeftmeijer #1456)
• Add #width and #height methods to MiniMagick processor (@ShivaVS #1405)
• Support for jRuby (@lephyrius #1377)
• Make cache storage configurable (@mshibuya #1312)
• Errors on file size (@gautampunhani #1026)

Changed

• Blank uploaders are now memoized on the model instance (@DarthSim #1860)
• #content_type_whitelist and extension_whitelist now takes either a string, a regexp, or an array of values (same thing for blacklists) (@mehlah #1825)
• [BREAKING CHANGE] Rename extension_white_list ~> extension_whitelist (@mehlah #1819)
• [BREAKING CHANGE] Rename extension_black_list ~> extension_blacklist (@mehlah #1819)
• [BREAKING CHANGE] Rename i18n keys extension_black_list_error ~> extension_blacklist_error and extension_white_list_error ~> extension_whitelist_error (@mehlah)
• Accept an array of strings or regexps to white/blacklist content types (@mehlah #1816)
• Add counter to cache_id (@thomasfedb #1797)
• [BREAKING CHANGE] Allow non-ASCII filename by default (@shuhei #1772)
• [BREAKING CHANGE] to_json behavior changed when serializing an uploader (@jnicklas and @lisarutan #1481)
• Better error when the configured storage is unknown (@st0012 #1779)
• Allow to pass additionnal options to Rackspace authenticated_url (@duhast #1722)
• Reduced memory footprint (@schneems #1652, @simonprev #1706)
• Improve Fog Loading (@plribeiro3000 #1620, @eavgerinos)
• All locales from config.i18n.available_locales are added to load_path (@printercu #1521)
• Do not display RMagick exception in I18n message (manuelpradal #1361)
• [BREAKING CHANGE] #default_url now accepts the same args passed to #url (@shekibobo #1347)

Removed

• All locale files other than en are now in carrierwave-i18n (@mehlah #1848)
• Remove CarrierWave::MagicMimeTypes processor module (@mehlah #1816)
• Remove dependency on ruby-filemagic in white/blacklist content types (@mehlah #1816)
• Remove CarrierWave::MimeTypes processor module (@mehlah #1813)
• Remove support for Rails 3.2 and Ruby 1.8/1.9 (@bensie 2517d668)

Fixed

• Don’t raise an error when content_type is called on a deleted file (@jvenezia #1915)
• #remove_previous fails to detect equality when mount_on option is set (@mshibuya 44cfb7c0)
• Fix Mounter.blank? method (@Bonias #1746)
• Reset remove_#{column} after invoking remove_#{column} (@eavgerinos #1668)
• Change Google’s url to the public_url (@m7moud #1683)
• Do not write to ActiveModel::Dirty changes when assigning something blank to a mounter that was originally blank (@eavgerinos #1635)
• Various grammar and typos fixes to error messages translations
• Don’t error when size is called on a deleted file (@danielevans #1561)
• Flush mounters on #dup of active record model (@danielevans #1544)
• Fog::File.read returns its contents after upload instead of “closed stream” error (@stormsilver #1517)
• Don’t read file twice when calling sanitized_file or cache! (@felixbuenemann #1476)
• Change image extension when converting formats (@nashby #1446)
• Fix file delete being called twice on remove (@adamcrown #1441)
• RSpec 3 support (@randoum #1421, @akiomik #1370)
• MiniMagick convert to a format all the pages by default and accept an optional page number parameter to convert specific pages (@harikrishnan83 #1408)
• Fix cache workfile collision between versions (@jvdp #1399)
• Reset mounter cache on record reload (@semenyukdmitriy #1383)
• Retrieve only active versions of files (@filipegiusti #1351)
• Fix default gravity in MiniMagick resize_and_pad (@abevoelker #1358)
• Skip loading RMagick if already loaded (@mshibuya #1346)
• Make the #remove_#{column} accessor set the mounted column as changed (@nikz #1326)
• Tempfile and @content_type assignment (@bensie #1487)

0.11.0 - 2016-03-29****Added****Changed

• cache_id is now less collision-prone thanks to a counter (@stillwaiting and @mtsmfm #1866)

Removed****Fixed

• Fix require RMagick deprecation warning (@thomasfedb and @bensie #1788)

0.10.0 - 2014-02-26

Please check 0.10-stable for previous changes.