CVE-2021-21305: carrierwave/CHANGELOG.md at master · carrierwaveuploader/carrierwave
CarrierWave is an open-source RubyGem that provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1 there is a code injection vulnerability: the `#manipulate!` method inappropriately `eval`s the content of the mutation options (`:read`/`:write`), so an attacker who controls those values can craft a string that is executed as Ruby code. If an application developer passes untrusted input into these options, this leads to remote code execution (RCE). The issue is fixed in versions 1.3.2 and 2.1.1.
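The bug class the advisory describes, as an added stand-alone illustration that is not CarrierWave's own code: `FakeImage` is a hypothetical stand-in for the RMagick object whose attributes the `:read`/`:write` option hash is meant to set, `unsafe_info_block` reconstructs the pattern of building Ruby source from option keys and values and `eval`ing it, and `safe_info_block` shows the hardened form, which passes values to the setters as data via `public_send` and, as an extra check added here beyond the upstream fix, rejects keys outside an explicit allowlist. The payload is constructed and deliberately benign; it only sets a global flag to prove the trailing statement ran.

```ruby
# Added illustration of the CVE-2021-21305 bug class; not CarrierWave's code.
# FakeImage is a hypothetical stand-in for the RMagick image/info object.
FakeImage = Struct.new(:format, :quality, :density)

# Vulnerable pattern: option keys and values are interpolated into Ruby source
# and eval'd. A value such as "75; $injected = true" is executed, not assigned.
def unsafe_info_block(options)
  return nil unless options
  assignments = options.map { |k, v| "self.#{k} = #{v}" }
  eval("lambda { #{assignments.join('; ')} }") # code injection point
end

# Hardened pattern: no source text is built. Values reach the setter as plain
# data through public_send, and keys must be on an allowlist (the allowlist is
# an addition of this example, not part of the upstream fix).
ALLOWED_INFO_KEYS = %i[format quality density].freeze

def safe_info_block(options)
  return nil unless options
  unknown = options.keys.map(&:to_sym) - ALLOWED_INFO_KEYS
  unless unknown.empty?
    raise ArgumentError, "unsupported option(s): #{unknown.join(', ')}"
  end
  lambda do
    options.each { |k, v| public_send(:"#{k}=", v) }
  end
end

# Runs the block the way an image library would, with the image as self, and
# reports the resulting quality plus whether the injected statement executed.
def apply_options(builder, options)
  $injected = false
  img = FakeImage.new
  block = send(builder, options)
  img.instance_exec(&block) if block
  [img.quality, $injected]
end

if __FILE__ == $PROGRAM_NAME
  payload = { quality: "75; $injected = true" } # constructed untrusted input
  p apply_options(:unsafe_info_block, payload)  # => [75, true]
  p apply_options(:safe_info_block, payload)    # => ["75; $injected = true", false]
end
```

Removing `eval` is what closes the injection; the allowlist is the additional check that keeps an attacker-controlled key from reaching arbitrary setters through `public_send`.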
# Carrierwave History/Changelog
All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.

## [Unreleased]
### Removed
- Remove support for Merb (@seuros #2566)

## 2.2.2 - 2021-05-28
### Fixed
- Fix `no implicit conversion of CSV into String` error when parsing a CSV object (@pjmartorell #2562, #2559)

## 2.2.1 - 2021-03-30
### Changed
- Replace mimemagic with marcel due to licensing concern (@pjmartorell #2551, #2548)
### Fixed
- Fog storage’s `#clean_cache!` breaks when non-cache objects exist in cache_dir (@mshibuya 42c620a1, #2532)

## 2.2.0 - 2021-02-23
### Added
- libvips support through ImageProcessing::Vips and ruby-vips (@rhymes #2500, e8421978, 4ae8dc64)
- Provide alternatives to whitelist/blacklist terminology as allowlist/denylist, while old ones are still available but deprecated (@grantbdev #2442, 4c3cac75, #2491)
- Support for the latest version of RMagick (@mshibuya 88f24451)
### Deprecated
- `#(content_type|extension)_whitelist`, `#(content_type|extension)_blacklist` are deprecated. Use `#(content_type|extension)_allowlist` and `#(content_type|extension)_denylist` instead (@grantbdev #2442, 4c3cac75)
### Fixed
- Calculate Fog expiration taking DST into account (@mshibuya, f90e14ca, #2059)
- Set correct content type on copy of fog files (@ZuevEvgenii #2503, 6682f7ac, #2487)
- Fix fog-google support to pass acl_header for public read if fog is public (@yosiat #2525, #2426)
- Fix various URL escape issues by escaping on URI parse error only (@mshibuya 3faf7491, #2457, #2473)
- Fix instance variables `@versions_to_*` not initialized warning (@mshibuya c10b82ed, #2493)
- Fix `SanitizedFile#move_to` wrongly detects content_type based on the path before move (@mshibuya a42e1b4c, #2495)
- Fix returning invalid content type on text files (@inkstak #2474, #2424)
- Skip content type and extension filters where possible (@alexpooley #2464)
- Fix file’s `#url` being called twice, which might be costly for non-local files (@skyeagle #2519)
- Fix mime type detection failing with types which contain `+` symbol, such as `image/svg+xml` (@sylvainbx #2489)
- Fix `#cached?` to return boolean instead of `@cache_id` value (@kmiyake #2510)
- Fix mime type detection for MS Office files (@anthonypenner #2447)
### Security
- Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya 387116f5, GHSA-cf3w-g86h-35x4)
- Fix SSRF vulnerability in the remote file download feature (@mshibuya 012702eb, GHSA-fwcm-636p-68r5)

## 2.1.1 - 2021-02-08
### Security
- Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya 15bcf8d8, GHSA-cf3w-g86h-35x4)
- Fix SSRF vulnerability in the remote file download feature (@mshibuya e0f79e36, GHSA-fwcm-636p-68r5)

## 2.1.0 - 2020-02-16
### Added
- Support authenticated_url for Backblaze provider (@kevivmatrix #2444)
### Fixed
- Fix Ruby 2.7 deprecations (@mshibuya 9a37fc9e)
- Fix S3 path-style URL for host with dots for buckets that are placed in other regions than us-east-1 (@Bonias #2439)
- Make MiniMagick::Image constant absolute to prevent misleading ‘uninitialized constant’ error (@p8 #2437)

## 2.0.2 - 2019-09-28
### Fixed
- Fix download causing nil error if the file has empty filename (@fukayatsu #2419, #2411)

## 2.0.1 - 2019-08-31
### Fixed
- Fix `#{column}_cache` unintentionally removing files on assigning empty string (@mshibuya 22e8005e, #2412)

## 2.0.0 - 2019-08-18
No changes.

## 2.0.0.rc - 2019-06-23
### Added
- Append, reorder, and remove-single-file feature for multiple file uploader (@mshibuya #2401)
- Allow retrieval of uploader index within uploaders (@mshibuya #1771)
- Add ability to customize downloaders (@mshibuya #1636)
- Support internationalized domain names for downloader (@mshibuya #2086)
- Support authenticated_url for Aliyun provider (@Nitrino #2381)
- Support passing options to authenticated_url for OpenStack provider (@stanhu #2377)
- Support authenticated_url for AzureRM provider (@Nitrino #2375)
- Allow custom expires_at when building an authenticated_url (@stephankaag #2397)
### Changed
- [BREAKING CHANGE] Use the storage given by `storage` configuration also for `cache_storage` unless explicitly specified (@mshibuya 629afecb)
- Improve Fog initialization (@mshibuya #2395)
- [BREAKING CHANGE] Multiple file uploader now keeps successful files on update, only discarding failed ones (@mshibuya 7db9195d)
- [BREAKING CHANGE] `#remote_#{column}_urls=` was changed to preserve precedent updates (@mshibuya 8f18a95b)
- `#serializable_hash` now returns string for version keys (@schovi #2246)
- Use the MimeMagic gem to inspect file headers for the mime type. This allows for mitigation of CVE-2016-3714, in combination with a `content_type_whitelist` (@locriani #1934)
- Replace mime-types dependency with mini_mime to save memory (@bradleypriest #2292)
- Delegate MiniMagick processing to ImageProcessing gem (@janko #2298)
- Handle ActiveRecord transaction correctly, not storing or removing files on rollback (@skosh #2209)
### Deprecated
- `fog_provider` configuration was deprecated and has no effect; just adding fog providers to `Gemfile` will load them (@mshibuya ca201ee2)
- `CarrierWave::Uploader::Base#sanitized_file` was deprecated, use `#file` instead (@mshibuya 28190e99)
### Removed
- Remove support for Rails 4.x and Ruby 2.0/2.1 (@mshibuya bada043f)
### Fixed
- Fix deleting files twice when marked for removal (@mshibuya 67800fde)
- Fix `uploader.cache!` loads entire contents of file into memory (@mshibuya #2136)
- Do not trigger `*_will_change!` when file is not to be removed (@mshibuya #2323)
- Allow deleting all files for multiple file upload (@mshibuya #1990)
- Failing to retrieve unquoted filenames from Content-Disposition (@mshibuya #2364)
- Fix `#clean_cache!` breaking with old format of cache id (@mshibuya aab402fb)
- Fix `#exists?` returning true after Fog file deletion (@mshibuya #2387)
- Make `#identifier` available for a retrieved file (@mshibuya #1581)
- Make cache id generation less predictable (@mshibuya #2326)
- Uploaders not being cleared when `#reload` or `#initialize_dup` are overridden in model (@mshibuya #2379)
- Fix `#content_type` returning false, instead of nil (@longkt90 #2384)
- Preserve connection cache when eager-loading fog (@dmitryshagin #2383)
- `#recreate_versions!` ignored `:from_version` when versions to recreate are given (@hedgesky #1879 #1164)

## 1.3.2 - 2021-02-08
### Fixed
- Fix Ruby 2.7 deprecations (@aubinlrx #2462)
### Security
- Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya eb9346df, GHSA-cf3w-g86h-35x4)
- Fix SSRF vulnerability in the remote file download feature (@mshibuya 91714add, GHSA-fwcm-636p-68r5)

## 1.3.1 - 2018-12-29
### Fixed
- Fix `#url_options_supported?` causing nil error (@mshibuya 0b9a64a1, #2361)

## 1.3.0 - 2018-12-24
### Added
- Query parameter support for fog-google (@stanhu #2332)
- Jets Turbine Support (@tongueroo #2355)
- Add `allowed_types` to `content_type_whitelist_error` (@mhluska #2270)
### Fixed
- S3 HTTPS url causes certificate issue when bucket name contains period (@ransombriggs #2359)
- Failed to get image dimensions when image is cached but not stored yet (@artygus #2349)
- Only include `x-amz-acl` header for AWS (@stanhu #2356)
- Remove old caches when no space is left on disk (@dosuken123 #2342)

## 1.2.3 - 2018-06-30
### Fixed
- Fix reading whole content of large files into memory on storing (@dosuken123 #2314)

## 1.2.2 - 2018-01-02
### Fixed
- Reset Content-Type on converting file format (@kyoshidajp #2237)

## 1.2.1 - 2017-10-04
### Fixed
- Locale check breaks when a Symbol is given to available_locales (@mshibuya #2234)

## 1.2.0 - 2017-09-30
### Added
- Added Proc Support for Width and Height (@tomprats #2169)
### Changed
- Decode unicode filenames from URL (@fedorkk #2131)
- Change file size of error message to human size (@aki77 #2199)
### Fixed
- Bundled en translation was not loaded by default, causing translation missing (@mshibuya 95ce39d3)
- Remove potentially redundant HEAD request on checking fog file existence (@eritiro #2140)
- Failing with uninitialized constant if uri is not loaded (@jasdeepsingh #2223)
- RMagick could not process remotely stored files (@zog #2185)
- Check if files are identical via FS rather than name before move (@riffraff #2191)
- Regexp `extension_whitelist` is also case-insensitive now (@vmdhoke #2201)
- Use `__send__` instead of `send` (@dminuoso #2178)

## 1.1.0 - 2017-04-30
### Added
- Rails 5.1 compatibility (@paulsturgess #2130, #2133)
- Support for `process` callback (@cfcosta #2045)
- S3 Transfer Acceleration support (@krekoten #2108)
- Allow non-argument options to be passed in mini magick combine_options (@krismartin #2097)
### Fixed
- Stop falling back to en locale when I18n is missing (@kryzhovnik #2083)
- Allow negative timestamp in cache id (@NickOttrando #2092)
- Avoid calling `file.url` twice (@lukeasrodgers #2078)
- Content Type being reset when moving cached file (@dweinand #2117)

## 1.0.0 - 2016-12-24
No changes.

## 1.0.0.rc - 2016-10-30
### Added
- Ability to set custom request headers on downloading remote URL (@mendab1e #2006)
### Changed
- Re-enable `public_url` optimization for Google Cloud Storage (@nikz #2039)
### Fixed
- Fix `clean_cache!` deleting unexpired files due to RegExp mismatch (@t-oginogin #2036)

## 1.0.0.beta - 2016-09-08
### Added
- Rails 5 support (@mshibuya)
- Add `#width` and `#height` methods to the RMagick processor (@mehlah #1805)
- Add a test matcher for the format (@yanivpr #1758)
- Support of MiniMagick’s Combine options (@bernabas #1754)
- Validate with the actual content-type of files (@eavgerinos)
- Support for multiple file uploads with `mount_uploaders` method (@jnicklas and @lisarutan #1481)
- Add a `cache_only` configuration option, useful for testing (@jeffkreeftmeijer #1456)
- Add `#width` and `#height` methods to MiniMagick processor (@ShivaVS #1405)
- Support for jRuby (@lephyrius #1377)
- Make cache storage configurable (@mshibuya #1312)
- Errors on file size (@gautampunhani #1026)
### Changed
- Blank uploaders are now memoized on the model instance (@DarthSim #1860)
- `#content_type_whitelist` and `extension_whitelist` now take either a string, a regexp, or an array of values (same thing for blacklists) (@mehlah #1825)
- [BREAKING CHANGE] Rename `extension_white_list` ~> `extension_whitelist` (@mehlah #1819)
- [BREAKING CHANGE] Rename `extension_black_list` ~> `extension_blacklist` (@mehlah #1819)
- [BREAKING CHANGE] Rename i18n keys `extension_black_list_error` ~> `extension_blacklist_error` and `extension_white_list_error` ~> `extension_whitelist_error` (@mehlah)
- Accept an array of strings or regexps to white/blacklist content types (@mehlah #1816)
- Add counter to cache_id (@thomasfedb #1797)
- [BREAKING CHANGE] Allow non-ASCII filename by default (@shuhei #1772)
- [BREAKING CHANGE] `to_json` behavior changed when serializing an uploader (@jnicklas and @lisarutan #1481)
- Better error when the configured storage is unknown (@st0012 #1779)
- Allow to pass additional options to Rackspace `authenticated_url` (@duhast #1722)
- Reduced memory footprint (@schneems #1652, @simonprev #1706)
- Improve Fog Loading (@plribeiro3000 #1620, @eavgerinos)
- All locales from `config.i18n.available_locales` are added to load_path (@printercu #1521)
- Do not display RMagick exception in I18n message (manuelpradal #1361)
- [BREAKING CHANGE] `#default_url` now accepts the same args passed to `#url` (@shekibobo #1347)
### Removed
- All locale files other than `en` are now in carrierwave-i18n (@mehlah #1848)
- Remove `CarrierWave::MagicMimeTypes` processor module (@mehlah #1816)
- Remove dependency on `ruby-filemagic` in white/blacklist content types (@mehlah #1816)
- Remove `CarrierWave::MimeTypes` processor module (@mehlah #1813)
- Remove support for Rails 3.2 and Ruby 1.8/1.9 (@bensie 2517d668)
### Fixed
- Don’t raise an error when content_type is called on a deleted file (@jvenezia #1915)
- `#remove_previous` fails to detect equality when mount_on option is set (@mshibuya 44cfb7c0)
- Fix `Mounter.blank?` method (@Bonias #1746)
- Reset `remove_#{column}` after invoking `remove_#{column}` (@eavgerinos #1668)
- Change Google’s url to the `public_url` (@m7moud #1683)
- Do not write to `ActiveModel::Dirty` changes when assigning something blank to a mounter that was originally blank (@eavgerinos #1635)
- Various grammar and typo fixes to error message translations
- Don’t error when size is called on a deleted file (@danielevans #1561)
- Flush mounters on `#dup` of active record model (@danielevans #1544)
- `Fog::File.read` returns its contents after upload instead of “closed stream” error (@stormsilver #1517)
- Don’t read file twice when calling `sanitized_file` or `cache!` (@felixbuenemann #1476)
- Change image extension when converting formats (@nashby #1446)
- Fix file delete being called twice on remove (@adamcrown #1441)
- RSpec 3 support (@randoum #1421, @akiomik #1370)
- MiniMagick converts all pages to a format by default and accepts an optional page number parameter to convert specific pages (@harikrishnan83 #1408)
- Fix cache workfile collision between versions (@jvdp #1399)
- Reset mounter cache on record reload (@semenyukdmitriy #1383)
- Retrieve only active versions of files (@filipegiusti #1351)
- Fix default gravity in MiniMagick `resize_and_pad` (@abevoelker #1358)
- Skip loading RMagick if already loaded (@mshibuya #1346)
- Make the `#remove_#{column}` accessor set the mounted column as changed (@nikz #1326)
- Tempfile and @content_type assignment (@bensie #1487)

## 0.11.0 - 2016-03-29
### Changed
- `cache_id` is now less collision-prone thanks to a counter (@stillwaiting and @mtsmfm #1866)
### Fixed
- Fix require RMagick deprecation warning (@thomasfedb and @bensie #1788)

## 0.10.0 - 2014-02-26
Please check 0.10-stable for previous changes.