SECURITY: force IM decoder based on file extension - part 3

Régis Hanol 2018-07-25 23:55:06 +02:00
parent 01714e40f4
commit aeaf6b5a7c
2 changed files with 10 additions and 10 deletions


@ -123,7 +123,7 @@ class OptimizedImage < ActiveRecord::Base
def self.prepend_decoder!(path)
extension = File.extname(path)[1..-1]
raise Discourse::InvalidAccess unless extension[IM_DECODERS]
path = "#{extension}:#{path}"
"#{extension}:#{path}"
end
def self.thumbnail_or_resize
@ -133,8 +133,8 @@ class OptimizedImage < ActiveRecord::Base
def self.resize_instructions(from, to, dimensions, opts = {})
ensure_safe_paths!(from, to)
prepend_decoder!(from)
prepend_decoder!(to)
from = prepend_decoder!(from)
to = prepend_decoder!(to)
# NOTE: ORDER is important!
%W{
@ -170,8 +170,8 @@ class OptimizedImage < ActiveRecord::Base
def self.crop_instructions(from, to, dimensions, opts = {})
ensure_safe_paths!(from, to)
prepend_decoder!(from)
prepend_decoder!(to)
from = prepend_decoder!(from)
to = prepend_decoder!(to)
%W{
convert
@ -205,8 +205,8 @@ class OptimizedImage < ActiveRecord::Base
def self.downsize_instructions(from, to, dimensions, opts = {})
ensure_safe_paths!(from, to)
prepend_decoder!(from)
prepend_decoder!(to)
from = prepend_decoder!(from)
to = prepend_decoder!(to)
%W{
convert
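Review bot: In `prepend_decoder!`, a path with no extension makes `File.extname(path)[1..-1]` evaluate to `nil`, so `extension[IM_DECODERS]` raises `NoMethodError` instead of the intended `Discourse::InvalidAccess`. The input is still rejected, but through an unrelated error; guard it with `raise Discourse::InvalidAccess unless extension && extension[IM_DECODERS]`. `IM_DECODERS` is defined outside this section; if it is a regex, it should be anchored with `\A…\z` and make an explicit choice about upper-case extensions, otherwise a partial match could pass the allow-list. The method now returns the prefixed string rather than changing its argument, so the `!` suffix is misleading; a comment such as `# returns "<ext>:<path>"; does not modify path` above the definition would help callers.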


@ -140,8 +140,8 @@ class UploadCreator
OptimizedImage.ensure_safe_paths!(from, to)
OptimizedImage.prepend_decoder!(from)
OptimizedImage.prepend_decoder!(to)
from = OptimizedImage.prepend_decoder!(from)
to = OptimizedImage.prepend_decoder!(to)
begin
execute_convert(from, to)
@ -220,7 +220,7 @@ class UploadCreator
path = @file.path
OptimizedImage.ensure_safe_paths!(path)
OptimizedImage.prepend_decoder!(path)
path = OptimizedImage.prepend_decoder!(path)
Discourse::Utils.execute_command('convert', path, '-auto-orient', path)
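Review bot: Reassigning `from`, `to` and `path` to the decoder-prefixed strings means these variables no longer hold filesystem paths, so any later `File.*` call on them in the same methods would fail. Both method bodies continue outside the visible hunks, so this needs checking there. Keeping the originals and using separate names for the ImageMagick arguments avoids the trap, e.g. `im_from = OptimizedImage.prepend_decoder!(from)` and `im_to = OptimizedImage.prepend_decoder!(to)`, then `execute_convert(im_from, im_to)`. A regression spec asserting that the arguments handed to `convert` carry the `ext:` prefix would have caught the discarded return values this commit fixes.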