whimsical-commits mailing list archives

From ru...@apache.org
Subject [whimsy] branch master updated: possible workaround for ImageMagick CVE-2016-3714 fix
Date Thu, 25 Oct 2018 17:50:17 GMT
This is an automated email from the ASF dual-hosted git repository.

rubys pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git


The following commit(s) were added to refs/heads/master by this push:
     new abba07f  possible workaround for ImageMagick CVE-2016-3714 fix
abba07f is described below

commit abba07f85f15c880d613f0076145c2fc4fa5313f
Author: Sam Ruby <rubys@intertwingly.net>
AuthorDate: Thu Oct 25 13:49:28 2018 -0400

    possible workaround for ImageMagick CVE-2016-3714 fix
    
    https://stackoverflow.com/questions/42928765/convertnot-authorized-aaaa-error-constitute-c-readimage-453
---
 www/secretary/workbench/models/attachment.rb | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/www/secretary/workbench/models/attachment.rb b/www/secretary/workbench/models/attachment.rb
index ebe44a5..08dffbf 100644
--- a/www/secretary/workbench/models/attachment.rb
+++ b/www/secretary/workbench/models/attachment.rb
@@ -49,14 +49,15 @@ class Attachment
   end
 
   def as_pdf
-    file = SafeTempFile.new([safe_name, '.pdf'])
+    ext = File.extname(name).downcase
+    ext = '.pdf' if content_type.end_with? '/pdf'
+    ext.untaint if ext =~ /^\.\w+$/
+
+    file = SafeTempFile.new([safe_name, ext])
     file.write(body)
     file.rewind
 
-    return file if content_type.end_with? '/pdf'
-    return file if name.end_with? '.pdf'
-
-    ext = File.extname(name).downcase
+    return file if ext == '.pdf'
 
     if IMAGE_TYPES.include? ext or content_type.start_with? 'image/'
       pdf = SafeTempFile.new([safe_name, '.pdf'])
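Review bot: the untaint guard `ext.untaint if ext =~ /^\.\w+$/` uses `^` and `$`, which in Ruby are line anchors rather than string anchors, so an extension value containing a newline can still satisfy the pattern on its first line; `\A\.\w+\z` is the usual anchoring for a whole-string whitelist check. Two smaller points in the same hunk: when `ext` does not match the pattern (no extension at all, or characters outside `\w`) it stays tainted and is still handed to `SafeTempFile.new([safe_name, ext])`, so it is worth stating explicitly, in a comment or an early `return`/`raise`, what is expected to happen on that path instead of relying on `SafeTempFile` to reject it; and the reason for writing the attachment out under its real extension instead of a fixed `.pdf` lives only in the commit message URL, so a one-line comment above `ext = File.extname(name).downcase` explaining that the extension must reflect the actual content for the ImageMagick policy to accept it would save the next maintainer from reverting this.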

