Re: CVE request: Content type spoofing in ruby gem paperclip <4.2.2

[Reed Loden <reed () reedloden com>]

OSVDB noticed that this seems to be CVE-2015-2963

http://jvn.jp/en/jp/JVN83881261/index.html (no idea why they call it an
XSS)

https://robots.thoughtbot.com/paperclip-security-release is the official
notification and just references the commit message.

~reed

On Thu, Jun 18, 2015 at 1:56 AM, Reed Loden <reed () reedloden com> wrote:

> Saw this in paperclip's NEWS file, and I couldn't find a CVE for it.
>
>
> https://github.com/thoughtbot/paperclip/commit/9aee4112f36058cd28d5fe4a006d6981bd1eda57
>
> """"
> There is an issue where if an HTML file is uploaded with a .html
> extension, but the content type is listed as being `image/jpeg`, this
> will bypass a validation checking for images. But it will also pass the
> spoof check, because a file named .html and containing actual HTML
> passes the spoof check.
>
> This change makes it so that we also check the supplied content type. So
> even if the file contains HTML and ends with .html, it doesn't match the
> content type of `image/jpeg` and so it fails.
> """"
>
> Fixed in paperclip 4.2.2.
>
> ~reed