Comments (6)
Just FYI, in Shrine this protection works for any type of file, because you can use generic tools like MimeMagic for extracting the MIME type. The main advantage of Fastimage is that it downloads only the portion of file that it needs in order determine the MIME type, but a downside is that it works only for images.
Since MimeMagic can determine any MIME type from the "magic header", I just needed to figure out how to download only how much of the remote file is needed to determine the MIME type. Since MimeMagic accepts IO objects (which respond to #read), I wanted to represent the remote file as an IO-like object. This proved to be a very interesting and challenging task, and after a lot of experimenting and testing I managed to do it.
Down is a gem that Shrine uses for downloading files using net/http, so this is where I added this feature:
require "down"
remote_file = Down.open("http://example.com/image.jpg") # nothing is downloaded yet
remote_file.size # read from the "Content-Length" header
remote_file.read(1024) # downloads and returns first 1 KB
remote_file.read(1024) # downloads and returns next 1 KB
So now you can easily plug it into MimeMagic (or any other tool for determining MIME type from file contents):
require "down"
require "mimemagic"
remote_file = Down.open("http://example.com/image.jpg") # still nothing downloaded
mime_type = MimeMagic.by_magic(remote_file).type # reads (and so downloads) only the magic bytes
Since MimeMagic reads only how much it needs, that means that only that much of the file will be downloaded.
from carrierwave-bombshelter.
@DarthSim Happy to help
Just wanted to add that you can still use Fastimage for extracting dimensions, because it also accepts IO objects:
require "down"
require "mimemagic"
require "fastimage" # the gem's constant is FastImage, not Fastimage
remote_file = Down.open("http://example.com/image.jpg")
mime_type = MimeMagic.by_magic(remote_file).type
remote_file.rewind # we need to rewind what MimeMagic read
dimensions = FastImage.size(remote_file) # re-reads the already downloaded bytes
Since the portion that MimeMagic read remains downloaded (it's saved into a Tempfile), you can just rewind the IO and feed it to Fastimage, which will then read the content that was already downloaded (and most likely won't need to download any more). So the behaviour is just like Fastimage, it only downloads the portion of the file once for both MIME type and dimensions.
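The lazy IO idea from the two comments above, as an added example rather than Down's, MimeMagic's or FastImage's own code: a chunk enumerator stands in for net/http, a StringIO for Down's Tempfile, and a tiny magic-byte table for MimeMagic; all class and method names here (LazyRemoteIO, sniff_mime, png_dimensions, demo) are hypothetical. It counts chunks so you can see that the sniff pulls one chunk and the dimension read reuses it plus one more, leaving the rest of the body undownloaded.

```ruby
require "stringio"
# IO-like wrapper modelled on the lazy download described above: chunks come
# from any enumerator (constructed here, not net/http) and are pulled only when
# a reader wants bytes beyond the buffer; fetched bytes are kept (Down keeps
# them in a Tempfile), so #rewind lets a second reader reuse them.
class LazyRemoteIO
  attr_reader :chunks_fetched, :size
  def initialize(chunk_enum, size:)
    @chunks, @size, @chunks_fetched, @exhausted = chunk_enum, size, 0, false
    @buffer = StringIO.new("".b)
  end
  def read(length = nil)
    fetch_until(length ? @buffer.pos + length : @size)
    @buffer.read(length)
  end
  def rewind; @buffer.rewind; end
  def fetch_until(wanted)   # download until `wanted` bytes are buffered
    while !@exhausted && @buffer.string.bytesize < wanted
      chunk = (@chunks.next rescue nil)   # StopIteration => body exhausted
      next if (@exhausted = chunk.nil?)
      @chunks_fetched += 1
      pos = @buffer.pos
      @buffer.seek(0, IO::SEEK_END); @buffer.write(chunk); @buffer.pos = pos
    end
  end
end
MAGIC = { "image/png" => "\x89PNG\r\n\x1a\n".b, "image/jpeg" => "\xFF\xD8\xFF".b,
          "image/gif" => "GIF8".b }.freeze
# Sniff the type from the leading bytes, in the spirit of MimeMagic.by_magic.
def sniff_mime(io)
  head = io.read(8) || "".b
  pair = MAGIC.find { |_, magic| head.start_with?(magic) }
  pair ? pair.first : "application/octet-stream"
end
# PNG width/height sit in IHDR at bytes 16..23; after rewind this reuses the
# bytes the sniff already fetched, as the comment above does with FastImage.
def png_dimensions(io)
  io.rewind
  header = io.read(24)
  header && header.bytesize == 24 ? header[16, 8].unpack("N2") : nil
end
# Constructed sample: a 64-byte PNG-shaped body served in 16-byte chunks.
def demo(chunk_size: 16)
  body = ("\x89PNG\r\n\x1a\n".b + [13].pack("N") + "IHDR".b + [640, 480].pack("N2")).ljust(64, "\0".b)
  chunks = body.bytes.each_slice(chunk_size).map { |b| b.pack("C*") }.each
  io = LazyRemoteIO.new(chunks, size: body.bytesize)
  mime = sniff_mime(io)
  after_sniff = io.chunks_fetched
  { mime: mime, dims: png_dimensions(io), chunks_after_sniff: after_sniff,
    chunks_after_dims: io.chunks_fetched, size: io.size }
end
```

Running `demo` reports the sniff after one chunk and the dimensions after two, with the remaining two chunks never fetched.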
Is there an exploit that uses video files?
Thanks for pointing this out. Protection from this bomb may appear in one of the future versions.
@janko-m Many thanks for Down, I was looking for something like that to use in BombShelter!