Video support about carrierwave-bombshelter HOT 6 OPEN

Just FYI, in Shrine this protection works for any type of file, because you can use generic tools like MimeMagic for extracting the MIME type. The main advantage of Fastimage is that it downloads only the portion of file that it needs in order determine the MIME type, but a downside is that it works only for images.

Since MimeMagic can determine any MIME type from the "magic header", I just needed to figure out how to download only how much of the remote file is needed to determine the MIME type. Since MimeMagic accepts IO objects (which respond to #read), I wanted represent the remote file as an IO-like object. This proved to be a very interesting and challenging task, and after a lot of experimenting and testing I managed to do it.

Down is a gem that Shrine uses for downloading files using net/http, so this is where I added this feature:

require "down"

remote_file = Down.open("http://example.com/image.jpg") # nothing is downloaded yet
remote_file.size # read from the "Content-Length" header

remote_file.read(1024) # downloads and returns first 1 KB
remote_file.read(1024) # downloads and returns next 1 KB

So now you can easily plug it into MimeMagic (or any other tool for determining MIME type from file contents):

remote_file = Down.open("http://example.com/image.jpg")
mime_type = MimeMagic.by_magic(remote_file).type

Since MimeMagic reads only how much it needs, that means that only that much of the file will be downloaded.

from carrierwave-bombshelter.

@DarthSim Happy to help 😃

Just wanted to add that you can still use Fastimage for extracting dimensions, because it also accepts IO objects:

remote_file = Down.open("http://example.com/image.jpg")
mime_type = MimeMagic.by_magic(remote_file).type
remote_file.rewind # we need to rewind what MimeMagic read
dimensions = Fastimage.size(remote_file)

Since the portion that MimeMagic read remains downloaded (it's saved into a Tempfile), you can just rewind the IO and feed it to Fastimage, which will then read the content that was already downloaded (and most likely won't need to download any more). So the behaviour is just like Fastimage, it only downloads the portion of the file once for both MIME type and dimensions.

from carrierwave-bombshelter.

Is there an exploit that uses video files?

from carrierwave-bombshelter.

http://news.softpedia.com/news/zero-day-ffmpeg-vulnerability-lets-anyone-steal-files-from-remote-machines-498880.shtml

from carrierwave-bombshelter.

Thanks for pointing on this. Protection from this bomb may appear in one of the future versions.

from carrierwave-bombshelter.

@janko-m Many thanks for Down, I was looking something like that to use it in BombShelter!

from carrierwave-bombshelter.