Date: Thu, 18 Jun 2015 23:12:12 -0700
From: Reed Loden <>
	Assign a CVE Identifier <>
Subject: Re: CVE request: Content type spoofing in ruby gem paperclip <4.2.2

OSVDB noticed that this seems to be CVE-2015-2963 (no idea why they call it an
XSS) is the official
notification and just references the commit message.


On Thu, Jun 18, 2015 at 1:56 AM, Reed Loden <> wrote:

> Saw this in paperclip's NEWS file, and I couldn't find a CVE for it.
> """
> There is an issue where if an HTML file is uploaded with a .html
> extension, but the content type is listed as being `image/jpeg`, this
> will bypass a validation checking for images. But it will also pass the
> spoof check, because a file named .html and containing actual HTML
> passes the spoof check.
> This change makes it so that we also check the supplied content type. So
> even if the file contains HTML and ends with .html, it doesn't match the
> content type of `image/jpeg` and so it fails.
> """
> Fixed in paperclip 4.2.2.
> ~reed
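For readers who want to see the bypass described in the quoted NEWS entry rather than just read about it, the following is an added Ruby example (not paperclip's own code, and not part of the original post). It models the three facts a spoof detector can look at: the upload's file extension, the content type sniffed from the bytes, and the content type the client claimed in the request. Paperclip's real detector shells out to file(1) for the sniffed type; the tiny magic-byte sniffer here is a stand-in so the example runs offline. All function names, the extension table, and the sample payloads are constructed for the example.

```ruby
# Added example: paperclip-style content-type spoof check, before and after
# the 4.2.2 change. Stand-in code with hypothetical names; not paperclip's.

# Content types allowed for a given extension (constructed table; paperclip
# derives its own from a MIME type registry).
TYPES_BY_EXTENSION = {
  "jpg"  => ["image/jpeg"],
  "jpeg" => ["image/jpeg"],
  "png"  => ["image/png"],
  "html" => ["text/html"],
  "htm"  => ["text/html"],
}.freeze

# Constructed sample uploads: real HTML, and bytes that start like a JPEG.
HTML_PAYLOAD = "<html><body><script>alert(document.domain)</script></body></html>"
JPEG_BYTES   = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00".b + ("\x00" * 16)

# Sniff a content type from leading bytes. Stand-in for the `file -b --mime`
# call paperclip uses; only the few types this example needs.
def sniff_content_type(bytes)
  b = bytes.b
  return "image/jpeg" if b.start_with?("\xFF\xD8\xFF".b)
  return "image/png"  if b.start_with?("\x89PNG\r\n\x1A\n".b)
  head = b.lstrip[0, 64].downcase
  return "text/html"  if head.start_with?("<!doctype html", "<html", "<script", "<body")
  "application/octet-stream"
end

def extension_of(filename)
  File.extname(filename).sub(/\A\./, "").downcase
end

# The image validation the NEWS entry says is bypassed: it only looks at the
# content type supplied with the upload, which the client controls.
def passes_image_content_type_validation?(supplied_type)
  supplied_type.to_s.start_with?("image/")
end

# Pre-4.2.2 behaviour: "spoofed" only when the type sniffed from the bytes is
# not allowed for the extension. A file named evil.html that really contains
# HTML is self-consistent, so it passes no matter what the client claimed.
def spoofed_before_fix?(filename, bytes, _supplied_type)
  allowed = TYPES_BY_EXTENSION.fetch(extension_of(filename), [])
  !allowed.include?(sniff_content_type(bytes))
end

# 4.2.2 behaviour: additionally require that the supplied content type (when
# one was supplied) agrees with what the extension allows.
def spoofed_after_fix?(filename, bytes, supplied_type)
  allowed  = TYPES_BY_EXTENSION.fetch(extension_of(filename), [])
  sniffed_mismatch  = !allowed.include?(sniff_content_type(bytes))
  supplied_mismatch = !supplied_type.to_s.empty? && !allowed.include?(supplied_type)
  sniffed_mismatch || supplied_mismatch
end

# Whole pipeline: the upload is stored only if it is not spoofed AND passes
# the image content-type validation.
def upload_accepted?(filename, bytes, supplied_type, fixed:)
  spoofed = fixed ? spoofed_after_fix?(filename, bytes, supplied_type)
                  : spoofed_before_fix?(filename, bytes, supplied_type)
  !spoofed && passes_image_content_type_validation?(supplied_type)
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |fixed|
    ok = upload_accepted?("evil.html", HTML_PAYLOAD, "image/jpeg", fixed: fixed)
    puts "#{fixed ? 'after' : 'before'} fix: evil.html claimed as image/jpeg -> #{ok ? 'ACCEPTED' : 'rejected'}"
  end
  puts "after fix: photo.jpg as image/jpeg -> #{upload_accepted?('photo.jpg', JPEG_BYTES, 'image/jpeg', fixed: true) ? 'ACCEPTED' : 'rejected'}"
end
```

The point the example makes: the pre-fix check only asked "do the bytes match the extension?", and an honest-looking evil.html answers yes, so the attacker-chosen Content-Type of image/jpeg sailed through the image validation and the file was stored. Once the supplied type is also compared against the extension, the same request is rejected, while a genuine photo.jpg sent as image/jpeg still passes. The general lesson is that the request's Content-Type header is attacker input and must never be the only thing an "is this an image" validation consults.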
