Date: Thu, 18 Jun 2015 23:12:12 -0700 From: Reed Loden <reed@...dloden.com> To: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org> Subject: Re: CVE request: Content type spoofing in ruby gem paperclip <4.2.2 OSVDB noticed that this seems to be CVE-2015-2963 http://jvn.jp/en/jp/JVN83881261/index.html (no idea why they call it an XSS) https://robots.thoughtbot.com/paperclip-security-release is the official notification and just references the commit message. ~reed On Thu, Jun 18, 2015 at 1:56 AM, Reed Loden <reed@...dloden.com> wrote: > Saw this in paperclip's NEWS file, and I couldn't find a CVE for it. > > > https://github.com/thoughtbot/paperclip/commit/9aee4112f36058cd28d5fe4a006d6981bd1eda57 > > """" > There is an issue where if an HTML file is uploaded with a .html > extension, but the content type is listed as being `image/jpeg`, this > will bypass a validation checking for images. But it will also pass the > spoof check, because a file named .html and containing actual HTML > passes the spoof check. > > This change makes it so that we also check the supplied content type. So > even if the file contains HTML and ends with .html, it doesn't match the > content type of `image/jpeg` and so it fails. > """" > > Fixed in paperclip 4.2.2. > > ~reed >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ