This is an automated email from the ASF dual-hosted git repository.
rubys pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git
The following commit(s) were added to refs/heads/master by this push:
new abba07f possible workaround for ImageMagick CVE-2016-3714 fix
abba07f is described below
commit abba07f85f15c880d613f0076145c2fc4fa5313f
Author: Sam Ruby <[email protected]>
AuthorDate: Thu Oct 25 13:49:28 2018 -0400
possible workaround for ImageMagick CVE-2016-3714 fix
https://stackoverflow.com/questions/42928765/convertnot-authorized-aaaa-error-constitute-c-readimage-453
---
www/secretary/workbench/models/attachment.rb | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/www/secretary/workbench/models/attachment.rb
b/www/secretary/workbench/models/attachment.rb
index ebe44a5..08dffbf 100644
--- a/www/secretary/workbench/models/attachment.rb
+++ b/www/secretary/workbench/models/attachment.rb
@@ -49,14 +49,15 @@ class Attachment
end
def as_pdf
- file = SafeTempFile.new([safe_name, '.pdf'])
+ ext = File.extname(name).downcase
+ ext = '.pdf' if content_type.end_with? '/pdf'
+ ext.untaint if ext =~ /^\.\w+$/
+
+ file = SafeTempFile.new([safe_name, ext])
file.write(body)
file.rewind
- return file if content_type.end_with? '/pdf'
- return file if name.end_with? '.pdf'
-
- ext = File.extname(name).downcase
+ return file if ext == '.pdf'
if IMAGE_TYPES.include? ext or content_type.start_with? 'image/'
pdf = SafeTempFile.new([safe_name, '.pdf'])
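Review bot: the guard `ext.untaint if ext =~ /^\.\w+$/` uses `^` and `$`, which in Ruby match at line boundaries rather than string ends, so an extension that carries a newline (for example `".pdf\nx"` taken from an attachment name) passes the check on its first line and is untainted whole; anchor the whitelist with `\A` and `\z` (`ext.untaint if ext =~ /\A\.\w+\z/`). When the extension fails that check, or `File.extname(name)` returns an empty string, the still-tainted value is passed straight into `SafeTempFile.new([safe_name, ext])`, and the branch `if IMAGE_TYPES.include? ext or content_type.start_with? 'image/'` can then hand ImageMagick a file whose extension does not reflect its content, which is the same coder-selection problem this workaround is meant to avoid; consider falling back to an extension derived from `content_type` (or a fixed safe default) in that case, and record in the commit message why the temp file now keeps the attachment's own extension instead of `.pdf`.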