Rails: how do I make CarrierWave accept SVG uploads again?
I am upgrading a Rails app from 3 to 7. With the new app, CarrierWave stopped accepting SVG files for upload. Previously I could upload SVG files, without processing and without creating versions, with this setting:
    class LogoUploader < CarrierWave::Uploader::Base
      include CarrierWave::MiniMagick
      include CarrierWave::MimeTypes
      process :set_content_type
      storage :file

      def store_dir
        "uploads/#{model.class.to_s.underscore}/#{model.id}"
      end
    end
Since version 0.11.0 of CarrierWave, set_content_type appears to have been deprecated, which leaves my SVG uploader with just:
    class LogoUploader < CarrierWave::Uploader::Base
      include CarrierWave::MiniMagick
      storage :file

      def store_dir
        "uploads/#{model.class.to_s.underscore}/#{model.id}"
      end

      def content_type_allowlist
        [/image\//]
      end
    end
I do not want to convert the SVG, and the upload is protected and only available to admins. Currently I do not get beyond the submit button.
When trying to upload I now get the following response:
Started PATCH "/admin/logos/18" for ::1 at 2022-06-18 10:01:19 +0200
Processing by Admin::LogosController#update as TURBO_STREAM
Parameters: {"authenticity_token"=>"[FILTERED]", "logo"=>{"file_name"=>#<ActionDispatch::Http::UploadedFile:0x00007ff1803932c0 @tempfile=#<Tempfile:/var/folders/yg/pfjwzpkx5wq9d27svk760h0h0000gn/T/RackMultipart20220618-29575-j47l79.svg>, @original_filename="some-name.svg", @content_type="image/svg+xml", @headers="Content-Disposition: form-data; name=\"logo[file_name]\"; filename=\"some-name.svg\"\r\nContent-Type: image/svg+xml\r\n">}, "commit"=>"Save", "id"=>"18"}
...
Completed 200 OK in 92ms (Views: 10.5ms | ActiveRecord: 0.5ms | Allocations: 8188)
I tried to add [/image\/svg+xml//] to the content_type_allowlist and got beyond the submit button, but received the error "Nil location provided. Can't build URI."
Parameters:
{"_method"=>"patch",
"authenticity_token"=>"[FILTERED]",
"logo"=>
{"file_name"=>
#<ActionDispatch::Http::UploadedFile:0x00007fb111dae5c0
@content_type="image/svg+xml",
@headers="Content-Disposition: form-data; name=\"logo[file_name]\"; filename=\"some-name.svg\"\r\n" + "Content-Type: image/svg+xml\r\n",
@original_filename="some-name.svg",
@tempfile=#<File:/var/folders/yg/pfjwzpkx5wq9d27svk760h0h0000gn/T/RackMultipart20220618-86477-ij7mr4.svg>>},
"commit"=>"Save",
"id"=>"18"}
I guess I have encountered CarrierWave's CVE-2016-3714 mitigation. In the RubyDocs they say to either disable ImageMagick's default SVG delegate or use the RSVG delegate for SVG processing.
How can I disable ImageMagick's default SVG delegate? How do I use the RSVG delegate?
Thank you in advance.
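The allowlist in the question is checked by CarrierWave against the upload's content type, with each entry being either a Regexp or an exact String. The following stand-alone Ruby script is an added example, not code from the question or from CarrierWave: it re-implements that allowlist match outside Rails, shows why a "+" in a pattern has to be escaped, and adds the check a defender would want for SVG specifically, namely that a file declared as image/svg+xml really parses as an XML document whose root is <svg>, using only the standard library (REXML) and never handing the file to ImageMagick. The helper names (content_type_allowed?, svg_document?, accept_upload?) and the sample inputs are constructed for this example.

```ruby
require "rexml/document"

# Allowlist in the same shape CarrierWave's content_type_allowlist accepts:
# each entry is a Regexp or a String (string entries must match exactly).
# The question's original entry, [/image\//], already matches "image/svg+xml";
# here SVG is listed explicitly instead. Note the escaped "+": in an unescaped
# pattern such as /image\/svg+xml/ the "+" is a quantifier ("one or more g"),
# so that pattern also matches "image/svggxml".
SVG_ALLOWLIST = [%r{\Aimage/(png|jpeg|gif)\z}, %r{\Aimage/svg\+xml\z}].freeze

# True when the declared content type is accepted by the allowlist.
def content_type_allowed?(content_type, allowlist = SVG_ALLOWLIST)
  allowlist.any? do |entry|
    entry.is_a?(Regexp) ? entry.match?(content_type) : entry == content_type
  end
end

# SVG is plain XML, so the declared type can be verified against the bytes:
# the body must parse and its root element must be <svg>. Any parse failure
# (malformed XML, binary junk) means it is not an SVG document.
def svg_document?(bytes)
  root = REXML::Document.new(bytes).root
  !root.nil? && root.name == "svg"
rescue StandardError
  false
end

# Combined check: the type must be allowlisted, and a file claiming to be SVG
# must actually contain an SVG document. Returns [accepted, reason].
def accept_upload?(content_type:, bytes:)
  unless content_type_allowed?(content_type)
    return [false, "content type #{content_type.inspect} not allowlisted"]
  end
  if content_type == "image/svg+xml" && !svg_document?(bytes)
    return [false, "declared image/svg+xml but body is not an <svg> document"]
  end
  [true, "ok"]
end

# Constructed sample inputs (not files from the question).
SAMPLE_SVG = <<~SVG
  <?xml version="1.0" encoding="UTF-8"?>
  <svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
    <rect width="10" height="10" fill="#09f"/>
  </svg>
SVG

# A GIF header mislabelled as SVG: allowlisted by type, rejected by content.
NOT_SVG = "GIF89a\x01\x00\x01\x00".b

if __FILE__ == $PROGRAM_NAME
  [["image/svg+xml", SAMPLE_SVG],
   ["image/svg+xml", NOT_SVG],
   ["text/html", SAMPLE_SVG]].each do |ct, body|
    ok, reason = accept_upload?(content_type: ct, bytes: body)
    puts "#{ct.ljust(14)} => #{ok ? 'accepted' : 'rejected'} (#{reason})"
  end
end
```

Because the original [/image\//] already matches image/svg+xml, a failing upload with that allowlist points away from the content-type check, which is consistent with the cause reported in the comment below. In a CarrierWave uploader the content check above would sit in a custom validation rather than replace content_type_allowlist, and SVG files should stay out of any process/version step that goes through ImageMagick.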
Comments (1)
I discovered that in my case it was not related to ImageMagick, but to the validation of belongs_to associations introduced with Rails 5.
I had to put optional: true in the logo model, and now it is uploading again. This means that in my setting (no conversion of SVG files) you can still upload SVGs.
I am still curious how someone would have to configure ImageMagick on both Ubuntu and macOS. If you know, please share ...