Critical severityNVD Advisory· Published May 23, 2022· Updated Aug 3, 2024
Unrestricted Upload of File with Dangerous Type in publify/publify
CVE-2022-1811
Description
Unrestricted Upload of File with Dangerous Type in GitHub repository publify/publify prior to 9.2.9.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
publify_coreRubyGems | < 9.2.9 | 9.2.9 |
Affected products
1- Range: unspecified
Patches
10fb6b027fbafRefuse html files as resources even if declared to be plain text
2 files changed · +38 −16
publify_core/app/uploaders/resource_uploader.rb+14 −16 modified@@ -4,7 +4,7 @@ class ResourceUploader < CarrierWave::Uploader::Base include CarrierWave::MiniMagick - before :cache, :check_image_content_type! + before :cache, :check_content_type! def content_type_allowlist [%r{image/}, %r{audio/}, %r{video/}, "text/plain"] @@ -37,26 +37,24 @@ def image?(new_file) content_type&.include?("image") end - def check_image_content_type!(new_file) - if image?(new_file) - magic_type = mime_magic_content_type(new_file) - if magic_type != new_file.content_type - raise CarrierWave::IntegrityError, "has MIME type mismatch" - end + def check_content_type!(new_file) + detected_type = if image? new_file + file_content_content_type(new_file) + else + file_content_type(new_file) + end + if detected_type != new_file.content_type + raise CarrierWave::IntegrityError, "has MIME type mismatch" end end private - # NOTE: This method was adapted from MagicMimeBlacklist#extract_content_type - # from CarrierWave 1.0.0 and SanitizedFile#mime_magic_content_type from CarrierWave 0.11.2 - def mime_magic_content_type(new_file) - content_type = nil - - File.open(new_file.path) do |fd| - content_type = Marcel::MimeType.for(fd) - end + def file_content_content_type(new_file) + Marcel::MimeType.for Pathname.new(new_file.path) + end - content_type + def file_content_type(new_file) + Marcel::MimeType.for Pathname.new(new_file.path), name: new_file.filename end end
publify_core/spec/controllers/admin/resources_controller_spec.rb+24 −0 modified@@ -187,6 +187,30 @@ end end + context "when attempting to upload an html file as text/plain" do + let(:upload) { file_upload("just_some.html", "text/plain") } + + it "does not create a new Resource" do + expect { post :upload, params: { upload: upload } }. + not_to change(Resource, :count) + end + + it "warns the user they can't upload this type of file" do + post :upload, params: { upload: upload } + result = assigns(:up) + expect(result.errors[:upload]). + to match_array ["has MIME type mismatch", "can't be blank"] + end + + it "sets the flash to failure" do + post :upload, params: { upload: upload } + aggregate_failures do + expect(flash[:success]).to be_nil + expect(flash[:warning]).not_to be_nil + end + end + end + context "when uploading nothing" do it "does not create a new Resource" do expect { post :upload }.
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-3hwx-c6cp-q972ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-1811ghsaADVISORY
- github.com/publify/publify/commit/0fb6b027fbaf17f6a6551f2148482a03eac12927ghsax_refsource_MISCWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/publify_core/CVE-2022-1811.ymlghsaWEB
- huntr.dev/bounties/4d97f665-c9f1-4c38-b774-692255a7c44cghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.