ADVISORIES

• OSVDB-103151
• Vendor Advisory

GEM

paperclip

PATCHED VERSIONS

• >= 4.0.0

DESCRIPTION

Paperclip Gem for Ruby contains a flaw that is due to the application failing to properly validate the file extension, instead only validating the Content-Type header during file uploads. This may allow a remote attacker to bypass restrictions on file types for uploaded files by spoofing the content-type.

RELATED

• https://thoughtbot.com/blog/prevent-spoofing-with-paperclip
• https://www.theregister.com/2014/02/09/content_type_spoofing_bug_in_ror_paperclip
• https://security.snyk.io/vuln/SNYK-RUBY-PAPERCLIP-20144
• http://osvdb.org/show/osvdb/103151