authorClaire <claire.github-309c@sitedethib.com>2023-07-06 15:05:05 +0200
committerStarfall <us@starfall.systems>2023-07-07 11:45:48 -0500
commitc58ab80b976410b51bc5520b00a98dcdc256dee3 (patch)
tree30f37474642eb7d8120c82b6dd534fb43806d5df /app/models/concerns
parent5ddae512857eb143ff91741f4a35c186fac1036e (diff)
Merge pull request from GHSA-9928-3cp5-93fm
* Fix attachments getting processed despite failing content-type validation

* Add a restrictive ImageMagick security policy tailored for Mastodon

* Fix misdetection of MP3 files with large cover art

* Reject unprocessable audio/video files instead of keeping them unchanged
Diffstat (limited to 'app/models/concerns')
-rw-r--r--app/models/concerns/attachmentable.rb5
1 files changed, 2 insertions, 3 deletions
diff --git a/app/models/concerns/attachmentable.rb b/app/models/concerns/attachmentable.rb
index d44c22438..28591ab72 100644
--- a/app/models/concerns/attachmentable.rb
+++ b/app/models/concerns/attachmentable.rb
@@ -22,15 +22,14 @@ module Attachmentable
 
   included do
     def self.has_attached_file(name, options = {}) # rubocop:disable Naming/PredicateName
-      options = { validate_media_type: false }.merge(options)
       super(name, options)
-      send(:"before_#{name}_post_process") do
+
+      send(:"before_#{name}_validate") do
         attachment = send(name)
         check_image_dimension(attachment)
         set_file_content_type(attachment)
         obfuscate_file_name(attachment)
         set_file_extension(attachment)
-        Paperclip::Validators::MediaTypeSpoofDetectionValidator.new(attributes: [name]).validate(self)
       end
     end
   end
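Review bot: The block registered via `send(:"before_#{name}_validate")` has a security-relevant ordering requirement that no comment records: `set_file_content_type` and `set_file_extension` have to run before the attachment validators, so that a file failing content-type validation is never handed to post-processing. A comment above that line would keep a later refactor from moving the hook back, for example `# Must run before validation: validators need the detected content type, and rejected files must never reach the processors.` Separately, with both the `validate_media_type: false` default and the explicit `MediaTypeSpoofDetectionValidator` call removed, spoof detection presumably now depends on Paperclip's built-in validation, so a caller passing `validate_media_type: false` in `options` would switch it off entirely. It is worth confirming that no model does this, or removing that key before `super(name, options)`. A regression spec asserting that a file with a disallowed content type is rejected without any processor running would pin the fixed behaviour.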