author: Claire <claire.github-309c@sitedethib.com> 2023-07-06 15:05:05 +0200
committer: Starfall <us@starfall.systems> 2023-07-07 11:45:48 -0500
commit: c58ab80b976410b51bc5520b00a98dcdc256dee3 (patch)
tree: 30f37474642eb7d8120c82b6dd534fb43806d5df /config/initializers
parent: 5ddae512857eb143ff91741f4a35c186fac1036e (diff)
Merge pull request from GHSA-9928-3cp5-93fm
* Fix attachments getting processed despite failing content-type validation

* Add a restrictive ImageMagick security policy tailored for Mastodon

* Fix misdetection of MP3 files with large cover art

* Reject unprocessable audio/video files instead of keeping them unchanged
Diffstat (limited to 'config/initializers')
-rw-r--r-- config/initializers/paperclip.rb | 7
1 file changed, 7 insertions, 0 deletions
diff --git a/config/initializers/paperclip.rb b/config/initializers/paperclip.rb
index bd37f6709..ca600346a 100644
--- a/config/initializers/paperclip.rb
+++ b/config/initializers/paperclip.rb
@@ -161,3 +161,10 @@ unless defined?(Seahorse)
     end
   end
 end
+
+# Set our ImageMagick security policy, but allow admins to override it
+ENV['MAGICK_CONFIGURE_PATH'] = begin
+  imagemagick_config_paths = ENV.fetch('MAGICK_CONFIGURE_PATH', '').split(File::PATH_SEPARATOR)
+  imagemagick_config_paths << Rails.root.join('config', 'imagemagick').expand_path.to_s
+  imagemagick_config_paths.join(File::PATH_SEPARATOR)
+end
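Review bot: the comment "allow admins to override it" relies on an ordering assumption that the code does not state: the Mastodon directory is appended after whatever the admin already had in MAGICK_CONFIGURE_PATH, so whether an admin-supplied policy.xml actually wins depends on how ImageMagick resolves duplicate configuration files across the listed directories. Please document that assumption next to the `imagemagick_config_paths <<` line (or explicitly state the intended precedence in the comment), so a later change to the order is recognised as a security-relevant change rather than a cosmetic one. Minor: if MAGICK_CONFIGURE_PATH already contains the Mastodon path (for example an operator who set it by hand), the join produces a duplicated entry; a `.uniq` before `join` would keep the variable tidy.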