【Question title】: Paperclip: Content Type Spoof trying to upload .gpx files
【Posted】: 2023-04-03 06:56:02
【Question】:

Apologies if this has already been answered, but I couldn't find it. Any pointers would be much appreciated.

Using Rails 4.1.4, Paperclip 4.2.0 and Simple Form 3.0.2.

After Submit, I get has an extension that does not match its contents in the form error message.

In the server window:

Started POST "/routes" for 127.0.0.1 at 2014-08-28 15:18:25 +0700
Processing by RoutesController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"5BCHGBkwQH4mlnTVjy/PpD53mJKJpSmBXwXT/oul7yY=", "route"=>{"track_attributes"=>{"gpx"=>#<ActionDispatch::Http::UploadedFile:0x007fa89c9cd348 @tempfile=#<Tempfile:/var/folders/_g/6shs5yrj36n960wpt880ysl80000gn/T/RackMultipart20140828-42106-vi71nb>, @original_filename="Serge's tracks.gpx", @content_type="application/octet-stream", @headers="Content-Disposition: form-data; name=\"route[track_attributes][gpx]\"; filename=\"Serge's tracks.gpx\"\r\nContent-Type: application/octet-stream\r\n">}, "title"=>"Serge track", "description"=>"loop of hang dong", "distance"=>"", "total_ascent"=>""}, "commit"=>"Create Route"}
Command :: file -b --mime '/var/folders/_g/6shs5yrj36n960wpt880ysl80000gn/T/f55fe48e09c9cc3ee6c6271fe94f407520140828-42106-1hgpby7.gpx'
[paperclip] Content Type Spoof: Filename Serge's_tracks.gpx ([]), content type discovered from file command: application/xml. See documentation to allow this combination.
(0.3ms)  BEGIN
Command :: file -b --mime '/var/folders/_g/6shs5yrj36n960wpt880ysl80000gn/T/f55fe48e09c9cc3ee6c6271fe94f407520140828-42106-62bkvh.gpx'
[paperclip] Content Type Spoof: Filename Serge's_tracks.gpx ([]), content type discovered from file command: application/xml. See documentation to allow this combination.
(0.8ms)  ROLLBACK

I can't find the documentation referred to above anywhere in the Paperclip docs. Running file Serge\'s\ tracks.gpx --mime-type -b yields application/xml

My MVC looks like this:

class Track < ActiveRecord::Base
  belongs_to :route
  has_attached_file :gpx
  validates_attachment_content_type :gpx, :content_type => /application\/xml/
end

class Route < ActiveRecord::Base
  has_one :track, dependent: :destroy
  accepts_nested_attributes_for :track
  validates :title, presence: true
end

Inside RoutesController:

def new
  @route       = Route.new
  @route.track = Track.new
end

def create
  @route = Route.new(route_params)
end

def route_params
  params.require(:route).permit(:title, :description, :distance, :total_ascent, track_attributes: [:gpx])
end

simple_form:

= simple_form_for @route do |r|
  = r.simple_fields_for :track do |t|
    = t.input :gpx
  = r.input :title
  = r.input :description
  = r.input :distance
  = r.input :total_ascent
  = r.button :submit

【Discussion】:

    Tags: ruby-on-rails paperclip paperclip-validation


    【Answer 1】:

    As mentioned in this post: Paperclip gem spoofing error? and in this article http://robots.thoughtbot.com/prevent-spoofing-with-paperclip, the problem was solved by apparently bypassing the file -b --mime-type command that Paperclip calls.

    To do this, I created a paperclip.rb file in config/initializers.

    Paperclip.options[:content_type_mappings] = {
      :gpx => 'application/xml'
    }
    

    Although the problem is solved, I'm still puzzled about why there is a problem at all when the file command returns the correct result, and curious where the @content_type="application/octet-stream" in the parameters comes from.
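Added example, not code from the original post or from Paperclip itself: a simplified model of the spoof check Paperclip runs ahead of the content type validator, written to reproduce the failure in the log above and to show exactly what the config/initializers/paperclip.rb mapping changes. The EXTENSION_TYPES table is a constructed stand-in for the MIME::Types lookup Paperclip consults (with .gpx deliberately absent, which is what the "([])" in the log line reflects), the discovered_type argument stands in for the result of the file -b --mime command so nothing is shelled out, and the model ignores the browser-supplied Content-Type header entirely. The accept_upload? helper and the hypothetical sample filenames are also assumptions of this example.

```ruby
# Constructed stand-in for the MIME::Types table Paperclip consults when it
# maps a filename extension to known content types. ".gpx" is deliberately
# missing, as it was for the mime-types data in the question, which is why
# the log line shows "([])" next to the filename.
EXTENSION_TYPES = {
  "jpg" => ["image/jpeg"],
  "png" => ["image/png"],
  "xml" => ["application/xml", "text/xml"],
  "txt" => ["text/plain"]
}.freeze

def extension_of(filename)
  File.extname(filename.to_s).downcase.delete_prefix(".")
end

# "application/xml" -> "application": the comparison is made on the media
# type, so a .xml file reported as either application/xml or text/xml passes
# because both media types are listed for that extension.
def media_type(content_type)
  content_type.to_s.split("/").first.to_s
end

# Simplified spoof check (this example's own logic, not Paperclip's source).
#   filename        - the uploaded file's name
#   discovered_type - what `file -b --mime-type` reported for the bytes
#   mappings        - hash in the shape of Paperclip.options[:content_type_mappings]
# Returns true when the upload would be rejected as a spoof.
def spoofed?(filename, discovered_type, mappings = {})
  ext = extension_of(filename)
  return false if ext.empty? # no extension, so nothing to compare against

  media_types_from_name = EXTENSION_TYPES.fetch(ext, []).map { |t| media_type(t) }
  mismatch = !media_types_from_name.include?(media_type(discovered_type))

  # An explicit mapping for this extension overrides the mismatch, but only
  # when `file` found exactly the mapped type; that is what the initializer
  # in the answer does for :gpx => 'application/xml'.
  override = Array(mappings[ext.to_sym]).include?(discovered_type)

  mismatch && !override
end

# Hypothetical helper mirroring the Track model's
# validates_attachment_content_type: spoof check first, then the pattern.
def accept_upload?(filename, discovered_type, mappings = {}, pattern = %r{application/xml})
  !spoofed?(filename, discovered_type, mappings) && discovered_type.match?(pattern)
end

if __FILE__ == $PROGRAM_NAME
  name = "Serge's tracks.gpx" # filename taken from the question's log
  puts "no mapping:          spoofed=#{spoofed?(name, 'application/xml')}"
  puts "with gpx mapping:    spoofed=#{spoofed?(name, 'application/xml', { gpx: 'application/xml' })}"
  puts "gpx name, html bytes: spoofed=#{spoofed?(name, 'text/html', { gpx: 'application/xml' })}"
end
```

The third case is the one worth keeping in mind when adding mappings: the initializer only whitelists the single pairing of the .gpx extension with application/xml, so a file named .gpx whose bytes file identifies as something else is still rejected. That is why mapping the specific type is preferable to loosening validates_attachment_content_type.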

    【Comments】:

    • The browser sends the file's content type as application/octet-stream; in the multipart form data you'll find something like this: ------WebKitFormBoundaryA2iOCbqaDYB10L3e Content-Disposition: form-data; name="track[kml_file]"; filename="track.kml" Content-Type: application/octet-stream
    • Thanks ToniTornado, ah - revisiting this a few years later, I understand it now.