RubyFlow The Ruby and Rails community linklog

Protect your Rails app from PNG bomb attacks

A new CarrierWave plugin that checks an image's “real” size without going through ImageMagick (which can be fooled by a PNG bomb): https://github.com/DarthSim/carrierwave-bombshelter

This is how a PNG bomb works: https://www.bamsoftware.com/hacks/deflate.html

You can’t rely on ImageMagick/libpng to check the image size (decoding is exactly where the bomb is triggered), so you need something that reads the dimensions without decoding, like the “fastimage” gem.
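The header-only check the post is recommending, as an added example (this is not code from carrierwave-bombshelter, fastimage, or the post): a PNG bomb declares a huge canvas in its IHDR chunk and the damage happens when a decoder inflates it, so reading the 24 header bytes gives the declared width and height without decompressing anything. The pixel limit and the sample PNG headers below are constructed values for illustration.

```ruby
require 'stringio'
require 'zlib'

# Added example, not code from the carrierwave-bombshelter gem or the post.
# Reads only the PNG signature and IHDR chunk, so no decoder (ImageMagick,
# libpng) ever touches the compressed data; oversized uploads are rejected
# on the declared dimensions alone.

PNG_SIGNATURE = "\x89PNG\r\n\x1A\n".b
MAX_PIXELS    = 50_000_000 # assumed policy limit (constructed value, not from any gem)

class ImageBombError < StandardError; end

# Read exactly +n+ bytes or fail; a truncated header is rejected, not guessed at.
def read_exact(io, n)
  data = io.read(n)
  raise ImageBombError, 'truncated PNG header' unless data && data.bytesize == n
  data.b
end

# Returns [width, height] from the IHDR chunk, which the PNG spec requires to be
# the first chunk after the 8-byte signature. Nothing beyond the header is read.
def png_dimensions(io)
  raise ImageBombError, 'not a PNG file' unless read_exact(io, 8) == PNG_SIGNATURE
  length, type = read_exact(io, 8).unpack('Na4')
  raise ImageBombError, 'first chunk is not IHDR' unless type == 'IHDR' && length == 13
  width, height = read_exact(io, 8).unpack('NN')
  raise ImageBombError, 'zero-sized image' if width.zero? || height.zero?
  [width, height]
end

# Policy check: accept only if the declared pixel area is within the limit.
def safe_png?(io, max_pixels: MAX_PIXELS)
  w, h = png_dimensions(io)
  w * h <= max_pixels
end

# Constructed sample: a valid PNG signature + IHDR chunk declaring any canvas
# size. No pixel data is attached because only the header is inspected.
def build_png_header(width, height)
  ihdr  = [width, height, 8, 6, 0, 0, 0].pack('NNCCCCC') # bit depth 8, RGBA
  chunk = 'IHDR'.b + ihdr
  PNG_SIGNATURE + [13].pack('N') + chunk + [Zlib.crc32(chunk)].pack('N')
end

if __FILE__ == $PROGRAM_NAME
  small = StringIO.new(build_png_header(1_000, 1_000))
  huge  = StringIO.new(build_png_header(225_000, 225_000))
  puts "small: #{safe_png?(small)}" # true
  puts "huge:  #{safe_png?(huge)}"  # false
end
```

In a CarrierWave uploader this check belongs in a `before :cache` callback (the gem's own hook placement is an assumption here), so the file is refused before any processing step hands it to ImageMagick; the width/height the PNG declares is the same number a decoder would allocate for, which is why checking it up front is enough to stop the bomb.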

Comments

You may fix the broken link (dot at the end of the link): https://www.bamsoftware.com/hacks/deflate.html.

@MLESZCZ thanks!
