Protect your Rails app from PNG bomb attacks
A new Carrierwave plugin to check “real” image size bypassing ImageMagick (which may be fooled by a PNG bomb): https://github.com/DarthSim/carrierwave-bombshelter
This is how a PNG bomb works: https://www.bamsoftware.com/hacks/deflate.html
You can't safely check image dimensions with ImageMagick/libpng, because decoding the file is exactly where the bomb gets triggered, so you need something that only reads the image header, like the "fastimage" gem.
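As an added illustration of why a header-only check is safe, the snippet below reads a PNG's declared width and height from the first 24 bytes (signature plus IHDR chunk) and rejects anything over a pixel budget before ImageMagick or libpng ever decodes it. This is example code written for this post, not code from carrierwave-bombshelter or the fastimage gem; the 25-megapixel limit and the helper names are assumptions, and the sample headers are constructed test data (a tiny 640x480 header and a 225000x225000 header like the one the linked write-up describes), not real image files.

```ruby
# Example code (not from carrierwave-bombshelter or fastimage): reject a PNG
# bomb by reading only the IHDR header, never decoding pixel data.
require "stringio"
require "zlib"

PNG_SIGNATURE = "\x89PNG\r\n\x1a\n".b.freeze
MAX_PIXELS = 25_000_000 # assumed policy limit for this example: 25 megapixels

# Returns [width, height] from the IHDR chunk, or nil if the stream is not a PNG.
# Only the first 24 bytes are read, so no decompression happens here.
def png_dimensions(io)
  header = io.read(24)
  return nil unless header && header.bytesize == 24
  return nil unless header.byteslice(0, 8) == PNG_SIGNATURE
  return nil unless header.byteslice(12, 4) == "IHDR"
  header.byteslice(16, 8).unpack("N2") # big-endian width, height
end

# Decide whether the declared dimensions are safe to hand to ImageMagick.
# Returns :not_png, :too_large, or :ok.
def png_bomb_check(io, max_pixels: MAX_PIXELS)
  dims = png_dimensions(io)
  return :not_png unless dims
  width, height = dims
  return :too_large if width.zero? || height.zero? || width * height > max_pixels
  :ok
end

# Build a minimal PNG signature + IHDR chunk with the given dimensions.
# Constructed test data: header only, no IDAT, so it is not a decodable image.
def build_png_header(width, height)
  ihdr = [width, height, 8, 2, 0, 0, 0].pack("NNCCCCC") # 8-bit RGB, no interlace
  crc = [Zlib.crc32("IHDR" + ihdr)].pack("N")
  PNG_SIGNATURE + [13].pack("N") + "IHDR" + ihdr + crc
end

if __FILE__ == $PROGRAM_NAME
  # Same check you would run on the uploaded file: File.open(path, "rb").
  small = StringIO.new(build_png_header(640, 480))
  bomb  = StringIO.new(build_png_header(225_000, 225_000))
  puts "640x480:       #{png_bomb_check(small)}"
  puts "225000x225000: #{png_bomb_check(bomb)}"
  puts "not a PNG:     #{png_bomb_check(StringIO.new('GIF89a'))}"
end
```

Run the check on the raw upload before any processing step that calls ImageMagick; because it reads a fixed 24 bytes, its cost is the same for a 100-byte image and a multi-gigabyte bomb. The same header-first idea extends to JPEG and GIF, which is what fastimage does for each format it supports.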
Comments
You may fix the broken link (there is a dot at the end of the link): https://www.bamsoftware.com/hacks/deflate.html.
@MLESZCZ thanks!