What does @cloudinary do to prevent malicious users from arbitrary file uploads through the client side image API? Is there any configuration that is required to ensure that arbitrary file uploads are blocked?

dyln

2 Answers

If you use Cloudinary's uploader, you can specify the allowed file types in upload():

Cloudinary::Uploader.upload('image.jpg', allowed_formats: ['jpg', 'jpeg', 'gif', 'png'])

If you use CarrierWave, then you can whitelist the file types that are allowed. For example:

require 'carrierwave'
require 'cloudinary'

class ImageUploader < CarrierWave::Uploader::Base
  include Cloudinary::CarrierWave

  # Files whose extension is not in this list are rejected by CarrierWave
  # before anything is sent to Cloudinary
  def extension_white_list
    %w(jpg jpeg gif png)
  end
end

Gergo Erdosi
  • What about client side uploads? – dyln May 23 '14 at 22:27
  • You can use `acceptFileTypes`, here is an example: https://github.com/cloudinary/cloudinary_js#client-side-image-resizing-before-upload – Gergo Erdosi May 23 '14 at 22:36
  • Thanks! But I still need to do something to prevent users who change this property in their browser... is there a Cloudinary side (server-side) setting that makes sure the endpoint only accepts images? – dyln May 23 '14 at 23:55
  • I don't think there is a Cloudinary setting for that. But why is this a problem? If the file is not an image, Cloudinary will return an error on upload. If the file is an image, you can convert it to any format: http://cloudinary.com/documentation/image_transformations#format_conversion – Gergo Erdosi May 24 '14 at 00:02
You can set an upload preset and set it as your default upload preset. This can be defined from within your upload settings page: https://cloudinary.com/console/settings/upload

The upload preset can include lots of upload related parameters, such as allowed formats, incoming transformations, eager transformations and much more.

That way, no matter if the user changed your client-side code, only allowed formats defined in your upload presets will be allowed for upload.

Itay Taragano
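The worry raised in the comments is that a browser can edit any parameter the client-side code sends. The answers' point is that the restriction has to be fixed where the browser cannot touch it; an upload preset is one way, and a server-generated request signature that covers allowed_formats is the other. The Ruby below is an added example, not code from the answers or the Cloudinary SDK: it reimplements the documented Cloudinary signing scheme (sorted key=value pairs, api_secret appended, SHA-1) to show that a tampered allow-list no longer verifies. The api_secret and timestamp are constructed placeholders; a real application would call the SDK's signing helpers rather than this reimplementation.

```ruby
require 'digest'

# Constructed placeholder; a real api_secret comes from the Cloudinary console.
API_SECRET = 'example_secret_not_real'

# Build the string Cloudinary signs: every parameter except file, cloud_name,
# resource_type and api_key, sorted by name, joined as key=value with '&',
# array values joined by commas; append the api_secret and SHA-1 hash it.
def cloudinary_signature(params, secret)
  excluded = %w[file cloud_name resource_type api_key signature]
  to_sign = params
            .reject { |k, _| excluded.include?(k.to_s) }
            .sort_by { |k, _| k.to_s }
            .map { |k, v| "#{k}=#{v.is_a?(Array) ? v.join(',') : v}" }
            .join('&')
  Digest::SHA1.hexdigest(to_sign + secret)
end

# Server side: the allow-list is decided here and signed; only the signed
# parameters are handed to the browser for the direct upload form.
def server_signed_params(secret, timestamp)
  params = { timestamp: timestamp, allowed_formats: %w[jpg jpeg gif png] }
  params.merge(signature: cloudinary_signature(params, secret))
end

# What the receiving side does: recompute the signature over the submitted
# parameters and compare. Any parameter edited in the browser breaks the match.
def signature_valid?(submitted, secret)
  submitted[:signature] == cloudinary_signature(submitted, secret)
end

if __FILE__ == $PROGRAM_NAME
  honest = server_signed_params(API_SECRET, 1_400_000_000)
  puts signature_valid?(honest, API_SECRET)                        # true
  tampered = honest.merge(allowed_formats: %w[jpg exe])
  puts signature_valid?(tampered, API_SECRET)                      # false
end
```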