CarrierWave::Uploader::ContentTypeAllowlist has a Content-Type allowlist bypass vulnerability, possibly leading to XSS.
The validation in allowlisted_content_type? determines Content-Type permissions by performing a partial (substring) match rather than an anchored one. If the content_type argument of allowlisted_content_type? is passed a value crafted by the attacker, Content-Types not included in the content_type_allowlist will be allowed.
In addition, if the attacker-controlled Content-Type is sent back when the stored file is delivered, opening the uploaded file can cause XSS in the user's browser.
When validating with allowlisted_content_type? in CarrierWave::Uploader::ContentTypeAllowlist, anchor the match at the start of the string (\A) for each Content-Type in content_type_allowlist, so that text/html;image/png is not unintentionally permitted when you want to allow only
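The following Ruby example is added here and is not CarrierWave's own code. It reconstructs the shape of the check described above: an unanchored regexp allowlist check that accepts text/html;image/png, beside the \A-anchored version named in the workaround, plus a stricter comparison on the bare media type that goes beyond what the advisory proposes. The module name, method names and allowlist contents are assumptions made for illustration.

```ruby
# Added example, not CarrierWave's source. Names and the allowlist are
# constructed here to illustrate the partial-match bypass and its fix.
module ContentTypeCheck
  # Constructed allowlist: the application only intends to accept PNG and JPEG.
  DEFAULT_ALLOWLIST = ['image/png', 'image/jpeg'].freeze

  # Vulnerable form: an unanchored regexp matches anywhere in the string, so
  # any Content-Type that merely contains an allowlisted value is accepted.
  # "text/html;image/png" therefore passes, even though text/html is not listed.
  def self.partial_match?(content_type, allowlist = DEFAULT_ALLOWLIST)
    Array(allowlist).any? do |item|
      item = Regexp.quote(item) unless item.is_a?(Regexp)
      content_type =~ /#{item}/
    end
  end

  # Hardened form (the \A workaround): the pattern must match from the start of
  # the Content-Type, so "text/html;image/png" no longer matches "image/png".
  def self.anchored_match?(content_type, allowlist = DEFAULT_ALLOWLIST)
    Array(allowlist).any? do |item|
      item = Regexp.quote(item) unless item.is_a?(Regexp)
      content_type =~ /\A#{item}/
    end
  end

  # Stricter form (beyond the advisory): compare only the media type, with any
  # ";parameter" suffix removed, and require a full match. This also rejects
  # prefix tricks such as "image/pngx" that a start-anchored match lets through.
  def self.exact_media_type?(content_type, allowlist = DEFAULT_ALLOWLIST)
    media_type = content_type.to_s.split(';', 2).first.to_s.strip.downcase
    Array(allowlist).any? do |item|
      if item.is_a?(Regexp)
        media_type.match?(/\A#{item}\z/)
      else
        item.downcase == media_type
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  crafted = 'text/html;image/png'
  puts "partial  : #{ContentTypeCheck.partial_match?(crafted)}"   # true (bypass)
  puts "anchored : #{ContentTypeCheck.anchored_match?(crafted)}"  # false
  puts "exact    : #{ContentTypeCheck.exact_media_type?(crafted)}" # false
end
```

The string values in the allowlist are escaped with Regexp.quote before interpolation in both regexp-based checks, so an entry like image/svg+xml is matched literally; only an entry that is already a Regexp is interpolated as a pattern, and in the anchored form the \A is prepended to that pattern as a whole.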