3.0.0.beta

Added

• Add basename and fix extension value for fog file (@leductienttkt #2587)
• Allow uploaders to accept unless conditions (@Vpatel1093 #2588)
• Add retry option to download from remote url (@tashirosota #2577)

Deprecated

• #denylist was deprecated to prefer explicitly opting-in (@mshibuya 7a40ef7, #2536)

Changed

• Completely migrate to allowlist/denylist terminology (@mshibuya 7a40ef7, #2536)
• Remove implementation-dependent information from an error message (@akihikodaki #2499)
• Replace mini_mime with marcel (@pjmartorell #2552)
• [BREAKING CHANGE] Change to store files on after_save hook instead of after_commit, with performing cleanup when transaction is rolled back (@fsateler #2546)

Removed

• Drop support for Ruby < 2.5 and Rails 5.x (@mshibuya 229594f)
• Remove support for Merb (@seuros #2566)

Fixed

• Add Workaround for 'undefined method closed?' error caused by ssrf_filter 1.1 (@mshibuya 65bf0d9, #2628)
• Fix Ruby 2.7 keyword argument warning in uploader process (@nachiket87 #2636, #2635)
• Raise DownloadError when no content is returned (@BrianHawley #2633, #2632)
• Add workaround for the API change in ssrf_filter 1.1 (@BrianHawley #2629, #2625)
• Fix Content-Type not being copied when using fog-google (@smnscp #2614)
• Fix failing to save after limiting the columns with ActiveRecord's #select (@wonda-tea-coffee #2613, #2608)
• Fix content type detection for JSON files (@smnscp #2618)
• Remove invalid byte sequences from the sanitized filename (@alexdunae #2606)
• Fix issue with copying a fog file larger than 5GB (@slonopotamus #2583)
• Stop closing StringIO-based file after CarrierWave::SanitizedFile#read (@aleksandrs-ledovskis #2571)

2.2.2

Fixed

• Fix no implicit conversion of CSV into String error when parsing a CSV object (@pjmartorell #2562, #2559)

2.2.1

Changed

• Replace mimemagic with marcel due to licensing concern (@pjmartorell #2551, #2548)

Fixed

• Fog storage's #clean_cache! breaks when non-cache objects exist in cache_dir (@mshibuya 42c620a1, #2532)

2.2.0

Added

• libvips support through ImageProcessing::Vips and ruby-vips (@rhymes #2500, e8421978, 4ae8dc64)
• Provide alternatives to whitelist/blacklist terminology as allowlist/denylist, while old ones are still available but deprecated (@grantbdev #2442, 4c3cac75, #2491)
• Support for the latest version of RMagick (@mshibuya 88f24451)

Deprecated

• #(content_type|extension)_whitelist, #(content_type|extension)_blacklist are deprecated. Use #(content_type|extension)_allowlist and #(content_type|extension)_denylist instead (@grantbdev #2442, 4c3cac75)

Fixed

• Calculate Fog expiration taking DST into account (@mshibuya, f90e14ca, #2059)
• Set correct content type on copy of fog files (@ZuevEvgenii #2503, 6682f7ac, #2487)
• Fix fog-google support to pass acl_header for public read if fog is public (@yosiat #2525, #2426)
• Fix various URL escape issues by escaping on URI parse error only (@mshibuya 3faf7491, #2457, #2473)
• Fix instance variables @versions_to_* not initialized warning (@mshibuya c10b82ed, #2493)
• Fix SanitizedFile#move_to wrongly detects content_type based on the path before move (@mshibuya a42e1b4c, #2495)
• Fix returning invalid content type on text files (@inkstak #2474, #2424)
• Skip content type and extension filters where possible (@alexpooley #2464)
• Fix file's #url being called twice, which might be costly for non-local files (@skyeagle #2519)
• Fix mime type detection failing with types which contain + symbol, such as image/svg+xml (@sylvainbx #2489)
• Fix #cached? to return boolean instead of @cache_id value (@kmiyake #2510)
• Fix mime type detection for MS Office files (@anthonypenner #2447)

Security

• Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya 387116f5, GHSA-cf3w-g86h-35x4)
• Fix SSRF vulnerability in the remote file download feature (@mshibuya 012702eb, GHSA-fwcm-636p-68r5)

2.1.1

Security

• Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya 15bcf8d8, GHSA-cf3w-g86h-35x4)
• Fix SSRF vulnerability in the remote file download feature (@mshibuya e0f79e36, GHSA-fwcm-636p-68r5)

1.3.2

Fixed

• Fix Ruby 2.7 deprecations(@aubinlrx #2462)

Security

• Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya eb9346df, GHSA-cf3w-g86h-35x4)
• Fix SSRF vulnerability in the remote file download feature (@mshibuya 91714add, GHSA-fwcm-636p-68r5)

2.1.0

Added

• Support authenticated_url for Blackblaze provider(@kevivmatrix #2444)

Fixed

• Fix Ruby 2.7 deprecations(@mshibuya 9a37fc9e)
• Fix S3 path-style URL for host with dots for buckets that are placed in other regions than us-east-1(@Bonias #2439)
• Make MiniMagick::Image constant absolute to prevent misleading 'uninitialized constant' error(@p8 #2437)

2.0.2

Fixed

• Fix download causing nil error if the file has empty filename(@fukayatsu #2419, #2411)

2.0.1

Fixed

• Fix #{column}_cache unintentionally removing files on assigning empty string(@mshibuya 22e8005e, #2412)

2.0.0

Added

• Append, reorder, and remove-single-file feature for multiple file uploader(@mshibuya #2401)
• Allow retrieval of uploader index within uploaders(@mshibuya #1771)
• Add ability to customize downloaders(@mshibuya #1636)
• Support internationalized domain names for downloader(@mshibuya #2086)
• Support authenticated_url for Aliyun provider(@Nitrino #2381)
• Support passing options to authenticated_url for OpenStack provider(@stanhu #2377)
• Support authenticated_url for AzureRM provider(@Nitrino #2375)
• Allow custom expires_at when building an authenticated_url(@stephankaag #2397)

Changed

• [BREAKING CHANGE] Use the storage given by storage configuration also for cache_storage unless explicitly specified(@mshibuya 629afecb)
• Improve Fog initialization(@mshibuya #2395)
• [BREAKING CHANGE] Multiple file uploader now keeps successful files on update, only discarding failed ones(@mshibuya 7db9195d)
• [BREAKING CHANGE] #remote_#{column}_urls= was changed to preserve precedent updates(@mshibuya 8f18a95b)
• #serializable_hash now returns string for version keys(@schovi #2246)
• Use the MimeMagic gem to inspect file headers for the mime type. This allows for mitigation of CVE-2016-3714, in combination with a content_type_whitelist(@locriani #1934)
• Replace mime-types dependency with mini_mime to save memory(@bradleypriest #2292)
• Delegate MiniMagick processing to ImageProcessing gem(@janko #2298)
• Handle ActiveRecord transaction correctly, not storing or removing files on rollback(@skosh #2209)

Deprecated

• fog_provider configuration was deprecated and has no effect, just adding fog providers to Gemfile will load them(@mshibuya ca201ee2)
• CarrierWave::Uploader::Base#sanitized_file was deprecated, use #file instead(@mshibuya 28190e99)

Removed

• Remove support for Rails 4.x and Ruby 2.0/2.1 (@mshibuya bada043f)

Fixed

• Fix deleting files twice when marked for removal(@mshibuya 67800fde)
• Fix uploader.cache! loads entire contents of file into memory(@mshibuya #2136)
• Do not trigger *_will_change! when file is not to be removed(@mshibuya #2323)
• Allow deleting all files for multiple file upload(@mshibuya #1990)
• Failing to retrieve unquoted filenames from Content-Disposition(@mshibuya #2364)
• Fix #clean_cache! breaking with old format of cache id(@mshibuya aab402fb)
• Fix #exists? returning true after Fog file deletion(@mshibuya #2387)
• Make #identifier available for a retrieved file(@mshibuya #1581)
• Make cache id generation less predictable(@mshibuya #2326)
• Uploaders not being cleared when #reload or #initialize_dup are overridden in model(@mshibuya #2379)
• Fix #content_type returning false, instead of nil(@longkt90 #2384)
• Preserve connection cache when eagar-loading fog(@dmitryshagin #2383)
• #recreate_versions! ignored :from_version when versions to recreate are given(@hedgesky #1879 #1164)