Egor Homakov recently brought to my attention a slight problem with how
Paperclip handles some content type validations. Namely, if an attacker puts
an entire HTML page into the EXIF tag of a completely valid JPEG and names the
file “gotcha.html”, they…
