There was an issue in the paperclip gem: if an HTML file was uploaded with a .html extension but its content type was listed as image/jpeg, it bypassed the validation that checks for images. The commit message illustrates that it is not enough to look at the file extension and the supplied content type; you should also look at the file contents themselves (using the file command).
This is just one example of content spoofing; other file upload gems need to be checked for the same issue, too.
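
The check described above, written out as an added example (this is not Paperclip's code): an upload is accepted only when the extension, the declared content type and the type detected from the contents all agree. The method names and sample data are hypothetical, and the magic-byte lookup is a simplified stand-in for the file command so the example runs without external tools.

```ruby
# Added illustration, not Paperclip's code; every name below is hypothetical.
# Magic-byte prefixes for the image types this example accepts.
IMAGE_SIGNATURES = {
  "image/jpeg" => "\xFF\xD8\xFF".b,
  "image/png"  => "\x89PNG\r\n\x1A\n".b,
  "image/gif"  => "GIF8".b
}.freeze

# File extensions allowed for each detected type.
EXTENSIONS = {
  "image/jpeg" => %w[.jpg .jpeg],
  "image/png"  => %w[.png],
  "image/gif"  => %w[.gif]
}.freeze

# Simplified stand-in for `file --mime-type`: classify by leading bytes only.
def sniff_type(bytes)
  head = bytes.b
  IMAGE_SIGNATURES.each { |type, magic| return type if head.start_with?(magic) }
  "application/octet-stream"
end

# Returns [ok, reason]. The filename and declared type are client-controlled,
# so both must agree with what the content itself looks like.
def check_image_upload(filename, declared_type, bytes)
  detected = sniff_type(bytes)
  return [false, "content is not an accepted image (#{detected})"] unless IMAGE_SIGNATURES.key?(detected)
  return [false, "declared #{declared_type}, content is #{detected}"] unless declared_type == detected

  ext = File.extname(filename).downcase
  return [false, "extension #{ext} does not match #{detected}"] unless EXTENSIONS[detected].include?(ext)

  [true, "ok"]
end

# Constructed sample inputs: an HTML body and a minimal JPEG-like header.
HTML_BODY = "<html><body>hello</body></html>"
JPEG_BODY = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00".b + ("\x00" * 16)

if __FILE__ == $PROGRAM_NAME
  p check_image_upload("page.html", "image/jpeg", HTML_BODY) # the case from the text
  p check_image_upload("photo.jpg", "image/jpeg", JPEG_BODY)
end
```

In a real validator the sniffing step would call the file command the text mentions, which inspects more than a few leading bytes.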