Flash image upload security with Ruby on Rails
When uploading a file through Flash, every file comes through with its content_type set to ‘application/octet-stream’, so you can’t check the type using traditional methods*.
You can limit what kind of file is uploaded in ActionScript:
import flash.net.FileReference;                // Flash 8 / ActionScript 2 file picker
var fileRef:FileReference = new FileReference();
var allTypes:Array = new Array();               // list of filters shown in the browse dialog
var imageTypes:Object = new Object();
imageTypes.description = "Images (*.jpg, *.jpeg, *.gif, *.png)";
imageTypes.extension = "*.jpg; *.jpeg; *.gif; *.png";   // client-side filter only; not enforced server-side
allTypes.push(imageTypes);
fileRef.browse(allTypes);                       // only files matching the filter are selectable
This isn’t secure yet because someone could still change the extension of a malicious file. Most file uploads are images, so you can use RMagick to detect whether the file is an image:
require 'RMagick'   # the gem's require name at the time of this post; newer versions use 'rmagick'
img = Magick::Image::read(path_to_file).first   # raises Magick::ImageMagickError if the file can't be decoded
If the file isn’t an image, RMagick raises an error and the request fails, so Flash gets an ‘onHTTPError’ back, which you can then handle gracefully by alerting the user of the error.
*Note: even when checking a file’s content_type it’s possible for someone to fake it. This is just one of many file ‘sanitizations’ that you should apply to any upload.
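Because Flash hands every upload over as ‘application/octet-stream’, the server has to decide from the bytes. The following is an added example (not code from this post) of a server-side check that combines three signals: the extension, the file’s leading magic bytes for the formats the ActionScript filter allows, and, when RMagick is loaded, a real decode in the same way as the one-liner above. The function names, the signature table and the sample files are assumptions made for this example, not a Rails or RMagick API.

```ruby
# Added example: server-side validation of a Flash-uploaded image file.
# Neither the extension nor the Flash-supplied content_type is trusted on
# its own; the leading bytes must match an allowed format, the extension
# must agree with them, and RMagick (if available) must decode the file.
require 'tempfile'

# Magic-byte signatures for the formats the ActionScript filter allows
# (assumed table; JPEG/PNG/GIF prefixes are the standard ones).
IMAGE_SIGNATURES = {
  jpeg: ["\xFF\xD8\xFF".b],
  png:  ["\x89PNG\r\n\x1A\n".b],
  gif:  ["GIF87a".b, "GIF89a".b]
}.freeze

# Returns :jpeg, :png, :gif or nil, judged from the first 8 bytes only.
def sniff_image_format(path)
  head = File.binread(path, 8) || ''.b
  IMAGE_SIGNATURES.each do |fmt, sigs|
    return fmt if sigs.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# Full check, returning [ok, detail]. `decode:` defaults to true only when
# the RMagick constant is loaded, so the example also runs without the gem.
def validate_image_upload(path, allowed: %i[jpeg png gif], decode: !!defined?(Magick))
  ext = File.extname(path).downcase.delete('.')
  ext = 'jpeg' if ext == 'jpg'
  unless allowed.map(&:to_s).include?(ext)
    return [false, "extension not allowed: #{ext.inspect}"]
  end

  fmt = sniff_image_format(path)
  if fmt.nil? || !allowed.include?(fmt)
    return [false, 'magic bytes do not match an allowed image format']
  end
  # A renamed file (e.g. JPEG bytes with a .gif name) is rejected here.
  return [false, "extension #{ext} does not match content #{fmt}"] if ext != fmt.to_s

  if decode
    begin
      # Same call as the post: decoding fails for anything ImageMagick can't parse.
      img = Magick::Image.read(path).first
      unless img.format.downcase.start_with?(fmt.to_s)
        return [false, "decoder reports #{img.format}, not #{fmt}"]
      end
    rescue Magick::ImageMagickError => e
      return [false, "not a decodable image: #{e.message}"]
    end
  end
  [true, fmt]
end

# Constructed sample upload: a PNG signature followed by filler bytes.
def example_run
  f = Tempfile.new(['upload', '.png'])
  f.binmode
  f.write("\x89PNG\r\n\x1A\n".b + ("\x00".b * 16))
  f.close
  validate_image_upload(f.path, decode: false)
end
```

In a Rails controller or model this would be called on the path of the saved upload before anything else touches the file; the `decode:` switch is only there so the example stays runnable where RMagick is not installed, and in production the decode step should stay on, since the magic bytes alone are as easy to fake as the content_type.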
This entry was written by Alastair, posted on December 18, 2006 at 7:29 am, filed under ActionScript, Ruby on Rails.
© Copyright 2006 - 2012 Alastair Dawson
2 Comments
At what point does the RMagick ruby code get called? And where might you put it?
Is it possible to call some Ruby on a file as it is being uploaded?
If this *was* possible, then maybe we could use ruby to monitor if the file size goes over a certain limit?
The RMagick code gets called after the file has been uploaded and it goes in your controller or model (whichever is handling file uploads).
It’s possible to check the size in Flash before you send the file (file.size: http://livedocs.macromedia.com/flash/8/main/00002223.html).
If you still want to call a Ruby method as a file is being uploaded you could use Flash remoting (http://blog.vixiom.com/2006/08/23/flash-remoting-for-rails-tutorial/).