Vixiom Axioms

December 18, 2006

Flash image upload security with Ruby on Rails

Filed under: ActionScript, Ruby on Rails Alastair @ 7:29 am

When uploading a file through Flash, every file comes through with its content_type set to 'application/octet-stream', so you can't check it using traditional methods*.

You can limit what kind of file is uploaded in ActionScript:

// ActionScript 2 (Flash 8): restrict the file picker to image extensions
var fileRef:FileReference = new FileReference();
var allTypes:Array = new Array();
var imageTypes:Object = new Object();
imageTypes.description = "Images (*.jpg, *.jpeg, *.gif, *.png)";
imageTypes.extension = "*.jpg; *.jpeg; *.gif; *.png";
allTypes.push(imageTypes);

// only files matching the filter above are shown in the browse dialog
fileRef.browse(allTypes);

This isn't secure yet, because someone could still change the extension of a malicious file. Most file uploads are images, so you can use RMagick to detect whether the file really is an image:

require 'rmagick'

# raises an exception if ImageMagick cannot decode the file as an image
img = Magick::Image.read(path_to_file).first

If the file isn't an image, RMagick raises an exception, Rails returns an error response, and Flash receives an 'onHTTPError', which you can then handle gracefully by alerting the user of the error.

*Note: even when checking a file's content_type, it's possible for someone to fake it. This is just one of many file 'sanitizations' that you should apply to any upload.
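The post relies on RMagick throwing when the upload is not an image. As an added example (not code from the original post), here is a server-side check in the same spirit that does not need ImageMagick installed: it ignores the declared content_type and the file extension entirely and looks at the first bytes of the file for a JPEG, PNG or GIF signature, then maps the result to the HTTP status Flash would see (200 on success, non-200 triggers onHTTPError). The signature table, the 415 status choice, the size limit and the sample files written to a temp directory are all assumptions of this example; in a real app the RMagick decode from the post would run after this cheap check, because a forged signature on a non-image still fails to decode.

```ruby
require 'tmpdir'

# Magic bytes for the image formats the Flash file filter allows (assumed table).
IMAGE_SIGNATURES = {
  png:  ["\x89PNG\r\n\x1a\n".b],
  gif:  ["GIF87a".b, "GIF89a".b],
  jpeg: ["\xFF\xD8\xFF".b],
}.freeze

# Assumed server-side size cap; Flash can pre-check file.size, but the
# server must not trust that either.
MAX_UPLOAD_BYTES = 2 * 1024 * 1024

# Returns :png, :gif, :jpeg or nil based purely on file contents.
def detect_image_type(io)
  io.rewind
  head = io.read(8).to_s.b
  io.rewind
  IMAGE_SIGNATURES.each do |type, sigs|
    return type if sigs.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# Validate an upload the way a Rails controller would before handing it to
# RMagick. Returns [http_status, message]; anything but 200 reaches Flash as
# onHTTPError. declared_type is what the client sent and is never trusted.
def validate_upload(path, declared_type)
  size = File.size(path)
  return [413, "file too large (#{size} bytes)"] if size > MAX_UPLOAD_BYTES

  File.open(path, 'rb') do |f|
    type = detect_image_type(f)
    return [415, "not an image (client declared #{declared_type})"] unless type
    [200, type.to_s]
  end
end

# Helper that writes constructed sample uploads. The extension is always
# ".jpg" to mimic a renamed file; the check above must not care.
def write_sample(name, bytes)
  path = File.join(Dir.tmpdir, "upload-#{name}-#{Process.pid}.jpg")
  File.binwrite(path, bytes)
  path
end

if __FILE__ == $PROGRAM_NAME
  png = write_sample('png', "\x89PNG\r\n\x1a\n".b + ("\x00" * 16))
  exe = write_sample('exe', "MZ\x90\x00".b + ("\x00" * 16))
  puts validate_upload(png, 'application/octet-stream').inspect
  puts validate_upload(exe, 'application/octet-stream').inspect
end
```

The sample inputs are constructed: a PNG header padded with zeros and a file starting with the "MZ" executable marker, both saved with a .jpg extension and both declared as application/octet-stream, exactly as Flash would send them.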


2 Comments »

  1. At what point does the RMagick ruby code get called? And where might you put it?

    Is it possible to call some Ruby on a file as it is being uploaded?

    If this *was* possible, then maybe we could use ruby to monitor if the file size goes over a certain limit?

    Comment by Katie — December 18, 2006 @ 11:09 pm

  2. The RMagick code gets called after the file has been uploaded and it goes in your controller or model (whichever is handling file uploads).

    It’s possible to check the size in Flash before you send the file ( file.size http://livedocs.macromedia.com/flash/8/main/00002223.html )

    If you still want to call a Ruby method as a file is being uploaded you could use Flash remoting ( http://blog.vixiom.com/2006/08/23/flash-remoting-for-rails-tutorial/ )

    Comment by KreeK — December 19, 2006 @ 8:06 am
