I'm building a Rails application with file upload functionality and only authenticated users are allowed to upload files. The file upload form is in the members only area but since it is easy enough to grab the upload URL and attempt to post data from a script I am concerned about unauthenticated file upload submissions. Sure the upload would get rejected but only after the data transfer has completed and valuable bandwidth got wasted. How can I reject unauthenticated file uploads before the entire form has been submitted to my server? Since I can't control users using scripts or CURL this would require some sort of server side solution. I appreciate any feedback. Thanks.
2
-
Maybe have a before_filter to ensure login is required to upload file? – Shreyas Feb 27 '11 at 17:52
1 Answer
0
This is a simple pseudo-code on what you could do. The before_filter is executed before the action is executed (upload_form_action being the upload form page, and upload_action being the page that receives the file).
allowed_to_upload should be a helper/function/etc. that returns true/false; if it's false, it will render 403 unauthorized, otherwise it will just skimp on.

    before_filter :check_upload, :only => [:upload_form_action, :upload_action]

    protected

    # Render an empty 403 response (which halts the filter chain) unless
    # the current user is allowed to upload.
    def check_upload
      render :nothing => true, :status => 403 and return unless allowed_to_upload
    end

nvez
-
I currently have a similar before_filter setup that checks whether the user is signed in or not. If the user is not signed in then it just redirects the user. I tried your code but the authentication always takes place after the file was fully uploaded. Imagine a savvy user grabbing the form from the html source (including authenticity token and all) and using that to try to upload files (without the cookie that contains the authentication info). The authentication before_filter will reject the further processing of the file since the user is not signed in but not the actual upload – SimKo Feb 28 '11 at 03:23
-
The issue with this is that the request is not processed by Rails until it's complete (which is when the upload is finished). However, I suspect you can send a 1GB upload request to any page and you can't do much about it. I'll need to take a look at this – nvez Feb 28 '11 at 18:08
-
Yeah, I had an inkling that this might be the case. Really what I need is a way to check the cookie before the file upload is finished and then terminate the upload. I wonder if it's possible to process the post before it's fully done. Cookies are sent ahead of form data so there might be an opportunity there to inspect the post to see if a cookie with authentication data is present while the form data is streaming to the server. Perhaps with some Rack customization? I wonder if the web server is buffering the entire post before handing it off though. – SimKo Feb 28 '11 at 21:11
-
@SimKo I have a feeling that it's dependent on the type of setup that you have, that the data will either be buffered or it will be loaded all then sent again to the handler. Nothing other than testing could solve this. – nvez Mar 01 '11 at 15:33
-
Alright. Thanks for your assistance nvez. I know it's possible somehow. I've seen Amazon S3 do it when the authentication signature in their custom HTTP header is incorrect. They simply cut the file upload part way. – SimKo Mar 02 '11 at 01:53
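
The header-only check raised in the comments above, written as Rack middleware; this is an added example, not code from the thread. The class name `UploadGate`, the `/uploads` path, the `upload_auth` cookie and its `user_id--HMAC` layout are all assumptions made for the illustration.

```ruby
require 'openssl'

# Hypothetical Rack middleware: decides on upload POSTs from the request
# headers alone and never reads env['rack.input'] (the request body).
class UploadGate
  # The cookie name and its "user_id--hexdigest" layout are assumptions
  # made for this example, not the Rails session cookie format.
  def initialize(app, secret, path = '/uploads', cookie = 'upload_auth')
    @app, @secret, @path, @cookie = app, secret, path, cookie
  end

  def call(env)
    return @app.call(env) unless guarded?(env)
    return @app.call(env) if valid_token?(cookie_value(env['HTTP_COOKIE']))
    [403, { 'Content-Type' => 'text/plain' }, ["Forbidden\n"]]
  end

  # Value to set as the cookie at sign-in.
  def token_for(user_id)
    "#{user_id}--#{sign(user_id.to_s)}"
  end

  private

  def guarded?(env)
    env['REQUEST_METHOD'] == 'POST' && env['PATH_INFO'].to_s.start_with?(@path)
  end

  def sign(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), @secret, data)
  end

  # Pull one cookie out of the raw Cookie header.
  def cookie_value(header)
    pair = header.to_s.split(/;\s*/).find { |p| p.split('=', 2)[0] == @cookie }
    pair && pair.split('=', 2)[1]
  end

  def valid_token?(token)
    user_id, digest = token.to_s.split('--', 2)
    return false if user_id.to_s.empty? || digest.nil?
    expected = sign(user_id)
    # Constant-time comparison so the digest cannot be guessed byte by byte.
    expected.bytesize == digest.bytesize &&
      expected.bytes.zip(digest.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

This only saves bandwidth when the server in front of the application hands the request to Rack before the body has been buffered, which is the setup-dependent behaviour discussed in the comments. The before_filter stays in place as the authoritative check inside the application.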