Thursday, September 27, 2012
On Wednesday, 26 September 2012 03:43:15 UTC-4, Soundarapandian Rathinasamy wrote:
Hi folks,
I am building secure web application using Ruby on Rails which scans virus in uploaded file.
Now Currently I can access the tempfile from the ActionDispatch::Http::UploadedFile instance which Rails creates for uploaded file and complete scan successfully.
But I want to avoid Rails creating the tempfile as I fear once the virus affected file stored in tempfile this may infect the system.
What my question is:
Is there any way to tell Rails that 'Generate the IO stream instance(string) instead of Tempfile' ?
If Rails gives file as IO stream I can use this stream to scan for Virus.
I don't think this is a sensible tradeoff - there are plenty of better ways to make sure that temporary files aren't executable. For instance, putting the directory on they're in on a partition mounted with noexec (or just NOT EXECUTING them).
On the other hand, streaming them into memory makes it trivial to completely DDOS your server, by simply sending a file larger than the available RAM.
--Matt Jones
-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/n_uUkbUZbWEJ.
For more options, visit https://groups.google.com/groups/opt_out.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment