FileUpload without Tempfile

luislavena · April 8, 2011, 1:40pm

I am looking for a way to upload a file to Rails 3 app, but without
generating a temp file. Googling the issue gave me some insight in how
the file upload works. As I understand Rails creates a temp file when
the file size is larger than 20kb. Is there a way to change this limit
and avoid the temp file generation?

Another solution I was looking in was creating a Rack App and so avoid
the file generation, however, didn’t work either. Same with a Sinatra
app.

Btw. yes it is mandatory that the file is not saved and only kept in
memory for security reasons.

Thanks

jah4711 · April 8, 2011, 2:14pm

Thanks for pointing out that it is in Rack. Brings me one step closer
to a solution.

On Apr 8, 2:00pm, Chris M. [email protected] wrote:

app.

What you’ve discovered is that it’s not really Rails or Sinatra that’s
creating the Tempfile – it’s Rack:

rack/lib/rack/utils.rb at main · rack/rack · GitHub

I think you’ll need to dig down to that web server - app interface
level if you want to amend this.

I am not sure what you mean with ‘to that web server’

jah4711 · April 8, 2011, 2:01pm

On 8 April 2011 12:38, Helmut J. [email protected] wrote:

I am looking for a way to upload a file to Rails 3 app, but without
generating a temp file. Googling the issue gave me some insight in how
the file upload works. As I understand Rails creates a temp file when
the file size is larger than 20kb. Is there a way to change this limit
and avoid the temp file generation?

Another solution I was looking in was creating a Rack App and so avoid
the file generation, however, didn’t work either. Same with a Sinatra
app.

What you’ve discovered is that it’s not really Rails or Sinatra that’s
creating the Tempfile – it’s Rack:

github.com

rack/rack/blob/main/lib/rack/utils.rb#L483


      
            end
          
          
  def context(env, app = @app)
              recontext(app).call(env)
            end
          end
          
          
# Every standard HTTP code mapped to the appropriate message.
          # Generated with:
          #   curl -s https://www.iana.org/assignments/http-status-codes/http-status-codes-1.csv | \
          #     ruby -ne 'm = /^(\d{3}),(?!Unassigned|\(Unused\))([^,]+)/.match($_) and \
          #               puts "#{m[1]} => \x27#{m[2].strip}\x27,"'
          HTTP_STATUS_CODES = {
            100 => 'Continue',
            101 => 'Switching Protocols',
            102 => 'Processing',
            103 => 'Early Hints',
            200 => 'OK',
            201 => 'Created',
            202 => 'Accepted',
            203 => 'Non-Authoritative Information',

I think you’ll need to dig down to that web server - app interface
level if you want to amend this.

Chris

jah4711 · April 8, 2011, 2:27pm

On 8 Apr 2011, at 13:13, Helmut J. [email protected] wrote:

and avoid the temp file generation?
I think you’ll need to dig down to that web server - app interface
level if you want to amend this.

I am not sure what you mean with ‘to that web server’

Sorry, badly worded. I meant that it’s happening at the interface
between the web server and your app; in this case that’s where Rack
lives.

Chris

jah4711 · April 8, 2011, 5:26pm

On Apr 8, 2:22pm, Frederick C. [email protected]
wrote:

Fred

Thanks Fred for pointin to tmpfs, however, using tmpfs would also
allow that the file can be read by anyone with access

jah4711 · April 8, 2011, 2:24pm

On Apr 8, 12:38pm, Helmut J. [email protected] wrote:

Another solution I was looking in was creating a Rack App and so avoid
the file generation, however, didn’t work either. Same with a Sinatra
app.

Btw. yes it is mandatory that the file is not saved and only kept in
memory for security reasons.

Is it enough for /tmp to be something like tmpfs (ie non persistent) ?

Fred

jah4711 · May 9, 2011, 10:53am

Btw. yes it is mandatory that the file is not saved and only kept in
memory for security reasons.

You could unlink the Tempfile right after creation, as mentioned here:
http://www.ruby-doc.org/stdlib/libdoc/tempfile/rdoc/classes/Tempfile.html

That will prevent any other process to get hands on that file.

Mike

jah4711 · April 8, 2011, 5:49pm

I tried to hack into Rack, however, so far I was not able to avoid
creating a tempfile.