Hi folks,
I am building secure web application using Ruby on Rails which scans
virus in uploaded file.
Now Currently I can access the tempfile from the
ActionDispatch::Http::UploadedFile instance which Rails creates for
uploaded file and complete scan successfully.
But I want to avoid Rails creating the tempfile as I fear once the virus
affected file stored in tempfile this may infect the system.
What my question is:
Is there any way to tell Rails that ‘Generate the IO stream
instance(string) instead of Tempfile’ ?*
If Rails gives file as IO stream I can use this stream to scan for
Virus.
If something asked fundamentally wrong give me your suggestion.
On Wednesday, 26 September 2012 03:43:15 UTC-4, Soundarapandian
Rathinasamy
wrote:
What my question is:
Is there any way to tell Rails that ‘Generate the IO stream
instance(string) instead of Tempfile’ ?*
If Rails gives file as IO stream I can use this stream to scan for Virus.
I don’t think this is a sensible tradeoff - there are plenty of better
ways
to make sure that temporary files aren’t executable. For instance,
putting
the directory on they’re in on a partition mounted with noexec (or just
NOT
EXECUTING them).
On the other hand, streaming them into memory makes it trivial to
completely DDOS your server, by simply sending a file larger than the
available RAM.
–Matt J.
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.