I have a pretty standard Rails form:

<div>
    <h1>Create a New Listing</h1>
    <%- form_for @listing, :html => {:multipart => true} do |f| -%>
        <div><%= f.label :title, "Title:" %> <%= f.text_field :title %></div>
        <div>
            <%= f.label :image, "Image:" %> <%= f.file_field :image %>
        </div>
        <div>
            <%= f.label :sound, "Sound Clip:" %> <%= f.file_field :sound %><br />
        </div>
        <div class="submit"><%= f.submit 'Post Listing' %></div>
    <%- end -%>
</div>

When a user chooses a file, but the form fails for validation purposes, he must always re-select the file. It is not sticky. Any suggestion on how to fix this?

Thanks!

+2  A: 

You can't make the file field sticky, I think. Even if Rails provides the initial value, most browsers will just ignore it (or otherwise, some smart-aleck could set the default file to /etc/passwd, and if you don't pay attention, next thing you know your box is rooted).

The best you can do that I can think of is set a flag that says a file has already been uploaded, so if the user does not select another one, use the one already sent in the last request.

UPDATE: You'd be surprised how many people have no security skills whatsoever. I've known people to use a browser as root. However, "why" is not exactly an issue - the important point I was trying to make is just that it's not Rails's fault, the problem most likely lies in the browser behaviour.

You can read an article that says it better than I can...

UPDATE 2: "Your box is rooted" should say "the user's box is rooted". The scenario I describe is this: User submits a file innocent.txt and a CAPTCHA. Malicious server responds CAPTCHA is wrong, enter it again, and covertly changes the file from innocent.txt to ~/.ssh/id_rsa. User does not look at the file field (he already put in the correct value there), so just redoes the CAPTCHA and pushes submit. Now the server has the user's private SSH key.

Amadan
"some smart-aleck could set the default file to /etc/passwd" ...wouldn't the web server need to have root access to do that? I don't provide that security hole.
Tony
Also, how would that be different than the user just doing that anyway... with a POST request to my app? Seems like this issue is separate from stickiness.
Tony
The difference is that if user does it, it is directly the person's responsibility. If the page "tricks" a person to upload something he wouldn't want to upload (okay, maybe `~/.ssh/id_rsa` is a better example than `/etc/passwd`), sure, the person could pay more attention, but I'd blame the web page.
Amadan
Basically, the same difference between a person giving his credit card to his spendthrifty wife, and getting it stolen from his pocket in the train. In the first case, it's his own fault. In the second, he could have paid attention, but I'd blame the pickpocket.
Amadan
Oh, I just noticed where we misunderstood each other. By "your box is rooted" I actually meant the impersonal "yours" - i.e. the user's (not your server).
Amadan
Yeah, I took that literally, thanks for the clarification.
Tony
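
One way to implement the "flag" suggested in the answer, as an added example that is not code from the question or the answer: the server keeps the first upload and the re-rendered form carries only an opaque token in a hidden field, never a file path. `UploadStash`, `resolve_upload` and the `image_token` parameter are hypothetical names, and it is assumed that `params[:image]` is a readable IO-like object.

```ruby
require "securerandom"
require "digest"
require "tmpdir"
require "fileutils"

# Hypothetical helper (not a Rails API): holds an upload server-side between
# a failed validation and the resubmit, keyed by an opaque random token.
class UploadStash
  TOKEN_FORMAT = /\A[0-9a-f]{32}\z/

  def initialize(dir)
    @dir = dir
    FileUtils.mkdir_p(@dir, mode: 0o700)
  end

  # Store the uploaded bytes; return the token for a hidden form field.
  def stash(session_id, io)
    token = SecureRandom.hex(16)
    File.open(path_for(session_id, token), "wb", 0o600) { |f| IO.copy_stream(io, f) }
    token
  end

  # Resolve a resubmitted token to the stored file, or nil. The token is
  # validated against TOKEN_FORMAT (so it can never act as a path) and is
  # bound to the session, so another session's token does not resolve.
  def fetch(session_id, token)
    return nil unless token.is_a?(String) && token.match?(TOKEN_FORMAT)
    path = path_for(session_id, token)
    File.file?(path) ? path : nil
  end

  private

  # Hashing the session id keeps the file name safe whatever the id contains.
  def path_for(session_id, token)
    File.join(@dir, "#{Digest::SHA256.hexdigest(session_id)}-#{token}")
  end
end

# Controller-side decision: a newly selected file wins; otherwise fall back
# to the file stashed by the previous request.
def resolve_upload(stash, session_id, params)
  if params[:image]
    { token: stash.stash(session_id, params[:image]), source: :new_upload }
  elsif (path = stash.fetch(session_id, params[:image_token]))
    { token: params[:image_token], path: path, source: :stashed }
  else
    { token: nil, source: :missing }
  end
end
```

The view would then render the returned token in a hidden field next to the file field and show the user that a file is already attached.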