Tony

Reputation: 19126

file_field is not sticky in my Rails form

I have a pretty standard Rails form:

<div>
    <h1>Create a New Listing</h1>
    <%- form_for @listing, :html => {:multipart => true} do |f| -%>
        <div><%= f.label :title, "Title:" %> <%= f.text_field :title %></div>
        <div>
            <%= f.label :image, "Image:" %> <%= f.file_field :image %>
        </div>
        <div>
            <%= f.label :sound, "Sound Clip:" %> <%= f.file_field :sound %><br />
        </div>
        <div class="submit"><%= f.submit 'Post Listing' %></div>
    <%- end -%>
</div>

When a user chooses a file, but the form fails for validation purposes, he must always re-select the file. It is not sticky. Any suggestion on how to fix this?

Thanks!

Upvotes: 2

Views: 1432

Answers (1)

Amadan

Reputation: 198294

You can't make the file field sticky, I think. Even if Rails provides the initial value, most browsers will just ignore it (or otherwise, some smart-aleck could set the default file to /etc/passwd, and if you don't pay attention, next thing you know your box is rooted).

The best you can do that I can think of is set a flag that says a file has already been uploaded, so if the user does not select another one, use the one already sent in the last request.

UPDATE: You'd be surprised how many people have no security skills whatsoever. I've known people to use a browser as root. However, "why" is not exactly an issue - the important point I was trying to make is just that it's not Rails's fault, the problem most likely lies in the browser behaviour.

You can read an article that says it better than I can...

UPDATE 2: "Your box is rooted" should say "the user's box is rooted". The scenario I describe is this: User submits a file innocent.txt and a CAPTCHA. Malicious server responds CAPTCHA is wrong, enter it again, and covertly changes the file from innocent.txt to ~/.ssh/id_rsa. User does not look at the file field (he already put in the correct value there), so just redoes the CAPTCHA and pushes submit. Now the server has the user's private SSH key.

Upvotes: 5
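The fallback the answer sketches (remember the upload from the failed submission and reuse it when the user does not pick a new file), as an added example in plain Ruby rather than code from the original answer. `PendingUploads`, `resolve_upload`, the in-memory store and the params hash standing in for a Rails uploaded file are assumptions; the token handed back to the form is HMAC-bound to the session so a stale or foreign token cannot pull in someone else's file.

```ruby
require 'openssl'
require 'securerandom'

# Keeps uploads from form submissions that failed validation, so the user is
# not forced to re-select the file. Each entry is keyed by a random id, and the
# token the form carries in a hidden field is HMAC-bound to the submitting
# session, so it can be neither guessed nor replayed from another session.
class PendingUploads
  def initialize(secret)
    @secret = secret
    @store  = {}   # assumption: in-memory; a real app would use the cache or disk
  end

  # Remember a file and return the token to embed in a hidden form field.
  def stash(session_id, filename, data)
    id = SecureRandom.hex(16)
    @store[id] = { filename: filename, data: data }
    "#{id}.#{mac(id, session_id)}"
  end

  # Hand back the remembered file only if the token is intact and belongs to
  # this session; otherwise nil.
  def fetch(session_id, token)
    id, tag = token.to_s.split('.', 2)
    return nil unless id && tag && secure_eq(tag, mac(id, session_id))
    @store[id]
  end

  private

  def mac(id, session_id)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, "#{id}:#{session_id}")
  end

  # Constant-time comparison, so timing does not leak how much of a tag matched.
  def secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Controller-side decision for one submission: a freshly chosen file wins,
# otherwise fall back to the upload remembered from the previous attempt.
# Returns [file_or_nil, token_for_the_re-rendered_form].
def resolve_upload(uploads, session_id, params)
  if (f = params[:image])   # hash standing in for ActionDispatch::Http::UploadedFile
    return [f, uploads.stash(session_id, f[:filename], f[:data])]
  end
  remembered = uploads.fetch(session_id, params[:image_token])
  [remembered, remembered ? params[:image_token] : nil]
end
```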
