20

I can't seem to find a simple and clear answer to this problem anywhere! Everything seems either outdated or incomplete!

I just want the user to be able to click on a link or button and download a file (that is somewhere in the public folder)

I tried this:

# view
<%= link_to "Raw blast output", :action => :download, :file_name => "public/data/02_blastout/#{@bl_file}" %>

# controller
def download
  send_file "#{RAILS_ROOT}/#{params[:file_name]}"
end

but I get this error:

No route matches {:action=>"download", :file_name=>"public/data/02_blastout/input0.fa_x_Glyma1aaunq.bl", :controller=>"cvits"}

Thanks for the help!!

  • Maybe this: ap.rubyonrails.org/classes/ActionController/Streaming.html? Commented Jun 17, 2011 at 21:28
  • This seems like a terribly unsafe way to handle this, especially considering you can just link directly to the file. Commented Jun 17, 2011 at 21:29
  • @Andrew - use what? I am already using the send_file method. Commented Jun 17, 2011 at 21:29
  • Someone could edit your link like this: ?file_name=config/database.yml Commented Jun 17, 2011 at 21:31
  • send_file should never be given a path set by a param; this opens up a major security hole that malicious users will exploit. Commented Jun 17, 2011 at 21:36

1 Answer 1

40

Don't use send_file with a parameter set by a user. This opens up a massive security hole, allowing a user to access any file that is readable by your application (namely, your entire application, but also possibly other files on the filesystem).

Rather, if the file is under public, link to the file itself. In your case:

<%= link_to "Raw blast output", "/data/02_blastout/#{@bl_file}" %>

No need for a special controller action.


5 Comments

Won't the download lockup the rails process? Shouldn't the download instead be handled by the http server (apache, etc.) as in: therailsway.com/2009/2/22/file-downloads-done-right
If you set up apache or another server, it should handle that. This is just the code for the link.
What if it is not a public file, and it's only for registered users?
Mario makes a good point. But one could check if the file is within a specific directory that is expected to be a directory for downloadable content, or if the file is registered in a table of downloadable files. No?
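The comments above describe both the attack (`?file_name=config/database.yml` against a `send_file` that glues the raw parameter onto the application root) and the fix for files that must not be public (confine the parameter to one download directory). The following is an added example illustrating both, not code from the original question or answer. It runs without Rails: `unsafe_download_path` mirrors the question's controller, `safe_download_path` is a hypothetical hardened helper, and `run_demo` builds a constructed scratch tree with a `public/data/02_blastout` directory, a `config/database.yml` that must never be served, and a symlink planted inside the download directory that points at it.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# What the question's controller effectively does: glue the raw parameter onto
# the application root. Any relative path the client sends is honoured.
def unsafe_download_path(rails_root, file_name)
  "#{rails_root}/#{file_name}"
end

# Hardened variant (hypothetical helper, not from the original post): the
# parameter may only name a plain file directly inside one fixed download
# directory. Returns the absolute path on success, nil on any rejection.
def safe_download_path(download_dir, file_name)
  return nil if file_name.nil? || file_name.empty?
  # Reject anything with directory components ("../", "config/", absolute paths).
  return nil unless file_name == File.basename(file_name)
  # Reject dotfiles and the "." / ".." entries themselves.
  return nil if file_name.start_with?(".")

  base = Pathname.new(download_dir).realpath
  begin
    # realpath follows symlinks, so a link planted inside the directory that
    # points outside is resolved to its real target before the check below.
    resolved = base.join(file_name).realpath
  rescue Errno::ENOENT, Errno::EACCES
    return nil
  end
  # Containment check: the resolved path must sit strictly under base.
  return nil unless resolved.to_s.start_with?(base.to_s + File::SEPARATOR)
  return nil unless resolved.file?
  resolved.to_s
end

# Constructed scratch layout mirroring the question: a public download directory
# and a config/database.yml that must never be served. Returns a hash of results
# so the outcome can be inspected rather than only printed.
def run_demo
  Dir.mktmpdir do |root|
    download_dir = File.join(root, "public", "data", "02_blastout")
    FileUtils.mkdir_p(download_dir)
    FileUtils.mkdir_p(File.join(root, "config"))
    File.write(File.join(download_dir, "input0.bl"), "constructed blast output\n")
    File.write(File.join(root, "config", "database.yml"), "password: constructed\n")
    begin
      File.symlink(File.join(root, "config", "database.yml"),
                   File.join(download_dir, "leak.yml"))
    rescue NotImplementedError
      # Platform without symlinks: the symlink case then behaves like a missing file.
    end

    safe = {}
    ["input0.bl", "../../../config/database.yml", "config/database.yml",
     "leak.yml", ".hidden", "missing.bl"].each do |name|
      safe[name] = !safe_download_path(download_dir, name).nil?
    end

    {
      # The payload from the comments above, against the original code: readable.
      unsafe_reads_database_yml: File.file?(unsafe_download_path(root, "config/database.yml")),
      safe: safe,
    }
  end
end

if $PROGRAM_NAME == __FILE__
  run_demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

In a Rails controller (assumed usage, not from the page) the action would call `safe_download_path(Rails.root.join("public", "data", "02_blastout"), params[:file_name])` after the authentication check, `send_file` the returned path, and respond with 404 when it gets `nil`. The basename check alone already blocks `../` and `config/` prefixes; the `realpath` step is what additionally catches a symlink or a mount that points back outside the directory, and resolving `base` with `realpath` too keeps the prefix comparison valid when the download directory itself lives behind a symlink (for example `/tmp` on macOS). Registering permitted files in a table, as the last comment suggests, is the stricter alternative: then the parameter is a record id, never a file name at all.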
