Home/ Questions/Q 7002105
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T20:53:12+00:00

I’m using send_file on a Sinatra app: get ‘/update/dl/:upd’ do filename =/uploads/#{params[:upd]} send_file(filename, :filename

  • 0

I’m using send_file on a Sinatra app:

get '/update/dl/:upd' do

    filename ="/uploads/#{params[:upd]}"
    send_file(filename, :filename => "t.cer", :type => "application/octet-stream")
end

The folder /uploads/ it’s not public, it’s on the app dir. When I try to go to localhost:4567/update/dl/some_file in Chrome it returns me a 404, like with Firefox, when seeing the headers, it’s a 404. But if I try with Safari it downloads the file. So I guess somthing’s wrong with my code (and Safari’s, but let’s left that to Apple :P). What could be wrong? Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I get it to work fine in chrome if I remove the initial slash in filename so it’s “filename instead of “/filename. The 404 comes from a file not found error in send_file

    # foo.rb
require 'sinatra'
get '/update/dl/:upd' do
    filename ="uploads/#{params[:upd]}"
    # just send the file if it's an accepted file
    if filename =~ /^[a-zA-Z0-9]*.cer$/
      send_file(filename, :filename => "t.cer", :type => "application/octet-stream")
    end
end

    However, there’s really a big security hole in this, a user can download anything that the sinatra process has access too, I named my sinatra app foo.rb and this request downloads the sinatra script:

     http://localhost:4567/update/dl/..%2Ffoo.rb
    • 0