Comments on: Rails 2.3.4 and SWFUpload – Rack Middleware for Flash Uploads that Degrade Gracefully

By: Jan Foeh

Jan Foeh — Tue, 15 Jun 2010 22:46:07 +0000

For anyone having the same problem David had, here’s what I did: being sleep deprived and unable to come up with an elegant solution, I resorted to an ugly hack in application_controller.rb.

before_filter :fix_missing_session, nly => :edit

private

def fix_missing_session
if request.get? && cookies[ActionController::Base.session_options[:key]].blank?
session[:the_answer] = 42
redirect_to request.headers["REQUEST_URI"] and return
end
end

Whenever one of the edit pages with SWFupload in them is loaded without the session cookie being set, I set the session and reload the page. A better solution would probably be to encode a session string manually, or to calculate a new csrf token matching the empty session…

By: File uploads in Ruby on Rails | Space Babies

File uploads in Ruby on Rails | Space Babies — Sat, 20 Feb 2010 11:04:48 +0000

[...] That’s just sad, people. It makes Jesus cry and all that stuff. Luckily here is a good post explaining the procedure. Yes, we need to write a custom piece of middleware because Flash is [...]

By: David North

David North — Mon, 01 Feb 2010 12:39:04 +0000

I think this is due to the session data I’m sending being out of date. Although I’m initializing the session by writing a value to it on the request that displays my upload form, the contents of cookies[session_key] reflect what was loaded from the cookies, its not until the next request that this value is correct (including the csrf token). Somehow I need to get a value for the session data that reflects the current state of the session so it’ll match with the authenticity token in the upload request.

By: David North

David North — Mon, 01 Feb 2010 12:34:14 +0000

I can see from the logs that the token is correct, otherwise it wouldn’t work on subsequent requests. Same goes for the session data.
On the first request, my session doesn’t contain the key “_csrf_token”, that seems to be responsible for the session mis-match that results in the IAT error.

When I write something to the session, on the next request I can see that _csrf_token exists and the session data is longer. Then the upload will work.

By: Mark Duncan

Mark Duncan — Wed, 27 Jan 2010 15:05:57 +0000

Sorry, stripped out the tags there — i’ll give it another go

‘scriptData’ : { ‘<%= get_session_key %>’ : ‘<%= u cookies[get_session_key] %>’, ‘authenticity_token’ : ‘<%= u form_authenticity_token if protect_against_forgery? %>’ },

By: Mark Duncan

Mark Duncan — Wed, 27 Jan 2010 15:04:25 +0000

How are you passing the authenticity token to javascript. I was having an issue with intermittent IAT errors that were caused by the token having a space in it that was getting decoded as %20.

This did the trick for me, don’t know if it’s related to your issue but worth a try.

‘scriptData’ : { ” : ”, ‘authenticity_token’ : ” },

By: David North

David North — Tue, 26 Jan 2010 13:54:24 +0000

I’ve got all this working great except I always get InvalidAuthenticityToken on the first attempt with a fresh browser session.

In the log, I can see that I’m getting the authenticity token correctly in the params.
The middleware is loaded before CookieStore and with some debug code I can see that it is adding the session data to HTTP_COOKIE e.g.

“_myapp_session=BAh7BjoPc2Vzc2lvbl9pZCIlNDg1ZTExMzY5MGY0ZmQxYmU4MzMwNmFhNTcwNjc1ZmU=–71c3a1f402926876eab548d22bcfd03cd159162e”

I noticed this seems to be related to the session state, if some value has been written to the session in a request previous to the one that renders my upload interface it will work. However many pages are viewed before the upload form it won’t work unless some value has been written to the session.

Any thoughts?

By: Mark Duncan

Mark Duncan — Fri, 22 Jan 2010 10:16:33 +0000

Finally found the root cause to the above problem, on windows the HTTP_ACCEPT is sent as text/* instead of */*. This can be fixed in the middleware.

def call(env)
if env['HTTP_USER_AGENT'] =~ /^(Adobe|Shockwave) Flash/
params = ::Rack::Request.new(env).params
env['HTTP_COOKIE'] = [ @session_key, params[@session_key] ].join(‘=’).freeze unless params[@session_key].nil?
env['HTTP_ACCEPT'] = ‘*/*’
end
@app.call(env)
end

By: Mark Duncan

Mark Duncan — Wed, 20 Jan 2010 14:41:22 +0000

I managed to fix the error above with a nasty hack. When an upload is done the Mongrel..1-0 file is created first and then the RackMultipart…zvp-0 is created. The Mp3info line was happening before the RackMulti file was finished writing. I’ve replaced the create action with

def create
require ‘mp3info’
@timer = Time.now
begin
mp3_info = Mp3Info.new(params[:Filedata].path)

logger.info(“GOT MP3 INFO”)
song = Song.new
song.artist = mp3_info.tag.artist
song.title = mp3_info.tag.title
song.length_in_seconds = mp3_info.length.to_i

params[:Filedata].content_type = MIME::Types.type_for(params[:Filedata].original_filename).to_s
song.track = params[:Filedata]
logger.info(“GOT HERE”);
song.save

render :text => [song.artist, song.title, song.convert_seconds_to_time].join(” – “)
rescue Mp3InfoError => e
if @timer + 2.minutes “File error: “+e.message
else
retry
end
rescue Exception => e
render :text => e.message
end
end

it’s nasty but it does the job for now.

By: Mark Duncan

Mark Duncan — Wed, 20 Jan 2010 11:47:26 +0000

Hi,

I’m having the same File Error message Axel mentions above, i’ve dug into it a bit and it’s an empty file error. I’ve dumped the post-params and the filedata holds : Filedata”=># when i watch that temp directory i’m seeing two files created when i try to upload. RackMultipart20100120-4108-5olzvp-0 which is 0kb and a file named mongrel20100120-4108-16qghk1-0 which is 1kb bigger than the mp3 i’m uploading, when i inspect it in a hex editor i can see the params are listed at the start. Anyone have any ideas what is happening?