
Amazon S3 direct upload not recognizing file's content type

I have my Rails application set up where each user can upload an avatar. The image is uploaded directly to Amazon's S3 using HTTP Post. So far everything is working except that the user is able to upload any type of file.

I'm using a fork of the d2s3 plugin by camelpunch. Here are the helpers:

    policy = Base64.encode64(
      "{'expiration': '#{expiration_date}',
        'conditions': [
          {'bucket': '#{bucket}'},
          ['starts-with', '$key', '#{key}'],
          {'acl': '#{acl}'},
          {'success_action_redirect': '#{redirect}'},
          ['starts-with', '$Content-Type', '#{content_type}'],
          ['content-length-range', #{min_filesize}, #{max_filesize}]
        ]
      }").gsub(/\n|\r/, '')

    signature = b64_hmac_sha1(D2S3::S3Config.secret_access_key, policy)
    out = ""
    out << %(
      <form action="https://#{bucket}.s3.amazonaws.com/" method="post" enctype="multipart/form-data" id="#{options[:form][:id]}" class="#{options[:form][:class]}">
      <div>
      <input type="hidden" name="key" value="#{key}/${filename}" />
      <input type="hidden" name="AWSAccessKeyId" value="#{access_key_id}" />
      <input type="hidden" name="acl" value="#{acl}" />
      <input type="hidden" name="success_action_redirect" value="#{redirect}" />
      <input type="hidden" name="policy" value="#{policy}" />
      <input type="hidden" name="signature" value="#{signature}" />
      <input type="hidden" name="Content-Type" value="#{content_type}" />
      <input name="file" type="file" />#{submit_button}
      </div>
      </form>
    )

I have my content type set to 'image/jpeg' but Amazon seems to ignore that. In the docs, it says to set it up just like this. Am I doing something wrong?

Also, when a file that's larger than the set max filesize is uploaded, the application just stalls. S3 doesn't reply with an xml error message. Can this be fixed?

Thanks!

Tim

Amazon is unable to determine the actual content-type of the file because that would require analyzing the binary data.

Amazon serves files with the content type claimed on upload, so the policy only restricts users from uploading files that will be served with a disallowed content-type. For instance, no one can hack your form and have something served as 'application/pdf'. They can however upload a PDF file claiming it is an 'image/jpeg', which file will be served to consumers as a jpeg, resulting in a broken image.
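
An added example, not part of the original answer or of the d2s3 plugin: since the policy only constrains the claimed Content-Type, the application can compare that claim against the leading "magic" bytes of the stored object before accepting it as an avatar. The method names and sample byte strings are assumptions made for illustration; how the application obtains the first bytes of the object (for example a ranged read after the redirect) is left to the caller.

```ruby
# Added example: check that an upload's leading bytes agree with the
# Content-Type claimed in the S3 POST form. All names here are hypothetical.

# File signatures for the image types an avatar upload would accept.
MAGIC_NUMBERS = {
  'image/jpeg' => ["\xFF\xD8\xFF".b],
  'image/png'  => ["\x89PNG\r\n\x1A\n".b],
  'image/gif'  => ['GIF87a'.b, 'GIF89a'.b]
}.freeze

# Returns the MIME type whose signature matches the first bytes, or nil
# when the data is empty or matches none of the allowed image types.
def sniff_image_type(head)
  head = head.to_s.b # compare as raw bytes, whatever encoding came in
  MAGIC_NUMBERS.each do |mime, signatures|
    return mime if signatures.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# True only when the bytes are a recognised image AND the sniffed type
# equals the claimed one (parameters such as "; charset=..." are ignored).
def upload_matches_claim?(head, claimed_type)
  claimed = claimed_type.to_s.split(';').first.to_s.strip.downcase
  sniffed = sniff_image_type(head)
  !sniffed.nil? && sniffed == claimed
end

# Constructed sample inputs: the first bytes of a JPEG and of a PDF.
SAMPLE_JPEG = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00".b
SAMPLE_PDF  = "%PDF-1.4\n%\xE2\xE3\xCF\xD3\n".b

if __FILE__ == $PROGRAM_NAME
  # The PDF uploaded with a claimed type of image/jpeg is rejected here,
  # even though the POST policy condition on Content-Type accepted it.
  puts upload_matches_claim?(SAMPLE_JPEG, 'image/jpeg') # true
  puts upload_matches_claim?(SAMPLE_PDF, 'image/jpeg')  # false
end
```

A signature match only shows that the file starts like an image; decoding it with an image library is the stronger check.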

Wouldn't it be easier to use the AWS::S3 gem http://amazon.rubyforge.org/ or RightScale's RightAWS gem https://github.com/rightscale/right_aws?
