Ruby/Sinatra send_file not working

Question

I'm using send_file on a Sinatra app:

get '/update/dl/:upd' do

    filename ="/uploads/#{params[:upd]}"
    send_file(filename, :filename => "t.cer", :type => "application/octet-stream")
end

The folder /uploads/ it's not public, it's on the app dir. When I try to go to localhost:4567/update/dl/some_file in Chrome it returns me a 404, like with Firefox, when seeing the headers, it's a 404. But if I try with Safari it downloads the file. So I guess somthing's wrong with my code (and Safari's, but let's left that to Apple :P). What could be wrong? Thanks!

Answer 1

I get it to work fine in chrome if I remove the initial slash in filename so it's "filename instead of "/filename. The 404 comes from a file not found error in send_file

# foo.rb
require 'sinatra'
get '/update/dl/:upd' do
    filename ="uploads/#{params[:upd]}"
    # just send the file if it's an accepted file
    if filename =~ /^[a-zA-Z0-9]*.cer$/
      send_file(filename, :filename => "t.cer", :type => "application/octet-stream")
    end
end

However, there's really a big security hole in this, a user can download anything that the sinatra process has access too, I named my sinatra app foo.rb and this request downloads the sinatra script:

 http://localhost:4567/update/dl/..%2Ffoo.rb