access denied to PDF file (when Response.WriteFile)

LP

Hi,

I have a reporting application that exports data to different formats and
sends the file to the browser with the following code:

string fileName = @"" + Request.QueryString["filename"];
//fileName = Request.QueryString["filename"];

if (fileName.Length == 0)
{
    Response.Redirect("default.aspx", true);
    return;
}
fileName = Server.MapPath(fileName);
System.IO.FileInfo TargetFile = new System.IO.FileInfo(fileName);

Response.Clear();
Response.AddHeader("Content-Disposition", "attachment; filename=BLT report");
Response.AddHeader("Content-Length", TargetFile.Length.ToString());

Response.ContentType = "application/octet-stream";

Response.WriteFile(fileName);

// stop the execution of this page
Response.Flush();

Excel format works no problem, but only PDF gives access denied. Do I need
to give special permissions to PDF files?

thank you
 
Brock Allen

Hmm, I don't know what's wrong with the PDF, but one comment about your code:
Beware a path injection attack. I could modify your QueryString and pass
something like:

http://YourSite.Com/YourPage.aspx?filename=web.config

And now you've handed me web.config. So you should validate the filename
and don't pass it back if it's not something you want to hand me.
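
The filename validation suggested above, as an added example that is not part of the original thread or the poster's code. The names ReportDownload and TryResolve, the dedicated export directory and the extension allowlist are assumptions made for illustration:

```csharp
using System;
using System.Collections.Generic;
using System.IO;

static class ReportDownload
{
    // Assumption: only these export formats are ever served.
    static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".pdf", ".xls" };

    // Returns true and the full path only when 'requested' is a bare file name
    // with an allowed extension that resolves inside 'exportRoot'.
    public static bool TryResolve(string exportRoot, string requested, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(requested)) return false;

        // Reject names that carry a directory separator or other invalid characters.
        if (requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return false;
        // web.config fails here: ".config" is not an allowed extension.
        if (!Allowed.Contains(Path.GetExtension(requested))) return false;

        // Canonicalise, then confirm the result is still under the export root.
        // Case-insensitive compare assumes a Windows file system.
        string root = Path.GetFullPath(exportRoot)
                          .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, requested));
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return false;

        fullPath = candidate;
        return true;
    }

    static void Main()
    {
        // Constructed sample inputs; the first is the request from the thread.
        string root = Path.Combine(Path.GetTempPath(), "exports");
        foreach (string name in new[] { "web.config", "../report.pdf", "", "report.pdf" })
        {
            string path;
            bool ok = TryResolve(root, name, out path);
            Console.WriteLine("{0,-16} -> {1}", "\"" + name + "\"", ok ? path : "rejected");
        }
    }
}
```

In the page from the thread, the resolved path would replace the result of Server.MapPath(fileName), with the export root obtained once from Server.MapPath on a directory that holds nothing but generated reports (an assumed layout).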
 
LP

Thanks, Allen,

The workaround for the PDF was opening a popup window with the URL to the PDF file.

I appreciate your concern; however, for now it's an intranet application, but
it's certainly something to worry about. I will put in file name validation.
