
access denied to PDF file (when Response.WriteFile)

LP
Hi,

I have a reporting application that exports data to different formats and
sends the file to the browser with the following code:

string fileName = @"" + Request.QueryString["filename"];
//fileName = Request.QueryString["filename"];

if (fileName.Length==0)
{
    Response.Redirect("default.aspx", true);
    return;
}
fileName = Server.MapPath(fileName);
System.IO.FileInfo TargetFile = new System.IO.FileInfo(fileName);

Response.Clear();
Response.AddHeader("Content-Disposition", "attachment; filename=BLT report");
Response.AddHeader("Content-Length", TargetFile.Length.ToString());

Response.ContentType = "application/octet-stream";

Response.WriteFile(fileName);

// stop the execution of this page
Response.Flush();

Excel format works no problem, but only PDF gives access denied. Do I need
to give special permissions to pdf files?

thank you
Nov 19 '05 #1
Hmm, I don't know what's wrong with the PDF, but one comment about your code:
Beware a path injection attack. I could modify your QueryString and pass
something like:

http://YourSite.Com/YourPage.aspx?filename=web.config

And now you've handed me web.config. So you should validate the filename
and don't pass it back if it's not something you want to hand me.

-Brock
DevelopMentor
http://staff.develop.com/ballen
Nov 19 '05 #2
LP
Thanks, Allen,

The workaround for PDF was opening a popup window with the URL to the PDF file.

I appreciate your concern; however, for now it's an intranet application. It is
certainly something to worry about, and I will put in file name validation.

Nov 19 '05 #3
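
The file name validation discussed in replies #2 and #3, as an added example that is not code from the thread. The class name `ReportPathValidator`, the method `Resolve`, the export directory and the list of allowed extensions are all assumptions made for illustration.

```csharp
using System;
using System.IO;

// Added example, not the poster's code. Names and the extension list are assumptions.
public static class ReportPathValidator
{
    private static readonly string[] AllowedExtensions = { ".pdf", ".xls" };

    // Returns the full path that may be served, or null if the request must be refused.
    public static string Resolve(string exportRoot, string requested)
    {
        if (string.IsNullOrEmpty(requested)) return null;

        // Accept a bare file name only: no directory separators or drive letters.
        if (requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;
        if (Path.GetFileName(requested) != requested) return null;

        // Allow-list the export formats, so web.config is refused by type as well.
        string ext = Path.GetExtension(requested).ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, ext) < 0) return null;

        // Canonicalise, then confirm the result is still inside the export directory.
        string root = Path.GetFullPath(exportRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, requested));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;

        return File.Exists(full) ? full : null;
    }

    public static void Main()
    {
        // Constructed sample data: a temporary export directory holding one report.
        string root = Path.Combine(Path.GetTempPath(), "exports-demo");
        Directory.CreateDirectory(root);
        File.WriteAllText(Path.Combine(root, "report.pdf"), "sample");

        string[] requests = { "report.pdf", "web.config", "../web.config",
                              @"..\web.config", @"C:\Windows\win.ini", "report.pdf.", "" };
        foreach (string r in requests)
            Console.WriteLine("{0,-22} -> {1}", "\"" + r + "\"",
                Resolve(root, r) == null ? "refused" : "served");
    }
}
```

In the download page, the result of `Resolve(Server.MapPath("~/exports"), Request.QueryString["filename"])` would replace the direct `Server.MapPath(fileName)` call, with a redirect when it returns null; `~/exports` is a hypothetical directory that holds only generated reports.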
