Re: Stream pdf to browser

This is technically correct - BUT

never implement it like this!

You are taking an arbitrary filename coming over a querystring and using it to open a file. This is prone to directory traversal attacks.

Before you use the file you should do some input validation:

a) check first if the filename is in a list of valid names from your content directory (File/Directory.* APIs)
b) have a mapping between file ids and actual physical files like /download.aspx?id=5

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
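A download page that applies both suggestions above, written as an added example for this thread rather than code from either poster. The class name SafeDownload, the ContentFolder path, the id-to-file table and the "id"/"fn" query-string names are assumptions made for illustration; everything else is standard ASP.NET 2.0 API.

```vb
' Added example (not from the original thread): a hardened variant of the
' download page. Option (b) maps an opaque id to a physical file; option (a)
' accepts a file name only if it exactly matches an entry in the content
' directory listing, so a traversal sequence or absolute path never matches.
Imports System
Imports System.IO
Imports System.Web
Imports System.Web.UI

Partial Class SafeDownload
    Inherits System.Web.UI.Page

    ' Folder holding the PDFs, relative to the application root (assumed path).
    Private Const ContentFolder As String = "~/App_Data/reports"

    ' Option (b): /download.aspx?id=5 -> a file name chosen by the server.
    ' The table contents are constructed sample data.
    Private Shared Function FileNameForId(ByVal id As Integer) As String
        Select Case id
            Case 5 : Return "quarterly-report.pdf"
            Case 6 : Return "annual-summary.pdf"
            Case Else : Return Nothing
        End Select
    End Function

    ' Option (a): compare the requested name against the actual directory
    ' listing (File/Directory APIs). Only a bare file name that is really
    ' present in ContentFolder can be returned.
    Private Function ResolveWhitelisted(ByVal requested As String) As String
        If String.IsNullOrEmpty(requested) Then Return Nothing
        Dim folder As String = Server.MapPath(ContentFolder)
        For Each candidate As String In Directory.GetFiles(folder, "*.pdf")
            If String.Equals(Path.GetFileName(candidate), requested, _
                             StringComparison.OrdinalIgnoreCase) Then
                Return candidate
            End If
        Next
        Return Nothing
    End Function

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        Dim physicalPath As String = Nothing

        ' Prefer the id lookup; fall back to the whitelisted name.
        Dim id As Integer
        If Integer.TryParse(Request.QueryString("id"), id) Then
            Dim name As String = FileNameForId(id)
            If name IsNot Nothing Then
                physicalPath = Path.Combine(Server.MapPath(ContentFolder), name)
            End If
        ElseIf Request.QueryString("fn") IsNot Nothing Then
            physicalPath = ResolveWhitelisted(Request.QueryString("fn"))
        End If

        ' Anything that did not resolve to a known file is a plain 404;
        ' the raw query-string value is never used to open a file.
        If physicalPath Is Nothing OrElse Not File.Exists(physicalPath) Then
            Response.StatusCode = 404
            Response.End()
        End If

        Response.ClearHeaders()
        Response.ClearContent()
        Response.ContentType = "application/pdf"
        ' The name in the header comes from the validated path, not from user input.
        Response.AddHeader("Content-Disposition", _
            "attachment; filename=" & Path.GetFileName(physicalPath))
        Response.TransmitFile(physicalPath)
        Response.End()
    End Sub
End Class
```

Whichever option is used, the value that reaches the file system is one the server chose (from its own table or its own directory listing), which is the property that defeats traversal; logging the rejected requests that hit the 404 branch gives a cheap signal that someone is probing the parameter.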

Hi Rick,

Will it work if you directly access that separate aspx page to display
the pdf document?

Also, you can use Response.End instead of Flush to close the response
stream. Here is the test page code I used, which works correctly on my
side. You can also have a test against it:

========================
Imports System
Imports System.IO

Partial Class vb_FilePage
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        RenderFile()
    End Sub

    Protected Sub RenderFile()
        Dim filename As String
        filename = Request.QueryString("fn")
        Dim buffer As Byte()

        buffer = GetPDFBuffer(filename)

        Response.ClearHeaders()
        Response.ClearContent()
        Response.ContentType = "application/pdf"
        Response.AddHeader("content-disposition", _
            "attachment;filename=YourReport.pdf")
        ' Write the PDF bytes to the response before ending it
        ' (this call is missing from the code as quoted).
        Response.BinaryWrite(buffer)
        Response.End()
    End Sub

    ' Not shown in the original post; assumed to read the named file from disk.
    ' The unvalidated query-string value reaches the file system here.
    Protected Function GetPDFBuffer(ByVal filename As String) As Byte()
        Return File.ReadAllBytes(Server.MapPath(filename))
    End Function
End Class
===============================
Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no
rights.