Dancer::send_file() gives a "No such file" error if you pass it an absolute path or one that is not directly relative to $pubdir.

I'm using send_file() to send dynamically generated PDF files to the client from behind pretty routes. That is, I want '/pdf/foo.pdf' to generate and send:

        /home/me/app/pdfbuild/foo-$user-$yymmdd-$hhmmss.pdf

The generated PDF file has the user name in it so that other users don't clobber each other's generated PDFs. The file name contains a timestamp because the data that goes into the PDF changes frequently, so a second access of the URL needs to re-generate the PDF.

Because of all this dynamic generation, I'm doing the background work in this pdfbuild directory, because I don't want to expose the intermediate files.

I've fixed this by putting the intermediate files in pdfbuild and the final output PDF in .../pdfbuild/../public/pdf, but this effectively exposes all generated PDFs: any user can pull up any other user's dynamic PDF if they know another user name and can make sensible guesses about the timestamp. Obviously I could add a nonce to the file name to make guessing impossible, but that's solving the symptom, rather than attacking the actual source of the problem.

Why doesn't send_file() just return a binary blob to Dancer, which it recognizes and inserts literally into the response content body? Why does it care where on the filesystem that data comes from?
_______________________________________________
dancer-users mailing list
[email protected]
http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
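
An added example, not part of the original post or of Dancer: one way to keep the generated PDFs in the private pdfbuild directory and resolve a request to a file only when it belongs to the requesting user. The function name `pdf_for_user`, the sample file names and the assumption that the user name comes from the authenticated session (never from the URL) are all hypothetical.

```perl
#!/usr/bin/env perl
# Added example (not from the original post): decide which generated PDF,
# if any, may be served to the requesting user before a file is sent.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Return the absolute path of the newest PDF built for ($doc, $user) inside
# $build_dir, or undef if the request is malformed or nothing matches.
# Assumption: $user is taken from the server-side session, not the request.
sub pdf_for_user {
    my ($build_dir, $doc, $user) = @_;
    # Allow-list both values so neither can carry '/', '..', '-' or globs.
    return unless defined $doc  && $doc  =~ /\A[A-Za-z0-9_]+\z/;
    return unless defined $user && $user =~ /\A[A-Za-z0-9_]+\z/;

    my $root = realpath($build_dir) or return;
    opendir(my $dh, $root) or return;
    # File name layout from the post: foo-$user-$yymmdd-$hhmmss.pdf
    my @hits = sort grep { /\A\Q$doc\E-\Q$user\E-\d{6}-\d{6}\.pdf\z/ } readdir $dh;
    closedir $dh;
    return unless @hits;

    # Fixed-width timestamps sort lexically, so the last hit is the newest.
    my $path = realpath(File::Spec->catfile($root, $hits[-1])) or return;
    # Containment check: a symlink must not lead outside the build directory.
    return unless index($path, "$root/") == 0;
    return $path;
}

# Constructed demo data: two users, in a throwaway temp directory.
my $dir = tempdir(CLEANUP => 1);
for my $f (qw(foo-alice-240101-120000.pdf foo-alice-240102-090000.pdf
              foo-bob-240101-120500.pdf)) {
    open(my $fh, '>', File::Spec->catfile($dir, $f)) or die "$f: $!";
    close $fh;
}

# alice and bob each resolve only to their own newest file; carol has none,
# and a document name containing '../' is refused outright.
for my $case (['foo', 'alice'], ['foo', 'bob'], ['foo', 'carol'], ['../foo', 'alice']) {
    my $p = pdf_for_user($dir, @$case);
    printf "%-8s %-6s => %s\n", @$case, defined $p ? $p : 'refused';
}
```

Because the lookup is keyed on the session's user name, knowing another user's name or guessing a timestamp does not yield that user's file.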