[Catalyst] Re: Catalyst::Response - send a file

2008-08-19 Thread Aristotle Pagaltzis
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-08-19 21:55]:
> $c->response->headers->header('Content-disposition:' => "attachment; filename=$filename" );

You forgot

$filename =~ s!"!\\"!g;

Regards,
-- 
Aristotle Pagaltzis // 

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


[Catalyst] Re: Catalyst::Response - send a file

2008-08-20 Thread Aristotle Pagaltzis
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-08-20 17:55]:
> Aristotle Pagaltzis <[EMAIL PROTECTED]> wrote on 08/19/2008 04:39:55 PM:
> > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-08-19 21:55]:
> > > $c->response->headers->header('Content-disposition:' => "attachment; filename=$filename" );
> >
> > You forgot
> >
> > $filename =~ s!"!\\"!g;
> 
> Yes, I usually sanitize and escape outside of that block --
> good catch.

I prefer to do this kind of encode/decode stuff at the boundaries
of the code. It is hard to keep track of how the data is encoded
and who is responsible for what kind of transformation at what
time when you don’t do it that way. The particular case of these
filenames is probably not too difficult because you probably
aren’t going to be doing a whole lot with them anyway, but still,
I prefer to push encoding and decoding to the boundaries as a
general principle so I can never forget to take it into account
in the middle of the system.

PS.: I missed the fact that that should of course also be
accompanied by always quoting the filename (which presumably in
your own code is also happening elsewhere):

$filename =~ s!"!\\"!g;
$c->res->header( 'Content-Disposition' => qq[attachment; filename="$filename"] );

Regards,
-- 
Aristotle Pagaltzis // 



[Catalyst] Re: Catalyst::Response - send a file

2008-08-21 Thread Aristotle Pagaltzis
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-08-21 22:45]:
> I have not quoted the filename.  I have to look at the rfc
> further, but all my testing has shown it to work without the
> quotes...

You don’t *have* to quote the filename. If there are no quotes
and no blanks in it, it’ll definitely work just fine. But in my
reading of the spec, escaping requires quotes. Since I may have
to quote it sometimes, it’s easier to just quote it always.

Regards,
-- 
Aristotle Pagaltzis // 
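
The escape-and-always-quote advice from this thread, collected into one helper that runs at the output boundary. This is an added example, not code from the thread or from Catalyst: the helper name `content_disposition` and the `download` fallback are assumptions, and it goes beyond the thread's one-liner by also escaping backslashes and removing control characters.

```perl
use strict;
use warnings;

# Hypothetical helper, not part of Catalyst: turn an untrusted filename into
# a Content-Disposition value at the output boundary.
sub content_disposition {
    my ($filename) = @_;

    # Remove control characters (CR and LF included) so the value can never
    # end the header line and begin another one.
    $filename =~ s/[\x00-\x1f\x7f]//g;

    # Fall back to a fixed name if nothing is left (assumed default).
    $filename = 'download' if $filename eq '';

    # quoted-string escaping: prefix every backslash and double quote with a
    # backslash. Escaping only the quote would let a trailing backslash
    # escape the closing quote instead.
    $filename =~ s/(["\\])/\\$1/g;

    # Always quote, so names with blanks or escapes need no special case.
    return qq[attachment; filename="$filename"];
}

# Constructed sample inputs, labelled for printing.
my @samples = (
    [ 'plain'              => 'report.pdf' ],
    [ 'blanks and quotes'  => 'my "final" draft.txt' ],
    [ 'trailing backslash' => 'notes\\' ],
    [ 'embedded CRLF'      => "a.txt\r\nX-Injected: 1" ],
);

for my $sample (@samples) {
    my ( $label, $name ) = @$sample;
    printf "%-20s %s\n", $label, content_disposition($name);
}

# In a Catalyst action (same call the thread uses):
#   $c->res->header( 'Content-Disposition' => content_disposition($filename) );
```

Keeping the raw filename everywhere else in the application and calling the helper only when the header is set matches the encode-at-the-boundary approach described in the thread.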



Re: [Catalyst] Re: Catalyst::Response - send a file

2008-08-20 Thread Wade . Stuart

Aristotle Pagaltzis <[EMAIL PROTECTED]> wrote on 08/19/2008 04:39:55 PM:

> * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-08-19 21:55]:
> > $c->response->headers->header('Content-disposition:' => "attachment; filename=$filename" );
>
> You forgot
>
> $filename =~ s!"!\\"!g;

Yes, I usually sanitize and escape outside of that block -- good catch.



Re: [Catalyst] Re: Catalyst::Response - send a file

2008-08-21 Thread Wade . Stuart
Aristotle Pagaltzis <[EMAIL PROTECTED]> wrote on 08/20/2008 04:12:18 PM:

> * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-08-20 17:55]:
> > Aristotle Pagaltzis <[EMAIL PROTECTED]> wrote on 08/19/2008 04:39:55 PM:
> > > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-08-19 21:55]:
> > > > $c->response->headers->header('Content-disposition:' => "attachment; filename=$filename" );
> > >
> > > You forgot
> > >
> > > $filename =~ s!"!\\"!g;
> >
> > Yes, I usually sanitize and escape outside of that block --
> > good catch.
>
> I prefer to do this kind of encode/decode stuff at the boundaries
> of the code. It is hard to keep track of how the data is encoded
> and who is responsible for what kind of transformation at what
> time when you don’t do it that way. The particular case of these
> filenames is probably not too difficult because you probably
> aren’t going to be doing a whole lot with them anyway, but still,
> I prefer to push encoding and decoding to the boundaries as a
> general principle so I can never forget to take it into account
> in the middle of the system.

I should have been more concise, I mean outside of that block of lines
(not elsewhere in the app logic). I just copied the bunch o header setting
lines I used from my send file code...

>
> PS.: I missed the fact that that should of course also be
> accompanied by always quoting the filename (which presumably in
> your own code is also happening elsewhere):
>
> $filename =~ s!"!\\"!g;
> $c->res->header( 'Content-Disposition' => qq[attachment; filename="$filename"] );
>

No, I have not quoted the filename. I have to look at the rfc further,
but all my testing has shown it to work without the quotes...


