Media display problem

[markster]

Bruce, there's an error in the Media display.

Compile and run Example47 (Media). Select any of the included pdf files, ie appendixB.pdf and click on Change. The pdf file displays. The URL displays as appendixB.pdf.

Now edit the URL and append the full path of the containing folder, ie C:\Users\Public\Documents\SoftVelocity\Clarion9\Accessory\Capesoft\NetTalk\Web Server\Media (74)\web\appendixB.pdf. The file will no longer display. It seems as though entering the filename/extension ONLY and placing it anywhere in or below the web folder will allow it to display, but adding the path to it results in NO display, even if its exactly the same file.

Thanks,

Mark

[kevin plummer]

Mark it's not a bug - it's designed that way for security reasons otherwise any old user could read any file on your computer. I do recall however in one of the examples that it could be changed to read a file above the web folder with a big warning from Bruce. Bill had posted a nice technique he uses that is secure and allows files to be served up from outside the web folder without disclosing the file path and location using the _sendfile embed in the webhandler.

[Bruce]

Hi Mark,

yes indeed, as Kevin says that's an extremely important security restriction - only files inside the web folder, or below, can be served from the server. Otherwise I'd be able to do something like
www.capesoft.com\..\..\..\windows\password.txt
and get whatever I like from your server.

In example 40 (File Download) I show how you can create a NetWebPage which acts as a "generic" provider of files outside the web folder. The procedure is "ServeDocument" as I recall.
However you are responsible to parse the incoming filename to ensure it is a file you actually want to serve.

Remember you can't "trust" the client, they could ask for anything....

cheers
Bruce

[markster]

All good points. However I think my use is a bit different. In my app, a user can attach a PDF or a JPG to an "invoice" for display purposes only. The uploaded file is stored in a BLOB and then is only restored to an actual file for viewing if and when the invoice is open for display to the originator or recipient. I have no problem restoring the file under the web folder. I just want to be able to give restored files a unique path under the web folder, ie .\web\customer99\somefile.pdf. Otherwise there is a chance that different users might simultaneously try to view what should be different files, but had the same name and so were restored with one overwriting another.

The only alternative that strikes me right now would be to restore each file to a temporary GUI name that would be inherently unique.

Mark

[kevin plummer]

creating folders with the same name as a the sessionid may also help you. Just remember to add some clean up code before the session is deleted.

[Bruce]

When the blob is restored to. File, give it a completely random name, (using stringtheory random function) starting with $$$. That way the file names won't clash, and the file will automatically be deleted after 1 serving.

Or better yet serve the file straight out of the blob, and never write it to disk. There's an example that shows doing that - from memory it's also example 40.

Cheers
Bruce

[markster]

I've modified my program to create a temporary file name, but will look into Bruce's idea of serving right from the blob. FYI, upon further research, the file to be displayed MUST be in the web folder. The other sub-web folder locations I tried were working only because of prior browser caching of the file. Once I cleared the browser history, only the web folder would work.

Mark

[markster]

Bruce, I've now got my programming all set up to try to serve the file directly from the blob, but I can't figure out how to make it display on my webform. For example, the blob is in a file called Attachment. The Media field being displayed has the URL designated as LOC:Media. I create a file from the blob in the web folder to display and then assign the name of that file to LOC:Media and it displays:

LOC:Media = 'somefile.png'
LOC:FileName = '.\web\'&LOC:Media
ST.FromBlob(ATT:Blob)
ST.SaveFile(LOC:FileName)
 
However if no physical file is created because I'm trying to display directly from contents of the ST object, I'm not clear on how to code it.

Thanks,

Mark

[Bruce]

Maybe an example would be helpful Mark.

cheers
Bruce

[markster]

I think we have a misunderstanding. In a prior message on this thread, you wrote "Or better yet serve the file straight out of the blob, and never write it to disk. There's an example that shows doing that - from memory it's also example 40."

But I cannot find anything in example 40 about serving a file straight from a blob. That's what I need the help on...

Thanks,

Mark

[Bruce]

example code is in WebHandler procedure, _SendFile method.

it shows "sending the file from a blob" rather than "sending it from disk".

Cheers
Bruce