[ic] Restricting access to PDFs
John Young
john_young at sonic.net
Tue Aug 1 12:55:20 EDT 2006
Brian J. Miller wrote:
> Additionally you can use an actionmap combined with the [deliver] tag to
> provide any file accessible on the local filesystem with whatever
> privilege system you would like.
>
> The [deliver] tag provides base functionality for sending the proper
> Content-Type header and the raw file as is.
>
> Example
>
> In page:
>
> [page area="download/myfile.zip"]My file (zipped)</a>
>
> In catalog.cfg:
>
> ActionMap download <<EOR
> sub {
> my @path = grep /\S/, split m:/+:, $_[0];
> my $spec = join('/', 'pages', @path[1..$#path]);
> Log("Calling 'deliver' with $spec");
> my $result = $Tag->deliver({ file => $spec });
> Log(sprintf('Returned %s', defined($result) ? $result : '(undef)'));
> return 1;
> }
> EOR
>
> Then within the 'download' actionmap you can add any privilege checking
> you wish before providing the file itself. We use this method on at
> least one client site for handling soft goods.
>
> HTH,
>
> Brian J. Miller
> End Point Corp.
Would the actionmap above allow directory traversal -- i.e.
should it perhaps include something like s/\.\.//g?
-John Young
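
One way to handle the traversal concern raised above is to validate each path segment against an allow-list and confirm the resolved file still sits under the download root, instead of stripping characters from the request. This is an added example, not code from the thread or from Interchange; the helper name `safe_download_spec` and the demo tree are hypothetical and constructed for illustration, and how the result is passed to `[deliver]` is left as an assumption.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper: map an action path ("download/a/b.zip") to a file
# under $base, or return undef when the request must be refused.
sub safe_download_spec {
    my ($action_path, $base) = @_;
    my @seg = grep { length } split m{/+}, $action_path;
    shift @seg;                       # drop the action name ("download")
    return unless @seg;
    for my $s (@seg) {
        # Allow-list: letters, digits, '_', '-', '.', with no leading dot.
        # Refuses '.', '..', hidden files, backslashes and NUL bytes.
        return unless $s =~ /\A[A-Za-z0-9_-][A-Za-z0-9._-]*\z/;
    }
    my $root = realpath($base);
    return unless defined $root;
    # realpath resolves symlinks; eval guards against it dying on a
    # path that does not exist.
    my $real = eval { realpath(File::Spec->catfile($root, @seg)) };
    return unless defined $real && -f $real;
    # The resolved file must still be inside the download root.
    return unless index($real, "$root/") == 0;
    return $real;
}

# Constructed demo tree: pages/myfile.zip, a file outside pages/,
# and a symlink inside pages/ that points at the outside file.
my $tmp  = tempdir(CLEANUP => 1);
my $base = "$tmp/pages";
mkdir $base or die "mkdir: $!";
for my $f ("$base/myfile.zip", "$tmp/secret.cfg") {
    open my $fh, '>', $f or die "open $f: $!";
    close $fh;
}
symlink "$tmp/secret.cfg", "$base/link.zip";

for my $req ('download/myfile.zip', 'download/../secret.cfg',
             'download/link.zip', 'download/.htaccess', 'download/') {
    my $spec = safe_download_spec($req, $base);
    printf "%-26s => %s\n", $req, defined $spec ? 'deliver' : 'refuse';
}
```

Only `download/myfile.zip` is delivered in the demo; the other four requests are refused, including the symlink that a purely textual check on `..` would not catch.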