[Catalyst] Re: Catalyst::Response - send a file

Aristotle Pagaltzis pagaltzis at gmx.de
Wed Aug 20 22:12:18 BST 2008


* Wade.Stuart at fallon.com <Wade.Stuart at fallon.com> [2008-08-20 17:55]:
> Aristotle Pagaltzis <pagaltzis at gmx.de> wrote on 08/19/2008 04:39:55 PM:
> > * Wade.Stuart at fallon.com <Wade.Stuart at fallon.com> [2008-08-19 21:55]:
> > > $c->response->headers->header('Content-disposition:' => "attachment; filename=$filename" );
> >
> > You forgot
> >
> >     $filename =~ s!"!\\"!g;
> 
> Yes, I usually sanitize and escape outside of that block --
> good catch.

I prefer to do this kind of encode/decode stuff at the boundaries
of the code. It is hard to keep track of how the data is encoded
and who is responsible for what kind of transformation at what
time when you don’t do it that way. The particular case of these
filenames is probably not too difficult because you probably
aren’t going to be doing a whole lot with them anyway, but still,
I prefer to push encoding and decoding to the boundaries as a
general principle so I can never forget to take it into account
in the middle of the system.

PS.: I missed the fact that that should of course also be
accompanied by always quoting the filename (which presumably in
your own code is also happening elsewhere):

    $filename =~ s!"!\\"!g;
    $c->res->header( 'Content-Disposition' => qq[attachment; filename="$filename"] );

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
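
The quoting and escaping discussed in this message, done once at the output boundary, as an added example that is not code from the thread or from Catalyst. The helper name `content_disposition_value` is hypothetical; it also escapes backslashes and drops control characters, which goes beyond the quote escaping shown above.

```perl
use strict;
use warnings;

# Hypothetical helper (not part of Catalyst): turn an untrusted filename
# into a Content-Disposition value. Call it only where the header is set,
# so the rest of the application handles the raw, unescaped name.
sub content_disposition_value {
    my ($filename) = @_;
    $filename = '' unless defined $filename;

    # Drop CR, LF and other control characters so the name cannot end
    # the header line and start a new one.
    $filename =~ s/[\x00-\x1f\x7f]//g;

    # Fall back to a fixed name if nothing usable is left.
    $filename = 'download' unless length $filename;

    # quoted-string escaping: backslash first, then double quote, so the
    # backslashes added for the quotes are not themselves escaped again.
    $filename =~ s/\\/\\\\/g;
    $filename =~ s/"/\\"/g;

    # Always emit the filename as a quoted string.
    return qq[attachment; filename="$filename"];
}

# Constructed sample inputs (not taken from the thread).
my @samples = (
    'report.pdf',
    'say "hi".txt',
    "x.txt\r\nSet-Cookie: a=b",
    'a\\"b.txt',
);
print content_disposition_value($_), "\n" for @samples;

# In a Catalyst action the call site would be:
#   $c->res->header( 'Content-Disposition' => content_disposition_value($filename) );
```

Non-ASCII names need the `filename*` form from RFC 6266, which this helper does not produce.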