Done everything I could with the code to fix it but Veracode still gives error for the following code:
Byte[] bytes = (Byte[])dt.Rows[i]["Content"];
Response.Buffer = true;
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.ContentType = StringEncode(HttpUtility.HtmlEncode(dt.Rows[i]["Extension"].ToString()));
Response.AddHeader("content-disposition", "attachment;filename=" + StringEncode(HttpUtility.HtmlEncode(dt.Rows[0]["FileName"].ToString())));
Response.BinaryWrite(bytes);
Response.Flush();
Response.End();
It points to the line with Response.BinaryWrite(bytes);
What should be done?
Any suggestions?
I think you can safely mark this as a false positive when your users are using modern browsers.
Setting content disposition to download the response as an attachment should prevent any scripting from being executed in the browser. It appears that Veracode has not picked up the fact that you are doing this.
Note that old browsers like IE 6/7 will ignore the the content-disposition header if they already have the response cached. You could possibly detect the cases when these browsers are used and prevent the content from loading in these browsers.
Related
I inherited an .net application that allows users to download a pdf. Now, I am able to download the pdf file when I run locally but when I deploy to IIS server I run into problems. The download works on Firefox but doesnt work on Chrome, and sometimes on IE. The fact that I can download it on my local development environment tells that it could be something with IIS configuration or maybe my code. The pdf is stored in ms sql server 2012 table as varbinary. I provided some code below that is used to read the data. Please let me know if there are other information you all need. Also, I checked the iis logs and I am getting 200 status codes for everything. Nothing stands out in there.
if(Session["DetailID"] != null)
{
//get the file
DataTable dt = sp_Attachment_Download(lblAttachmentIDD.Text);
DataRow row = dt.Rows[0];
string name = (string)row["AFileName"];
string contentType = (string)row["AFileType"];
Byte[] data = (Byte[])row["AFile"];
/// Send the file to the browser
Response.AddHeader("Content-type", contentType);
Response.AddHeader("Content-Disposition", "attachment; filename=" + name);
Response.BinaryWrite(data);
Response.Flush();
Response.Close();
}
EDITED----------
I am using the developer tools for IE and Chrome and found something interesting. Chrome gives me the following error when I click on the link:
interpreted as Document but transferred with MIME type application/pdf:
IE doesnt give an error but something caught my attention. I my REQUEST header, ACCEPT does not contain application/pdf and the RESPONSE Content-Type has application/pdf. Could this be something? How can I set the ACCEPT to include application/pdf in aspx page?
I had kinda similar issue when downloading pdf from chrome as in my case filename had a comma in it and that chrome apparently didn't like it, so I removed comma from filename and it worked.
PS: Please try not to use Response.Close(). It aborts the thread and throws exception.
Response.Clear();
Response.ContentType = "application/pdf";
Response.AddHeader("content-disposition", "attachment; filename=" + fileName.Replace(",",,");
Response.CacheControl = "No-cache";
Response.Write(data);
Response.Flush();
Response.SuppressContent = true;
HttpContext.Current.ApplicationInstance.CompleteRequest();
Maybe this will help, here's my code to do the same thing. One thing that I noticed is that you're not specifying the file length, which I believe is required. Please note that pFileData is class that contains FileName, a string, and FileData, a byte[].
System.Web.HttpResponse Response = System.Web.HttpContext.Current.Response;
Response.Clear();
Response.ClearHeaders();
Response.ContentType = "application/pdf";
Response.AddHeader("Content-Disposition", "attachment;filename=" + pFileData.FileName);
Response.AddHeader("Content-Length", pFileData.FileData.Length.ToString());
Response.BufferOutput = false;
Response.BinaryWrite(pFileData.FileData);
Response.Flush();
Response.SuppressContent = true;
HttpContext.Current.ApplicationInstance.CompleteRequest();
Response.End();
I tried to get a pdf file opened in chrome but it seems to be stuck in the middle of somewhere during displaying process. The code seems to work because it can get PDF opened in IE, not sure why it got stuck in chrome. The screen will just grey out, show the "LOADING" sign, and stop at 7/8. The file is around 6MB or more.
public static void ReturnPDF(byte[] contents)
{
var response = HttpContext.Current.Response;
response.Clear();
response.AppendHeader("Content-Disposition", "inline;filename=" + "abc.pdf");
response.BufferOutput = true;
response.ContentType = System.Net.Mime.MediaTypeNames.Application.Pdf;
response.BinaryWrite(contents);
response.Flush();
response.Close();
response.End();
}
Any thoughts? Thanks
[UPDATE]
I tried firefox with version 30.0 and it WORKS. My IE is 8.0.7601.17514, which can also open pdf. My Chrome is 39.0.2171.95. Not sure wheather the version of the browser matters or not, here only chrome fails to open the inline PDF...
[SOLVED]
After adding content-length, chrome can open the inline PDF.
public static void ReturnPDF(byte[] contents)
{
var response = HttpContext.Current.Response;
response.Clear();
response.AppendHeader("Content-Disposition", "inline;filename=" + "abc.pdf");
//After adding Content-Length, chrome is able to open PDF inline
response.AppendHeader("Content-Length", contents.Length.ToString());
response.BufferOutput = true;
response.ContentType = System.Net.Mime.MediaTypeNames.Application.Pdf;
response.BinaryWrite(contents);
response.Flush();
response.Close();
response.End();
}
The OP's original code created the response like this:
response.Clear();
response.AppendHeader("Content-Disposition", "inline;filename=" + "abc.pdf");
response.BufferOutput = true;
response.ContentType = System.Net.Mime.MediaTypeNames.Application.Pdf;
response.BinaryWrite(contents);
response.End();
This code especially does not set the Content-Length header. Some web browser versions (not only Chrome but also certain versions of other browsers) without that header tend to prematurely consider the download finished.
Detecting when a download is finished on a connection initially created as persistent, may not be trivial if neither a non-identity Transfer-Encoding nor a Content-Length has been supplied.
Thus, the solution here is to add
response.AppendHeader("Content-Length", contents.Length.ToString());
before writing the contents.
Try with "Content-disposition: attachment" header.
Thanks mkl's suggestions.
I added the content length in the header and the pdf can be successfully opened in Chrome!
I have a byte array in the database and i need to show that in a pdf file format. Here is the way i did that. However, this doesn't work on Android tablets(checked in 2.3.5 and 3.2).
Response.Clear();
Response.ContentType = "application/octet-stream";
Response.BufferOutput = true;
Response.Buffer = false;
Response.AddHeader("Content-Length", binaryData.Length.ToString());
Response.AppendHeader("Content-Disposition", "inline;filename=ClientDocument.PDF");
// Response.BinaryWrite(binaryData);
Response.OutputStream.Write(binaryData, 0, binaryData.Length);
Response.End();
Can you guys think of any way i could make it work on all the browsers?
Appreciate the help
Thanks
Couple of things...
Change the content type to correct mime-type of PDF files. There are vast array of these in use application/pdf, application/x-pdf, application/acrobat, applications/vnd.pdf, text/pdf, text/x-pdf", we just use application/pdf.
Response.ContentType = "application/pdf";
Then if you want the browser to open and display the PDF file, remove the Content-Disposition header.
... or ... if you want the browser to download the PDF file change the Content-Disposition type to "attachment" rather than "inline".
Response.AppendHeader("Content-Disposition", "attachment;filename=ClientDocument.PDF");
Have you upgraded to latest version of Android on the test tablets/phones?
That fixed it for me when I had a similar problem (PDFs not opening or downloading when sent to browser from stream or byte[] on Android only).
I am trying to open a PDF document to display within IE6. I am using the following snippet:
response.ContentType = healthMedia.MediaKey.MimeType;
response.ClearHeaders();
response.AddHeader("Content-Disposition", "inline; filename=" + mediaKeyId);
int contentLength = healthMedia.Content.Length;
response.AppendHeader("content-length", Convert.ToString(contentLength));
response.OutputStream.Write(healthMedia.Content, 0, contentLength);
healthMedia.MediaKey.MimeType; is equal to 'application/pdf'
This brings up the Save dialog. If I comment out Response.ClearHeaders(); I get a new window to popup but it's contents is a bunch of jibberish (random encoding text).
How can I get IE6 to open the PDF correctly?
-Nick
Have you tried Response.End() and also Response.Buffer = true? You may also need to set a caching policy.
In case it helps, here's a method I've used before to render in-browser PDFs...
Use response.BinaryWrite() instead of response.OutputStream.Write()
I'm facing a very strange problem in my ASP.NET Application.
When the user clicks the button that downloads a file, Internet Explorer / Chrome / Firefox shows the save dialog but the name of the file is the name of the ASPX Page (For example, if the page is named Download.aspx the download dialog shows the "file" Download.zip). Sometimes, when playing with MIME type the download dialog shows "Download.aspx". Seems that you're trying to download the page, but actually is the correct file.
This happens with ZIP extension and here is my code (pretty standard I think):
this.Response.Clear();
this.Response.ClearHeaders();
this.Response.ClearContent();
this.Response.AddHeader("Content–Disposition", "attachment; filename=" + file.Name);
this.Response.AddHeader("Content-Length", file.Length.ToString());
this.Response.ContentType = GETCONTENTYPE(System.IO.Path.GetExtension(file.Name));
this.Response.TransmitFile(file.FullName);
this.Response.End();
The GetContentType function just returns the MIME for the file. I tried with application/x-zip-compressed, multipart/x-zip and of course application/zip. With application/zip Internet Explorer 8 shows XML error.
Any help with be very appreciated.
Greetings,
I'm looking at what I've done to handle a similar mechanism, and here's the steps I'm doing (bold item seemingly the only real difference):
Response.Clear();
Response.AddHeader("content-disposition", string.Format("attachment; filename={0}", fileName));
Response.ContentType = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"; // Excel 2007 format
// ... doing work...
Response.AddHeader("Content-Length", outputFileInfo.Length.ToString());
Response.TransmitFile(outputFileInfo.ToString());
HttpContext.Current.Response.End(); // <--This seems to be the only major difference
Although this.Response and HttpContext.Current.Response should be the same, it may not be for some reason.
I think something like Response.Redirect(ResolveUrl(file.FullName)) instead of Response.TransmitFile(file.FullName) is what you intended. It sounds like you actually want their browser to point at the file, not just transmit the file as a response to the current the request.
Edit: Also see this SO question How to retrieve and download server files (File.Exists and URL)
Update: Based on your feedback, i think this is what you're looking for.
For Excel export
Response.AddHeader("content-disposition", string.Format("attachment; filename={0}.xls", fileName));
It worked for me with IE and Firefox.