[dancer-users] Why does send_file() require a path relative to pubdir?

Warren Young warren at etr-usa.com
Mon Mar 24 13:55:45 GMT 2014

Dancer::send_file() gives a "No such file" error if you pass it an 
absolute path or one that is not directly relative to $pubdir.

I'm using send_file() to send dynamically generated PDF files to the 
client from behind pretty routes.  That is, I want '/pdf/foo.pdf' to 
generate and send:


The generated PDF file has the user name in it so that other users don't 
clobber each others' generated PDFs.  The file name contains a timestamp 
because the data that goes into the PDF changes frequently, so a second 
access of the URL needs to re-generate the PDF.

Because of all this dynamic generation, I'm doing the background work in 
this pdfbuild directory, because I don't want to expose the intermediate 

I've fixed this by putting the intermediate files in pdfbuild and the 
final output PDF in .../pdfbuild/../public/pdf but this effectively 
exposes all generated PDFs: any user can pull up any other user's 
dynamic PDF if they know another user name and can make sensible guesses 
about the timestamp.  Obviously I could add a nonce to the file name to 
make guessing impossible, but that's solving the symptom, rather than 
attacking the actual source of the problem.

Why doesn't send_file() just return a binary blob to Dancer, which it 
recognizes and inserts literally into the response content body?  Why 
does it care where on the filesystem that data comes from?

More information about the dancer-users mailing list