Restrict browsing an XML file using web.config - asp.net

I have an application where I have an XML file which holds the connection string.
When hit the URL with the exact file name it opens the file in the browser that is natural.
Now I need to restrict this file browsing and I can not change that code to do any redirect or anything else.
What I have tried is using denyurlsequences in the security tag in the web.config but it restricts the application too to access the file and that makes the application stop working.
I am using .NET Framework 2.0

The ".xml" file extension is not supported by ASP.NET pipeline that is why you cannot add it to web.config and restrict it. What you can do is to copy the xml file in the "App_Data" folder of your application.
The purpose of this folder is to hide it files from browsers/users and also is build for this type of data.
To create "App_Data" folder if it already does not exist :
Right click on your project -> Add ASP.NET Folder -> App_Data
Or just add a folder and call it App_Data

I know its old question but this answer may be helpful for others.
I did below configurations on IIS 8.5 ( make sure Request Filtering is installed on IIS.)
Open IIS and click on your application virtual directory.
In features View, Click on Request Filtering and then go to Hidden Segments tab - this tab will contain list of hidden files or folders. (like web.config, APP_data folder etc...)
Add file or folder you want to hide from the browsing by click on add hidden segment and mention file/folder name you want to hide and test it.
In our application we have a master xml file stored in an application folder, to deny browsing this xml file I had added the folder name in hidden segments and it worked.

Related

PDF is not accessible through URL in IIS .NET Framework 4.8 app

I have a PDF file in a folder on a server within a IIS website app that I need to be able to open through a link/url, like below:
https://api.example.com/my-path/my-pdf-file.pdf
The PDF file is hosted in a folder of my IIS application. When I try to access it through the link, I've got a 500 server error.
I tried several things within IIS settings (URL Rules, web.config, mime-types), but nothing worked so far.
Any advice will be much appreciated.
Is the folder included in the project? You can't just add a folder outside of Visual Studio, but have to use VS to add that folder.
You can right click on that existing folder (which of course is a sub folder of your project) and check this setting:
So, in my case, I right click on UpLoadFiles.
If the folder ALREADY is included in the project, then you get a option to EXCLUDE the folder like this:
However, if the folder is not included, then you see this:
so, is that folder included in your project? You want to check above.

How to retrieve asp.net media / resources based on logged in user?

I have an asp.net web api project using token based authentication. my app uploaded and retrieve images and I keep file path in table_myfiles along with the uploaded user ID.
I would like the user to access only the files he have uploaded, which I can identify from the table.
How to protect my resources to restrict access to only to the user based on table_myfile ? And not to anyone without logging in or direct link / path ?
I have been searching for any possible solution for a week now , I think I should implement a middleware to manage access. But I couldn’t find any resources on how to implement the same.
Currently my api shows all resources just by directly accessing the file path/link.
The simple apporach is to remove the vitural folder, or that folders from the web site folders. That way, no simple URL exists for any of the files.
So, for a user to get/see/use/download a file? You present say a listview or some kind of grid (or repeater) that displays and lists out the files.
Then, when they want to download or view a file?
You use response.write and stream the file down to the client side.
Remember, on the server, code behind uses 100% clean and correct windows file paths. For any web based URL, then that folder must be in a valid path of the web site. When they type in a valid URL, it eventually gets translated to that given folder in the site (or a external folder provided when you create a mapped "virtual" folder in IIS. However, if you don't provide that virtual folder, or the folder is NOT in the web site file/folder sets, then no valid URL's exist. However, that folder can be directly used and hit with code behind - any valid server path/folder name is allowed in code behind.
Because when streaming the file, you need path name, file name, AND ALSO the "mine" type. Thankfully, .net 4.5 or later has this ability.
so, from a database (table) I display the file names like this:
But, if you click on the preview image, that is a image button.
The code behind simply gets/grabs the file name from the database.
I then download (stream) the file to the browser side like this:
if (File.Exists(strInternalFullPath))
{
string strConType = MimeMapping.GetMimeMapping(strInternalFullPath);
binFile = File.ReadAllBytes(strInternalFullPath);
Response.ContentType = strConType;
Response.AppendHeader("Content-Disposition", "attachment; filename=" + Path.GetFileName(strWebUrl));
Response.BinaryWrite(binFile);
Response.End();
}
else
MyToast2(this, btnLink.ClientID.ToString, "File Not found", "We no longer have this file avaiable.");
so, this buttion behaves 100% like a link, but there are no existing URL's or path name that points to the files folder from a web based URL.
Remember:
Web based URLs - they auto map from the web site URL to a existing folder.
You can use server.MapPath("some url to file") to "translate" this to a internal file name.
Code based files:
In your .net code (code behind) ANY file name is a standard plane, jane file name that points to a file on the server.
so, once we have that file name from the database, you can steam the file as if the user clicked on a link. But you never have to expose the actual file name, or file path. And no such valid URL's exist on the web site, since you do NOT have that files folder in the web site folder hierarchy - but placed that folder outside of the web site.
As long as that folder is outside of the web folders, and as long as you don't setup a virtual folder that points to that folder outside the web folders?
Then code behind can STILL get/grab/see/use any file on the server. that code uses a full valid windows file name, - but the web site will have no mapping to such a folder - hence no valid URL's will exist or can be typed in.

Bluimp Backload folder reference issue with virtual directories

I am working on a solution which has two projects in it. One is a virtual app which works in another. The first application is the panel and the second is the website. First application can be accessed with "localhost:10001/panel" and the second with "localhost:10001". You see, I created a virtual path for the first app to work under the second one in Visual Studio and they work great that way.
The problem I am having now is about the file uplaod system, "Blueimp's jQuery-File-Upload" plugin and as backend using "Backload". I must say that these work great on a standalone project. That's why I decided to continue the project using these.
But when it comes to a setup which I explained below, I cannot access the files I upload. I installed fileupload system in the panel project, which is accessed as "localhost:10001/panel" so when I leave the default web.config configuration for backload (default is "~/files"), all files are uploaded to the "localhost:10001/panel/files" path. And after the upload when I refresh the page, all uploaded file links are referencing "localhost:10001/files/" without the "panel" folder.
In BackLoad web.config notes how to change and use root upload folders are explained like that
filesRoot: // Root upload folder. If the value starts with '~/' (e.g. ~/files) the path is relative to the web root, otherwise set an absolute local path (e.g. d:/files) [Default: "~/Files"].
I understand that having "~/" at the beggining of a folder reference shows the project's root. But I can't figure out how to reference the upload folder, instead of the default "~/files", to upload and access all files from the second project's root. When I need to reference folder between these two projects I simple use "../", or "/" to access the second project's (site) root. But doing that in "filesRoot" attribute of BackLoad config settings, all file references are starting "///file....." and shows a local path in the computer.
I simply want to upload and access the files from the "localhost:10001/files" location when I upload files from the panel. Now, I cannot even use the "localhost:10001/panel/files" path because files are uploaded to "panel/files" folder, but are accessed from "files" folder with default settings.
BTW: I am using BackLoad's WebForms Example on this project, and this is a Web Forms project.
I ended up using Files folder as a temp folder. At the time of submit, I move the file which is uploaded in Files folder, to the folder of my need. And the problem is solved.
Thanks anyway...

How to deploy XML file with my web application?

I've written an ASP.net web application. In the interest of following the advice in "The Pragmatic Programmer" to put application logic in configuration, I wrote a large XML file that describes various business rules.
When I test the application on my local development workstation, I copy the file to c:\xxxxx\myfile.xml and then write the code to read the file from this location.
What is the correct way to deploy this xml file as part of my web application so that it gets read from the directory in which the web application is deployed?
Update: The XML file in question is for server-side configuration and should never be available for download to the end-user.
If you're not embedding this as a resource, you should:
Create a directory under which this file will reside.
Create the file and set its Build Action to Content.
Create a web.config file in that directory which forbids access to the directory so you don't expose your business rules to the Internet.
Add a setting in your application's main web.config that gives the path to this file relative to the root of the application, i.e. "~/MySecureFolder/MyBusinessRules.Xml".
Have some code that calls HttpServerUtility.MapPath Method to convert the value from the setting in web.config to a virtual path.
I don't know if this is what you want - Click on the XML file, then open the Property Window and find the "Build Action" property. Set the value to "Embedded Resources"
I think what you need to do is:
Add the XML file to your web application project in Visual Studio
Right click on the file and select 'Properties...'
Set the Build Action to 'Content' and Copy to Output Directory to 'Do not copy'
this will ensure that your XML file is deployed along with the rest of your web app.
If you want to make available your XML file from http requests to your server, you should
place it in your web publication folder.
This ASP instruction should help you to find your publication path:
Request.ServerVariables("APPL_PHYSICAL_PATH")

ASP.NET Web.config question

The server is IIS7.
Is there a way to disable web.config files in subfolders?
I am asking because, I have a folder on the web server that is for uploads. When someone uploads files, a new folder is created for the user's session and the files they upload go in the folder.
So the path to uploads would be like this:
~/uploads/3F2504E0-4F89-11D3-9A0C-0305E82C3301/somefile.txt
In the ~/uploads/ directory there is a web.config file that removes all http handlers except the static file handler and adds a wildcard mime type. So every file that a user uploads will only ever be served statically.
If a user uploads a web.config file, I want to disallow any of the settings in that file from being applied.
How can I do this?
EDIT
Could I just make the upload folder an application that is a member of an application pool configured to run in Classic mode instead of Integrated Pipeline mode? That way it wouldn't even care about a web.config file.
EDIT 2
Is there another type of webserver I could install for serving all files statically? I could just access the files through a different port. Is there some software that I can be sure wont run any scripts and is safe.
I simply wouldn't allow them to upload a file with that name. In fact, I normally wouldn't trust any filename that the user gave me... makes a great candidate for an injection-style attack.
Ok I have a different angle on this...
What if your uploads folder was not part of the website and instead part of the file system? This way ASP.NET is not processing requests to the folder and thus web.config wouldn't be loaded by the ASP.NET runtime.
You'd have to give your app pool's account read/write access to the file system where these files are stored, but I think it better fits what you're trying to accomplish.
Obviously it could be done in code.
If the folders always exist, you could pre-populate with a web.config with no (significant) content and an ACL to ensure it cannot be overwritten, but looking at the path it I suspect you create the upload folders dynamically which means this would not work.
I don't believe there is a way to tell IIS not to use a web.config (but I could be wrong). Personally, I would add a check to my save code and rename the file.
Why not just check the filename first to prevent the user from uploading a file named web.config? You're probably going to want to check for other things too before allowing the upload - files that are too big, etc.

Resources