I currently have a asp.net site that allows users to upload files and subsequently view them using HTTP. Is there a simple way to prevent a user from uploading a malicious script/file onto my server then attempting to run that script by calling its directory via http?
You have to remove the ASP script mapping on that particular folder.
Read the complete answer by Steve Schofield here.
Related
Currently, in order to push my website live I upload files to the server via FTP using FileZilla. If a user reloads the site when I'm pushing over the website DLL, they'll get a File is being used by another process type of error.
Are there any better pushover techniques I can make use of to get around this issue or any techniques that are generally better than using at FTP client to upload my site?
You can always upload an app_offline.htm file while you are deploying the new site. If you do this in an asp.net application the user will be directed to the app_offline.html file no matter what page they try to load/reload. When you're ready for them to access the site again you simply remove/delete/rename the file (i usually just rename it so it's a simple rename to get the site back into offline mode).
http://weblogs.asp.net/dotnetstories/archive/2011/09/24/take-an-asp-net-application-offline.aspx
I have a web app made in asp.net mvc3. There is a facility to upload and download files using the application. Uploaded files will be stored in some folder under web root. I want allow downloading files to those who have access to the files only. No one should be able to download the file by directly pasting in the file URL.
I use shared hosting with limited IIS access. So what would be the best way to achieve this?
How are you storing the data on the access rights currently? It sounds like you are not going to be able to make use of IIS to control access to your files and will have to handle it yourself.
As this is the case, rather than link to the file directly you should store the files outside of your web root and then handle requests coming in for files through ASP.NET MVC using a GET method. At that point you can check the user's credentials, and if they have access you can serve the file.
I'm not too familiar with it, but it looks like ASP.NET MVC makes serving up files very easy with the ability to return a FileContentResult, supported by the Controller.File method (documentation here).
This blog post looks like a great start, and you would just need to insert your credential-checking logic into the Get method.
I'm developing a Web application, and there is a page when user must submit files which are saved into temporary folder on the server. If everything goes well, I send ajax request to the server to remove users uploaded file. But, if user closes the browser or shutdown the computer, I can't detect that.
In this case, what is the best way to gurantee that unused files are not stored forever? The site is developed in ASP.NET MVC and will be hosted on II7. Does IIS7 provides some configuration to deal with temporary files? Or I need to implement some service, which will be executed in a background with low priority and periodically check if there are "old" files to be removed?
Any help is very much appreciated.
I would have a windows service in the background to delete old files at some interval.
I have a system that allows the users to download some files, the user needs to login first and then he is autorized or not to download. The download page is Download.aspx?FileId=42 and the code within this page opens the file and keeps sending small chunks to the user. We made this because we needed to guarantee that only authorized users could download.
We recently moved this system to IIS7 and it is working properly, but I don't like the idea of having a custom c# code sending the chunks to the client, so I would like to know if there is a way of when a request to file.zip is made, a custom code is executed to authorize or not, and if it is authorized, I just tell IIS7 to proceed the download instead of running the code inside Download.aspx.
Is this possible?
Thanks!
Do a redirect to the zip file. Hide the zip file in a obscure location with non-regular naming. "Security through obscurity."
IIS7 has authorization that uses Forms or Windows authentication for all file types - if it's running in integrated pipeline mode. The syntax is just like that for ASP.NET applications, but it's in a different place in web.config, <system.web>. The rules can also be added using the IIS7 admin interface. There are a couple of differences, IIS7 URL authorization evaluates rules from the parent down and deny rules take precedence.
I have a ASP.NET intranet application that has a document library section. The user can click on a link to a MS-Word document that resides on the server and can then edit the document if required within the browser (IE).
The problem is that when they come to save their changes it needs to write it back to the server but instead wants to save it on their local system.
Any ideas how I can get it to save back to the main server ?
Thanks in advance.
you need to upload the file back to the server.
Is this a internet or intranet application? if intranet you could save directly to \\myServer\myFolder\...
If it's a internet application, so the end user does not access to the server files directly you need to create a Office Add In (using Visual Studio Tools for Office), called "Save to Server" and that will run "http://www.mydomain.com/updatefile.aspx" and that page will do a Update.
remember, Update with a filename diferent from the original, and if the update was ok, then delete the old, and rename the new (or give the user a version system and rename the file on the server to [myFile]_[currentDate].docx for example.
links:
How to upload a file to a Web server in ASP.NET by using Visual C# .NET
The link to the word document can be a file:// url.
Using this method the user can open the file directly on the share.
Assuming your intranet applicaiton supports writing back to the server, you would need to give the account that the web application runs as permission to write to the folder the documents are stored in, unless it is using impersonation then the users it is impersonating would need ther permissions.