Can you receive UNC path from a browser file dialog prompt? - asp.net

We have a file upload in our ASP.NET MVC application that works fine. It engages the browser file dialog box and performs an upload on the selected file. Now, we're interested to receive the UNC path from the file (for different mapped drives) if possible. Can this be done?
What we'd like to do is if it's a non local resource, we'd like to pass up the UNC path rather upload since our server could access it much quicker.

The file input control will be able to use whatever the client computer can, be it UNC or local. The file will be uploaded via the client.
If you want to extract this path from the upload, this is not possible due to security considerations.
You may need to ask the user to input the file path to a text field in order to determine if it is local or on a network share, then decide what method to use in order to obtain the file.

Related

How to retrieve asp.net media / resources based on logged in user?

I have an asp.net web api project using token based authentication. my app uploaded and retrieve images and I keep file path in table_myfiles along with the uploaded user ID.
I would like the user to access only the files he have uploaded, which I can identify from the table.
How to protect my resources to restrict access to only to the user based on table_myfile ? And not to anyone without logging in or direct link / path ?
I have been searching for any possible solution for a week now , I think I should implement a middleware to manage access. But I couldn’t find any resources on how to implement the same.
Currently my api shows all resources just by directly accessing the file path/link.
The simple apporach is to remove the vitural folder, or that folders from the web site folders. That way, no simple URL exists for any of the files.
So, for a user to get/see/use/download a file? You present say a listview or some kind of grid (or repeater) that displays and lists out the files.
Then, when they want to download or view a file?
You use response.write and stream the file down to the client side.
Remember, on the server, code behind uses 100% clean and correct windows file paths. For any web based URL, then that folder must be in a valid path of the web site. When they type in a valid URL, it eventually gets translated to that given folder in the site (or a external folder provided when you create a mapped "virtual" folder in IIS. However, if you don't provide that virtual folder, or the folder is NOT in the web site file/folder sets, then no valid URL's exist. However, that folder can be directly used and hit with code behind - any valid server path/folder name is allowed in code behind.
Because when streaming the file, you need path name, file name, AND ALSO the "mine" type. Thankfully, .net 4.5 or later has this ability.
so, from a database (table) I display the file names like this:
But, if you click on the preview image, that is a image button.
The code behind simply gets/grabs the file name from the database.
I then download (stream) the file to the browser side like this:
if (File.Exists(strInternalFullPath))
{
string strConType = MimeMapping.GetMimeMapping(strInternalFullPath);
binFile = File.ReadAllBytes(strInternalFullPath);
Response.ContentType = strConType;
Response.AppendHeader("Content-Disposition", "attachment; filename=" + Path.GetFileName(strWebUrl));
Response.BinaryWrite(binFile);
Response.End();
}
else
MyToast2(this, btnLink.ClientID.ToString, "File Not found", "We no longer have this file avaiable.");
so, this buttion behaves 100% like a link, but there are no existing URL's or path name that points to the files folder from a web based URL.
Remember:
Web based URLs - they auto map from the web site URL to a existing folder.
You can use server.MapPath("some url to file") to "translate" this to a internal file name.
Code based files:
In your .net code (code behind) ANY file name is a standard plane, jane file name that points to a file on the server.
so, once we have that file name from the database, you can steam the file as if the user clicked on a link. But you never have to expose the actual file name, or file path. And no such valid URL's exist on the web site, since you do NOT have that files folder in the web site folder hierarchy - but placed that folder outside of the web site.
As long as that folder is outside of the web folders, and as long as you don't setup a virtual folder that points to that folder outside the web folders?
Then code behind can STILL get/grab/see/use any file on the server. that code uses a full valid windows file name, - but the web site will have no mapping to such a folder - hence no valid URL's will exist or can be typed in.

Force file download in a browser using ASP.Net MVC when the file is located on a different server without downloading it on my server first

Here's what I would like to accomplish:
I have a file stored in Windows Azure Blob Storage (or for that matter any file which is not on my web server but accessible via a URL).
I want to force download a file without actually downloading the file on my web server first i.e. browser should automatically fetch the file from this external URL and prompts the user to download it.
Possible Solutions Explored:
Here's what I have explored so far (and why they won't work):
Using something like FileContentResult as described here Returning a file to View/Download in ASP.NET MVC to download the file. This solution would require me to fetch the contents on my server and then stream from my server to the browser. For this reason this solution won't work.
Using HTML 5 download attribute: HTML 5 download attribute would have worked perfectly fine however the problem is that while it is really a very neat solution, it is not supported in all browsers.
Changing the file's content type: Another thing I could do (at least for the files that I own) to change the content type property of the file to something that the browser wouldn't understand and thus would be forced to download the file. This might work in some browsers however not in all as IE is smart enough to go beyond the content type and sees the file's content to determine the content type. Furthermore if I don't own the files, then I won't have access to changing the content type of the file.
Simply put, in my controller action I should be able to specify the URL of the file and somehow browser should force download the file.
Is this something which can be accomplished? If yes, then any ideas how I could accomplish this?
Simply put, in my controller action I should be able to specify the URL of the file and somehow browser should force download the file [without exposing the URL of the file to the client].
You can't. If the final URL is to remain hidden, your server must serve the data, so your server must download the file from the URL.
Your client can't download a file it can't get the URL to.
You can create file transfer WCF service (REST) which will stream your content from blob storage or from other sources through your file managers to client browser directly by URL.
https://{service}/FileTransfer/DownloadFile/{id, synonym, filename etc}
Blob path won't be exposed, web application will be free from file transfer issues.

Creating a new file without using a ServletContext

Assume I want to write to a new file created within the space of my webapp.
One way would be use getServletContext().getRealPath("/") and use that String to create a new file on the server. However, often I come across advice like not using getServletContext().getRealPath("/").
Can someone please let me know of another way to write a new file within my webapp?
Many thanks.
Have some configuration property containing the absolute path of a directory outside of the webapp and web server path, read this path from the configuration property, and write to this directory.
To serve files from this directory, write a servlet that takes the name or ID of this file as parameter, reads the file from the directory, and sends its content to the response.
This will
work even if the app is deployed as a war file and never unzipped to the file system
allow you to redeploy the next version of the app or server without deleting all the uploaded/created files
allow you to add whatever control you want on the uploaded/created files, instead of making them available to everyone
In short, treat these files as data, stored in a database which happens to be the file system instead of a SQL database.

How do I allow the user to select the path for a file?

In an application I'm working on, the users are prompted for the path of a file. This path will always point to a network drive, which the server has access to.
Currently, we use an asp:FileUpload control to accomplish this, drawing the path from the FileUpload's PostedFile.FileName property.
The problem is that the files the user is selecting from are locked down pretty severely. While the server has full access to them, the user only has permission to view the directory contents... They can't even open the files. This has worked fine up until now... But Windows 7 won't display these files in the file picker generated by FileUpload, so we need an alternative.
Notes:
Looking for a way to get UI similar to the file open dialog already in place.
The ability to view the client's local files (including the shared network drives) is a bonus, although listing the files through the server is acceptable.
I think the problem is the permissions on these files. If the users can't even open them, how can their terminal possibly upload them to a website?
I'm surprised this has ever worked.
If the user is simply supplying a path and not actually uploading the file you could have the server display the contents of the folder (in a list or whatever) and the user selects from that.
So how about creating a file browser in a window, such that a user clicks "Pick File" which opens a new window showing the root contents of the network drive. The user can then navigate round the directories to the file they want, finally clicking the file to "upload".
Use System.IO Directory.GetFiles to get the files in a directory.
I think you need to separate out the two things. Here's an example prompt to convey the idea:
Select a (file from your computer) OR (file from the server)
Client Files
You can use the standard file-upload control, that is fine.
Server Files
No user should be selecting files from your sever with the upload-file dialog. (Keep in mind that these dialog boxes allow right-click menus delete, copy, properties, etc and locked down or not, the user should not think they have this ability).
I don't think there are any controls that will "do-it-all" for you in this manner. I think your best bet is to make your own interface here.

asp:FileUpload fetch the file Path

VS 2008
How to fetch the Full File path for the File Uploaded in asp.net ??
Either HTML or ASP.Net Server Control, i need to use File Upload - Browse feature and need to fetch the Complete file path.
My guess is Due to security reasons, ASP.Net does not support asp:FileUpload to deliver the Full File Path ..!
What would be the best way to get the file path ?
You can't do what you want by design (at least on modern browsers). This would be a security issue if you could.
You can read more about this here.
Snipit:
Historically, the HTML File Upload
Control () has been
the source of a significant number of
information disclosure
vulnerabilities. To resolve these
issues, two changes were made to the
behavior of the control.
To block attacks that rely on
“stealing” keystrokes to
surreptitiously trick the user into
typing a local file path into the
control, the File Path edit box is now
read-only. The user must explicitly
select a file for upload using the
File Browse dialog.
IE8 read-only File Path box
Additionally, the “Include local
directory path when uploading files”
URLAction has been set to "Disable"
for the Internet Zone. This change
prevents leakage of potentially
sensitive local file-system
information to the Internet. For
instance, rather than submitting the
full path
C:\users\ericlaw\documents\secret\image.png,
Internet Explorer 8 will now submit
only the filename image.png.

Resources