Suppose we have a example.exe file.
we first put that file in a new folder
and then zip that folder with any zipping software,
Can we prevent that zipped folder upload in a website?
how can we do that?
You cannot prevent it, because you can't tell what the browser is going to submit before it submits it. All you can do is when the file arrives on the server, check the file extension - if it's an exe (or a .zip and you open it up and find an .exe) then reject it.
You can use something like SWFupload to get a handle on the file before it's uploaded, but the best that'll do is tell you the name of the file.
Besides, they could just take "example.exe" change the name to "example.txt" and still upload it...
You check on the server. Checking with javascript in form.onsubmit is dumb because its quite simple to post a form with a file to the same URL and skip your super secure javascript powered page.
Related
In my asp.net web application, I read the xml file for obtaining a key. If file is not present I show a form to enter the key details and then create the file.
First problem: My app does not recognize the file even if its there.
Second problem: I am running application on the server. When writing, rather overwriting the file, browser shows the username, password prompt before writing the file. If I enter admin credentials it allows to create a file.
I have checked all possible combinations of permissions on the file / folders, but could not resolve the problem.
Any ideas, what I could be missing here?
You read the xml file but is it as a part of your solution? If yes, are you reading it through relative path i.e. are you using Server.MapPath to read it like Server.MapPath("~/Files.test.xml")? Once you use relative path, I don't think it will ask you credentials as it still is in your project directory.
It should work. I am also reading and writing files in my web application.
If it still does not work, please tell me the way you are reading file.
Thanks,
I am trying to hook into the Wordpress file uploader and would like some suggestions. I would like to be able to grab the path of the source file (not WP path; i.e. K:\docs\file.pdf) so I can download another file of the same name (different extension) & path automatically (i.e. K:\docs\file.txt).
Wordpress provides hooks for after the file is uploaded but all path information at that point is internal to wordpress.
Thanks in advance!!
the path information can be obtained from normal php functions like pathinfo() and realpath() for example .
Bit too late to the party but I think what you are asking for is to find the source of the document in the clients system and based on that you want similar files there to be picked up by the browser and then sent to the user.
I think it will be a fairly complex thing to do, firstly you have to get the source of the document being added to the browser (I am not sure it can be done, but if it can be done then it will be via javascript) and then upload all the files one by one to the server hosting wordpress and you can do this by creating a custom page which will add the files uploaded to it as a wordpress attachment and then using something like jquery file uploader to upload files to that location.
But honestly, I think it would be a very complex thing, unless the client and the server are on the same machine.
Is there a way to get the select file dialog box open and putting the location of the file into a textbox without ever uploading the file?
ETA I'm using VB.NET in a web page. By using the asp:fileupload tag I can get the file location
_fudFileLocation.PostedFile.FileName_
But how do I prevent the file from being uploaded at all. We don't need it, just the file location. (The files are on a shared drive so if it's M:\documents\todayslunch.pdf for person A, it's the same for person B.)
You do not get access to the full filepath in the browser because of security.
If this was possible, one could get the full layout of the computer of anyone going to any website.
System.Web.HttpPostedFile.FileName gets the fully qualified name of the file on the client which includes the directory path.
I want to get complete file path using file upload control. I want to use them to get all the files from that directory.
Thanks.
You can't do this. If you could it would be a huge security hole and a risk to every user everywhere.
Can somebody tell me how to prevent exe file from being uploaded in a website , even if exe file is inside zip file( exe file in a new folder and new folder is then zipped and uploaded)?
Allow the users to upload the file (if is ZIP) and do a server-side check by unpacking the archive and evaluating its content.
Short answer: you can't.
Pedantic answer: Don't have users upload files.
Long answer:
What code is handling this uploaded file? What are you doing with it? This is where the security needs to happen. You can explicitly check the file extension in the post handler, but that only gets you so far, as you've already determined.
Some tips:
-Drop files in a secure location outside the web root.
-Don't give your ASP.NET process user more permissions than it needs
-Give them unique server-generated names and proper extensions.
-Do not call Shell.Execute on user-uploaded files. Duh.
What exactly are you trying to prevent here? Your question is difficult to answer as-is.