
c# - How Secure is string sysPath = "C:/Inetpub/vhosts/..."

Problem description:

I have a little more detailed question, FileUpload from Subdomain to Folder of Main Domain, which I kinda solved, but I'm just not sure how secure my solution is.

In short, a logged in person can upload files, but they're on subdomain and the files are getting stored in the parent domain's folders. So I'm using:

    string sysPath = "C:/Inetpub/vhosts/domain.com/httpdocs/Uploads/Files/";

Is this acceptable?

User answer:

I'm assuming you're asking if these files are safe from unauthorized access. The answer is "Not really". Those files are accessible by anyone able to guess (or otherwise obtain) the path to the files. I'd recommend storing them outside of the Inetpub folder (something like C:\Uploads\). Once you've authenticated your user (i.e. the user is logged in somehow) you can stream/send the file like this:

    Response.Clear();
    Response.ContentType = "application/octet-stream";
    Response.AddHeader("Content-Disposition", "attachment; filename=\"" + filename + "\"");
    Response.TransmitFile(fullFilePath);
    Response.End();

filename is just the file name, not the full path.

EDIT: A little bit more detail

When you upload the file (as described in your other post) just be sure to store the file in a directory that doesn't include Inetpub. So, say your user uploads a file called foo.gif. You'll want to store it at C:\Uploads\foo.gif (in your upload.aspx). Now when someone visits Download.aspx run the following code:

    Response.Clear();
    Response.ContentType = "application/octet-stream";
    Response.AddHeader("Content-Disposition", "attachment; filename=\"foo.gif\"");
    Response.TransmitFile(@"C:\uploads\foo.gif");
    Response.End();

I've shown the values hard coded for clarity.
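
The download step above with a request-supplied file name instead of the hard-coded one, as an added example (not code from the original answer). The `DownloadHandler` class, the `file` query parameter and the `ResolveUploadPath` helper are assumptions, and the file-name check goes beyond what the answer shows: it keeps a requested name from resolving outside `C:\Uploads\`.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical handler (e.g. mapped to Download.ashx); not from the original answer.
public class DownloadHandler : IHttpHandler
{
    // Assumed upload root outside Inetpub, as the answer recommends.
    private static readonly string UploadRoot = @"C:\Uploads\";

    public bool IsReusable { get { return true; } }

    // Returns the full path for a bare file name under root, or null when the
    // name is empty, has directory parts, or resolves outside the root.
    public static string ResolveUploadPath(string root, string requestedName)
    {
        if (string.IsNullOrWhiteSpace(requestedName)) return null;

        // On Windows this rejects '\', '/', ':', '"' and control characters,
        // so "..\web.config", "C:\x" and header-breaking names all fail here.
        if (requestedName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;

        string rootFull = Path.GetFullPath(root);
        if (!rootFull.EndsWith(Path.DirectorySeparatorChar.ToString()))
            rootFull += Path.DirectorySeparatorChar;

        // Canonicalise, then confirm the result still sits under the root
        // (catches "." and "..", which contain no invalid characters).
        string full = Path.GetFullPath(Path.Combine(rootFull, requestedName));
        return full.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    public void ProcessRequest(HttpContext context)
    {
        // Only logged-in users may download.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        { context.Response.StatusCode = 401; return; }

        string path = ResolveUploadPath(UploadRoot, context.Request.QueryString["file"]);
        if (path == null || !File.Exists(path)) { context.Response.StatusCode = 404; return; }

        context.Response.Clear();
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(path) + "\"");
        context.Response.TransmitFile(path);
        context.Response.End();
    }
}
```

Being logged in is the only access check here; if files belong to individual users, an ownership lookup is needed before `TransmitFile`.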
