Application Upload File Folder
Message
General information
Forum: ASP.NET
Category: Other
Miscellaneous
Thread ID: 01570198
Message ID: 01570789
Views: 36
Good to know this info. We will be implementing this to secure the attachment file folder. Easy to be a little paranoid about web-related security. Thanks for taking the time to respond.

Bill

>>My main purpose was to gain an understanding of the security issues and methodologies to safely implement the folder(s) under the current incarnation of IIS and the MS' security model. Still got lots to learn and this stuff seems to change all the time.
>>
>
>The security issues pretty much stay the same and ASP.NET security hasn't changed much over the years. IIS either, although the process is a little different as the tools have changed.
>
>Ultimately it's very easy to lock down a folder in your app. With ASP.NET it's super easy just by adding a `<location>` tag into web.config and removing unauthenticated or all users. Since it's in the config file it's portable, so if the app moves the permissions go with it (i.e. there's no way to forget to protect the folder).
>
>+++ Rick ---
>
>>Bill
>>
>>>Do whatever makes sense. I tend to put uploaded files into the virtual folder structure, then protect the folder with a location tag that disallows all users. There's no risk there as long as you set the access appropriately.
>>>
>>>One reason this is often desirable is that the Web application often doesn't have rights to write outside of the virtual folder structure. You also can't easily map paths with Server.MapPath(), which means you have to track the upload folder using config settings.
>>>
>>>And if you do allow uploading to a separate non-Web folder, realize that that has potential security issues as well. You're potentially opening yourself to other security issues as you now have a path that the Web server account has to have access to.
>>>
>>>Either way there are potential security issues with either of these approaches that require locking down security settings.
>>>
>>>+++ Rick ---
>>>
>>>>We have an ASP.NET application that requires uploading and storing of files. A developer here wants to place the upload attachment folder within the application physical folder structure associated with the virtual directories.
>>>>
>>>>I do not want to place it there due to the possibility of security issues. Are there accepted practices for the placement of application file upload folders? Is this documented anywhere?
>>>>
>>>>Thanks,
>>>>Bill
William A. Caton III
Software Engineer
MAXIMUS
Atlanta, Ga.
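
The `<location>` lock-down discussed in this thread, as an added example that is not code posted by any participant. The folder name `Uploads` is an assumption, and the `system.webServer` block assumes IIS 7 or later with the URL Authorization feature installed.

```xml
<!-- web.config at the application root. "Uploads" is an assumed folder name. -->
<configuration>
  <location path="Uploads">

    <!-- ASP.NET URL authorization. It only covers requests that ASP.NET
         itself processes, so on its own it may not stop IIS from serving
         static files (.pdf, .jpg, ...) straight out of the folder. -->
    <system.web>
      <authorization>
        <!-- Variant A: remove all users. Nothing in the folder can be
             requested by URL; the application reads the files from disk. -->
        <deny users="*" />
        <!-- Variant B, used instead of A: remove only unauthenticated users.
             <deny users="?" />
        -->
      </authorization>
    </system.web>

    <!-- Assumption: IIS 7+ with URL Authorization installed. This native
         module applies to every request under the path, static files
         included, and closes the gap described above. -->
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Deny" users="*" />
        </authorization>
      </security>
    </system.webServer>

  </location>
</configuration>
```

With all users denied, a download has to go through application code that checks the caller and streams the file from disk. To check the setting after deployment, request a known uploaded file by its direct URL while signed out and confirm the response is a 401 or a login redirect, not the file.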