Chapter 9. Using the File System

Most Web applications deal with files — accessing files on your server, generating files "on the fly," serving files from another server on your network, and allowing users to upload files. Each of these functions can introduce vulnerabilities into your application.

In this chapter, you will learn about the following:

  • How to access existing files safely

  • How to configure your server for secure file access

  • How to properly generate files

  • How to access remote files

  • How to handle user uploads

ACCESSING EXISTING FILES SAFELY

There are many reasons why a Web site may serve actual files in addition to Web pages. Sometimes, simply offering the user a direct download link is insufficient. Some Web sites may want to restrict certain content, or track downloads of software, music, images, or documents. To serve these files in a manner that enables access control or tracking they must be served via code, rather than a direct download URI.

TRY IT OUT: Serving Files Via Scripts

In this example, you will create a simple page that serves files through code, rather than a direct link. You may want to do this to perform logging before a file is downloaded, or to limit access to a file — something you cannot do if you use a simple link.

  1. Create a new Web application or Web site and create the following default.aspx:

    <%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/ ...

Get Beginning ASP.NET Security now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial