Wrox Programmer Forums
BOOK: Beginning ASP.NET Security
This is the forum to discuss the Wrox book Beginning ASP.NET Security by Barry Dorrans; ISBN: 978-0-470-74365-2
You are currently viewing the BOOK: Beginning ASP.NET Security section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
April 17th, 2012, 11:22 AM
Registered User

App_Data Accessibility pg 213

Hi,

I am posting this thread about a problem that I ran into while reading the section Making Static Files Secure, pg. 213.

I have put the two .txt files, Example1.txt and Example2.txt in the App_Data folder.

Then I requested the default page and I selected Example1.txt from the dropdownlist.

I got the http://localhost:53557/UsingFileSyst...e=example1.txt

and then I changed the URL, as follows
http://localhost:53557/UsingFileSyst...aspx?filename=
~/App_Data/example1.txt and I got the content of the example1.txt file!

My problem is that according to the book, on page 213

"The App_Data folder is configured so that any file it holds cannot be accessed via the browser"!

The code in the getfile.aspx.cs file is the following:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.IO;

public partial class getfile : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.Clear();

        // Commented out: reduces the request to a bare file name and looks it up inside App_Data.
        //string filename = Path.GetFileName(Request.QueryString["filename"]);
        //FileInfo file = new FileInfo(Server.MapPath(Path.Combine("App_Data", filename)));

        // Active: maps the raw query-string value to a physical path, so a virtual
        // path such as ~/App_Data/example1.txt is resolved as given.
        string filename = Request.QueryString["filename"];
        FileInfo file = new FileInfo(Server.MapPath(filename));

        // Send the file's length and contents to the client.
        Response.AddHeader("Content-Length", file.Length.ToString());
        Response.WriteFile(file.FullName);
        Response.End();
    }
}

I would like to thank you in advance for any response!
 
April 17th, 2012, 12:52 PM
Wrox Author

"The App_Data folder is configured so that any file it holds cannot be accessed via the browser"

The key here is "via the browser". You cannot, for example, load http://example.org/App_Data/example1.txt

However, you can do whatever you like in code, including loading files from C:\Windows should you so desire.
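The difference between the active lines in the posted handler and the two commented-out ones, as an added example that is not part of the thread or the book's code. The class name AppDataResolver, the Resolve helper and the sample root folder are assumptions, the inputs are constructed, and Path.GetFullPath stands in for Server.MapPath so the code runs as a console program.

```csharp
using System;
using System.IO;

static class AppDataResolver // hypothetical helper, not from the book
{
    // Returns the full path of a file directly inside appDataRoot, or null
    // when the request is empty or cannot be turned into a usable file name.
    public static string Resolve(string appDataRoot, string requested)
    {
        if (string.IsNullOrWhiteSpace(requested)) return null;
        try
        {
            // Keep only the last path segment, as the commented-out lines do.
            // '\' is normalised first so the result is the same on any OS.
            string name = Path.GetFileName(requested.Replace('\\', '/'));
            if (name.Length == 0 || name == "." || name == "..") return null;

            string root = Path.GetFullPath(appDataRoot);
            if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
                root += Path.DirectorySeparatorChar;

            // Defence in depth: the resolved path must still sit under the root.
            string full = Path.GetFullPath(Path.Combine(root, name));
            return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
        }
        catch (Exception ex) when (ex is ArgumentException ||
                                   ex is NotSupportedException ||
                                   ex is PathTooLongException)
        {
            return null; // malformed path input is treated as a rejected request
        }
    }

    static void Main()
    {
        // Constructed root and inputs; nothing is read from disk.
        string root = Path.Combine(Path.GetTempPath(), "site", "App_Data");
        string[] inputs = { "example1.txt", "~/App_Data/example1.txt",
                            "~/web.config", "../web.config", "..", "" };
        foreach (string input in inputs)
            Console.WriteLine("{0,-28} -> {1}", "\"" + input + "\"",
                              Resolve(root, input) ?? "(rejected)");
    }
}
```

Inputs such as ~/web.config are not rejected: they are reduced to web.config and looked up inside App_Data, so the handler can only ever return files from that one folder.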