问题描述
我有一个C#.net应用程序,允许用户上传文档。然后,将文档进行恶意软件扫描并保存。这些文件保存在共享文件并在上传文件夹中。份额文件是在一个单独的服务器上的企业内部网。该文件夹上传坐在同一个目录中的应用,而不是应用程序的一部分。主机服务器运行IIS 7目录列表了。
I have a c#.net application that allows users to upload documents. The documents are then scanned for malware and saved. These documents are saved in a share file and in an uploads folder. The share file is on the intranet on a separate server. The uploads folder sits in the same directory as the application, but is not part of the application. The host server is running iis 7 with directory listing off.
的问题是,如果一个外部用户能够猜出的命名约定和文件名,它们可以键入到一个浏览器和查看的文档。
The issue is that if an outside user is able to guess the naming convention and the file name, they can type that into a browser and view the document.
该应用程序在用户帐户下运行。我们已经尝试设置在上传文件夹的权限,只允许应用程序的用户帐户访问,没有工作。
The application runs under a user account. We have tried setting the permissions on the uploads folder to only allow the applications user account access, which did not work.
我也试过添加Web配置文件夹:
I also tried adding a web config to the folder:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="application_user_account" />
<deny users="?" />
</authorization>
</system.web>
</configuration>
放置在上传文件夹内时,这没有工作,但是当它被意外放置在一级文件夹,服务器拒绝所有用户访问的环境中托管的所有应用程序。
This did not work when placed inside the uploads folder, but when it was accidentally placed in a folder one level up, the server denied all users access to all the applications hosted in the environment.
有没有人有在这种情况下preventing直接进入上传文件夹的解决方案?
Does anyone have a solution for preventing direct access to the uploads folder in this scenario?
推荐答案
移动文件夹上传到的App_Data code>。
例如。 〜/ App_Data文件/上传
的App_Data code>是无法从网上读到一个特殊的文件夹。
App_Data
is a special folder that cannot be read from the web.
在导航到 example.com/App_Data/Uploads/Foo.docx
任何企图将导致授权错误。例如一个 HTTP响应..
Any attempt at navigating to example.com/App_Data/Uploads/Foo.docx
will result in an authorisation error. e.g. An HTTP 403 Forbidden
HTTP response..
这篇关于如何保护在网络形式的直接存取文件上传的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!