问题描述

我有一个C＃.net应用程序，允许用户上传文档。然后，将文档进行恶意软件扫描并保存。这些文件保存在共享文件并在上传文件夹中。份额文件是在一个单独的服务器上的企业内部网。该文件夹上传坐在同一个目录中的应用，而不是应用程序的一部分。主机服务器运行IIS 7目录列表了。

I have a c#.net application that allows users to upload documents. The documents are then scanned for malware and saved. These documents are saved in a share file and in an uploads folder. The share file is on the intranet on a separate server. The uploads folder sits in the same directory as the application, but is not part of the application. The host server is running iis 7 with directory listing off.

的问题是，如果一个外部用户能够猜出的命名约定和文件名，它们可以键入到一个浏览器和查看的文档。

The issue is that if an outside user is able to guess the naming convention and the file name, they can type that into a browser and view the document.

该应用程序在用户帐户下运行。我们已经尝试设置在上传文件夹的权限，只允许应用程序的用户帐户访问，没有工作。

The application runs under a user account. We have tried setting the permissions on the uploads folder to only allow the applications user account access, which did not work.

我也试过添加Web配置文件夹：

I also tried adding a web config to the folder:

<?xml version="1.0"?>
<configuration>
    <system.web>
      <authorization>
        <allow users="application_user_account" />
        <deny users="?" />
      </authorization>
    </system.web>
</configuration>

放置在上传文件夹内时，这没有工作，但是当它被意外放置在一级文件夹，服务器拒绝所有用户访问的环境中托管的所有应用程序。

This did not work when placed inside the uploads folder, but when it was accidentally placed in a folder one level up, the server denied all users access to all the applications hosted in the environment.

有没有人有在这种情况下preventing直接进入上传文件夹的解决方案？

Does anyone have a solution for preventing direct access to the uploads folder in this scenario?

推荐答案

移动文件夹上传到的App_Data 。

例如。 〜/ App_Data文件/上传

的App_Data 是无法从网上读到一个特殊的文件夹。

App_Data is a special folder that cannot be read from the web.

在导航到 example.com/App_Data/Uplo​​ads/Foo.docx 任何企图将导致授权错误。例如一个 HTTP响应..

Any attempt at navigating to example.com/App_Data/Uploads/Foo.docx will result in an authorisation error. e.g. An HTTP 403 Forbidden HTTP response..