Mvc 3 - 控制器作为图像处理程序,如何传递路径?
我正在尝试使用控制器作为图像处理程序,但如何传递到它的路径?
现在它看起来像这样(适用于没有路径的图像):
public void GetImage(string parameter)
{
var imageHandler = UnityGlobalContainer.Container.Resolve<IImageHandler>();
imageHandler.ProcessRequest(parameter);
}
但是如果我尝试发送路径folder1\folder2\folder3\picture.jpg,那么它会失败。
@Html.ActionLink("Show", "GetImage", "Utility", new { parameter = @"folder1\folder2\folder3\picture.jpg" }, new { })
产生这个: http://localhost:58359/Utility/GetImage/folder1%5Cfolder2%5Cfolder3 %5Cpicture.jpg
这会导致: HTTP 错误 400 - 错误请求。
如何使用正常的 mvc 方法将路径传递给控制器? (我使用的是反斜杠而不是正斜杠) 我还在参数上使用 HttpUtility.UrlEncode 进行了测试。
I am trying to use a controller as an image handler, but how do i pass in a path to it?
Right now it looks like this (works for images without a path):
public void GetImage(string parameter)
{
var imageHandler = UnityGlobalContainer.Container.Resolve<IImageHandler>();
imageHandler.ProcessRequest(parameter);
}
But if i try to send in the path folder1\folder2\folder3\picture.jpg then it fails.
@Html.ActionLink("Show", "GetImage", "Utility", new { parameter = @"folder1\folder2\folder3\picture.jpg" }, new { })
produces this:
http://localhost:58359/Utility/GetImage/folder1%5Cfolder2%5Cfolder3%5Cpicture.jpg
and that leads to:
HTTP Error 400 - Bad Request.
How can i pass in a path to the controller using the normal mvc approach?
(I am using backward slashes and not forward slashes)
I have also tested using HttpUtility.UrlEncode on the parameter.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
根据您的代码: html页面中生成的链接应该是:
http://localhost:58359/Utility/GetImage?parameter=folder1 %5Cfolder2%5Cfolder3%5Cpicture.jpg
并且在操作方法中参数变量应正确设置为“folder1\folder2\folder3\picture.jpg”。
请注意,您可能容易受到此处目录遍历的攻击。
According to your code: The produced link in the html page should be:
http://localhost:58359/Utility/GetImage?parameter=folder1%5Cfolder2%5Cfolder3%5Cpicture.jpg
and the parameter variable should be correctly set to "folder1\folder2\folder3\picture.jpg" in the action method.
Notice that you might be vulnerable to directory traversal here.
在 .NET 4.0 beta 2 中,CLR 团队提供了一种解决方法。
将其添加到您的 web.config 文件中:
这会导致 Uri 类根据描述 URI 的 RFC 进行操作,从而允许在路径中转义斜杠而不进行转义。 CLR 团队报告说,出于安全原因,他们偏离了规范,并且在 .config 文件中进行设置基本上可以让您承担与不转义斜线相关的额外安全考虑。
In .NET 4.0 beta 2, the CLR team has offered a workaround.
Add this to your web.config file:
This causes the Uri class to behave according to the RFC describing URIs, allowing for slashes to be escaped in the path without being unescaped. The CLR team reports they deviate from the spec for security reasons, and setting this in your .config file basically makes you take ownership of the additional security considerations involved in not unescaping the slashes.
你不能只解码参数吗?
http://msdn.microsoft.com/en-us/library/6196h3wt.aspx
Can you not just decode the parameter?
http://msdn.microsoft.com/en-us/library/6196h3wt.aspx
不要将文件名参数称为“参数”,并在路由中定义它,而是将其称为“文件名”,并且不要在路由中定义它。
您的操作代码将是相同的,但文件名将不再是路由的一部分,而只是一个普通的 URL 参数。
如果您因不喜欢 URL 参数而受到本季时尚的困扰,那么您可能会觉得这令人反感,但这只是时尚,可以安全地忽略。
就我个人而言,我不会将这样的路径传递到网络应用程序中,因为我绝对会偏执于错误地创建遍历威胁 - 我只传递无路径的文件名,根据列表验证它们,然后获取文件。
Instead of calling the filename parameter 'parameter', and defining it in your route, call it 'filename' and DON'T define it in your route.
Your action code will be the same, but the filename will stop being part of the route and just be an ordinary URL parameter.
If you're afflicted by this season's fashion for disliking URL parameters, then you might find this repugnant, but that's just fashion and can safely be ignored.
Personally, I wouldn't pass paths like this into a web app, because I would be absolutely paranoid about creating traversal threats by mistake - I only ever pass in path-free filenames, validate them against a list and then fetch the file.