Security of an ASP.NET MVC application when action methods are called from JavaScript
I have added the Authentication attribute on controller classes which are for admin purposes, like adding and removing categories and products. All such controllers (ManageCategory, ManageProduct) are decorated with the following:
[Authorize(Roles = "Administrator")]
These controllers have Upload and Remove action methods which are invoked by jQuery from the rendered view. Since the client script doesn't use the URL or a postback, I am a bit skeptical whether someone can bypass the controller authorization. These action methods are very sensitive because they provide the ability to remove a file on the server. The following is the code of the Remove action method.
[HttpPost]
public ActionResult Remove(string fileName)
{
    // Map the app-relative name to a physical path under the site root
    string completFileName = Server.MapPath("~" + fileName);
    // Delete the file and tell the jQuery caller it succeeded
    System.IO.File.Delete(completFileName);
    return Json(true);
}
Though this action method resides in a controller with authorization, can someone still reach it without logging in? Should I be worried and do something else, or will one always need to be authorized as administrator before accessing this?
I'm not sure what you mean by...
AJAX requests from client script send cookies just the same as regular page requests - have a look at the headers of an AJAX request using Firebug or Fiddler or some such tool.
This includes the .ASPXAUTH cookie which standard ASP.NET authentication uses. The controller will perform exactly the same authentication checks on an AJAX request as it would on a normal page request.
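As an added example (not code from the question or either answer), here is the Remove action rewritten so that the authorization the answers describe is visible on the action itself, the AJAX post is protected against cross-site request forgery, and the deleted file is confined to one folder; the folder name ~/Uploads and the controller name are assumptions.

```csharp
using System;
using System.IO;
using System.Web.Mvc;

// Controller-level attribute exactly as in the question: it covers every
// action here, whether the request is a normal form post or a jQuery AJAX call.
[Authorize(Roles = "Administrator")]
public class ManageProductController : Controller
{
    // Assumed location of uploaded files; the question does not name one.
    private const string UploadRoot = "~/Uploads";

    [HttpPost]
    [Authorize(Roles = "Administrator")] // repeated on the action so a later refactor cannot silently drop it
    [ValidateAntiForgeryToken]          // the jQuery call must post the __RequestVerificationToken field
    public ActionResult Remove(string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName))
            return new HttpStatusCodeResult(400, "fileName is required");

        string root = Path.GetFullPath(Server.MapPath(UploadRoot))
                          .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full;
        try
        {
            // Resolve the requested name against the upload folder; GetFullPath
            // collapses any ".." segments so the containment check below is meaningful.
            full = Path.GetFullPath(Path.Combine(root, fileName));
        }
        catch (ArgumentException)
        {
            return new HttpStatusCodeResult(400, "invalid fileName");
        }

        // Refuse anything that resolved outside the upload folder
        // (a rooted path or a "../" sequence ends up here).
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(403, "path outside upload folder");

        if (!System.IO.File.Exists(full))
            return new HttpStatusCodeResult(404);

        System.IO.File.Delete(full);
        return Json(true);
    }
}
```

Because the browser attaches the .ASPXAUTH cookie to the AJAX request, the [Authorize] check is applied to it like any other request; the added [ValidateAntiForgeryToken] means the view must render @Html.AntiForgeryToken() and the jQuery call must include that token in its POST data.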
Controller level attributes are applied to all actions in that controller, so Upload() and Remove() will behave as though they are decorated with: