Prevent direct access to files in a folder by typing the URL

Published 2025-01-23 03:44:29 · 471 characters · 4 views · 0 comments

There is an ASP.NET WebForms application hosted on IIS. There are PDF and image files in a project folder called upload.

Those files in the upload folder can be accessed through links in the web application. Users are authenticated via a username and password that are stored in the database.

Anyone can access the PDF and image files by typing the URL (example: https//myapplication.com/uploads/11%20pics.pdf) in the browser without logging into the system.

Is there a way to restrict the URL so that only logged-in users can access them?

I have tried to deny Read access for the IUSR user on the folder, but that stops logged-in users from viewing the file.


缪败 2025-01-30 03:44:29

Actually, a much simpler way to do this?

Since you NEVER want any user or anyone to type in that URL?

Then just use Internet security settings on that folder. Remember, code-behind does NOT use the web-based URLs, and MORE important, it does not respect the IIS (web-based) URL security settings either!!!

Code-behind always uses plain Jane simple Windows file names.

You can try and mess around with actual folder rights, but you really don't need to.

All you have to do is "deny" any and all users by using the web-based security settings. You can easily do that by dropping a web.config file into the same folder as the UpLoadFiles folder.

Hence, just drop in a web.config like you do to secure all folders based on, say, role, and drop in this:

  <?xml version="1.0" encoding="utf-8"?>
  <configuration>
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </configuration>

So, now, if anyone tries to type in a URL, they will be denied access to that folder.

But your code-behind does NOT care about, does NOT use, and is oblivious to the URLs and that IIS security (web.config) file you use.

Your code-behind 100% ignores the logon rights, including role membership etc.

So, in code-behind, I can still freely open + read, and do whatever.

    Imports System.IO

    ' the "~/" URL is mapped to a plain Windows path; URL authorization never runs here
    Dim strFileURL As String = "~/UpLoadFiles/def.txt"
    Dim strInternalFile As String = Server.MapPath(strFileURL)

    Dim strbuf As String

    strbuf = File.ReadAllText(strInternalFile)

    Debug.Print(Len(strbuf))

However, you don't mention how those supposed "links" you have work. Since if we secure that folder from all users, then of course users can't use a hyperlink.

But that's not really a big deal, since if you are driving the uploaded files from a database, say by user, then in place of a "link" to download the file, just read and stream out the file to the user.

So, say we have this:

I don't know if you save JUST the file name, or the whole path name, in the database.

But say a simple grid like this:

<asp:GridView ID="Gfiles" runat="server" 
    DataKeyNames="ID" AutoGenerateColumns="False"  CssClass="table" >
    <Columns>
        <asp:BoundField  DataField="FileName" HeaderText="FileName"  />
        <asp:BoundField  DataField="Size" HeaderText="Size"  />
        <asp:BoundField  DataField="UpLoadTime" HeaderText="UpLoadTime"  />

        <asp:TemplateField HeaderText ="Download" ItemStyle-HorizontalAlign="Center">
            <ItemTemplate>
                <asp:Button ID="cmdDownLoad" runat="server" 
                    Text="Download" CssClass="btn"
                    OnClick="cmdDownLoad_Click"
                    />
            </ItemTemplate>
        </asp:TemplateField>
    </Columns>
</asp:GridView>

And say we load it up like this:

Imports System.Data
Imports System.Data.SqlClient

Protected Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click

    ' fixed query text, nothing from the request is concatenated in
    Dim strSQL As String = "SELECT * FROM MyUpLoadFiles ORDER BY UpLoadTime"
    Dim cmdSQL As New SqlCommand(strSQL)

    Gfiles.DataSource = MyRstP(cmdSQL)
    Gfiles.DataBind()
    ' hide up-loader
    AjaxFileUpload1.Visible = False

End Sub

' runs the command against the TEST4 connection string and returns the rows as a DataTable
Public Function MyRstP(cmdSQL As SqlCommand) As DataTable

    Dim rstData As New DataTable
    Using cmdSQL
        Using conn = New SqlConnection(My.Settings.TEST4)
            cmdSQL.Connection = conn
            conn.Open()
            rstData.Load(cmdSQL.ExecuteReader)
        End Using
    End Using
    Return rstData

End Function

And we now have this:

[screenshot of the populated file grid not included]

So, we do NOT use a hyperlink for the download.

We fetch the file name from that database.

Say, like this button click event for the grid view row:

Imports System.IO
Imports System.Web

Protected Sub cmdDownLoad_Click(sender As Object, e As EventArgs)

    Dim btn As Button = sender
    Dim gRow As GridViewRow = btn.NamingContainer

    ' BoundField HTML-encodes cell text, so decode it to get the stored name back
    Dim sFile As String = HttpUtility.HtmlDecode(gRow.Cells(0).Text)
    ' keep only the base name so the value can never climb out of UpLoadFiles
    sFile = Path.GetFileName(sFile)

    Dim sInternalFile = Server.MapPath("~/UpLoadFiles/" & sFile)
    ' now stream file down to browser
    If File.Exists(sInternalFile) Then

        Dim strConType As String = MimeMapping.GetMimeMapping(sInternalFile)

        Dim binFile As Byte() = File.ReadAllBytes(sInternalFile)
        Response.ContentType = strConType
        ' quote the name so spaces (e.g. "11 pics.pdf") survive the header
        Response.AppendHeader("Content-Disposition", "attachment; filename=""" & sFile & """")
        Response.BinaryWrite(binFile)
        Response.End()

    End If

End Sub

So now we prevent URLs, and in fact NEVER even have to expose where we tucked away the files. We only ever display the file name, but the path name and folder? Never exposed.

Of course, you would load the grid of files based on "user id" or some such.

And note that you DO have to include the "MIME" mapping type. This does require .NET 4.5 or later
(or you can save the MIME type in a database column).
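Two practitioner notes on the web.config approach in the answer above, followed by an added configuration example that is not part of the original post. First, the NTFS route tried in the question cannot work: with forms authentication every request, logged in or not, reads the file under the same worker-process (or IUSR) identity, so the file system cannot tell the two apart; the decision has to happen in the ASP.NET pipeline. Second, `<deny users="*" />` under `<system.web>` is enforced by ASP.NET's UrlAuthorizationModule, and in the IIS 7+ integrated pipeline that module (like FormsAuthenticationModule) carries the `managedHandler` precondition by default, so a request for a `.pdf` or `.jpg` is answered by the native static file handler before either module runs. The root web.config below turns the managed modules on for every request and expresses the folder rule as a `<location>` element in the root file instead of a web.config inside the upload folder, so that nothing written into that folder (which receives user uploads) can override it. The folder name `UpLoadFiles` follows the answer; the questioner's folder is `uploads`, so adjust the path accordingly. The login page name is an assumption.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Forms authentication as described in the question; loginUrl is assumed. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>
  </system.web>

  <system.webServer>
    <!-- Without this, static files are served by the native StaticFileModule
         before FormsAuthentication / UrlAuthorization ever see the request,
         and the <deny> below is never evaluated for .pdf or .jpg URLs. -->
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>

  <!-- Equivalent to the per-folder web.config from the answer, but kept in the
       application root so an uploaded "web.config" cannot replace it. -->
  <location path="UpLoadFiles">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A quick check after deploying: request `/UpLoadFiles/<existing file>` in a fresh browser session and confirm you are redirected to the login page (or get 401/403) rather than the file; if the file still downloads, the managed modules are not running for static content in that site.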
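The streaming handler in the answer keys the download off the file name shown in the grid. The following is an added example, not code from the original post, of the same idea with the checks a reviewer would ask for: the caller must be authenticated, the file is selected by its database ID with the owner check inside the parameterised query, and the stored name is resolved and verified to lie under the upload root before anything is sent. It is written as a generic handler (`Download.ashx`) so it works from a plain `<a href="Download.ashx?id=...">` link in the grid. Assumptions not taken from the page: the table `MyUpLoadFiles` has columns `ID`, `FileName` and `OwnerUserName`, the connection string is named `TEST4` in web.config, and `~/UpLoadFiles` is blocked for browser requests by the folder rule from the answer.

```vbnet
' Download.ashx.vb -- added example, not from the original post.
' Assumed schema: MyUpLoadFiles(ID int, FileName nvarchar, OwnerUserName nvarchar).
Imports System.Configuration
Imports System.Data.SqlClient
Imports System.IO
Imports System.Web

Public Class Download
    Implements IHttpHandler

    Public Sub ProcessRequest(context As HttpContext) Implements IHttpHandler.ProcessRequest
        ' 1. Nothing at all for anonymous callers.
        If Not context.User.Identity.IsAuthenticated Then
            context.Response.StatusCode = 401
            Return
        End If

        ' 2. The request names a row ID, never a file name or path.
        Dim id As Integer
        If Not Integer.TryParse(context.Request.QueryString("id"), id) Then
            context.Response.StatusCode = 400
            Return
        End If

        ' 3. Ownership is part of the query, so a user cannot reach another user's row.
        Dim fileName As String = Nothing
        Dim connStr As String = ConfigurationManager.ConnectionStrings("TEST4").ConnectionString
        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand(
                "SELECT FileName FROM MyUpLoadFiles WHERE ID = @id AND OwnerUserName = @user", conn)
                cmd.Parameters.AddWithValue("@id", id)
                cmd.Parameters.AddWithValue("@user", context.User.Identity.Name)
                conn.Open()
                fileName = TryCast(cmd.ExecuteScalar(), String)
            End Using
        End Using
        If String.IsNullOrEmpty(fileName) Then
            ' Unknown ID and someone else's file get the same answer.
            context.Response.StatusCode = 404
            Return
        End If

        ' 4. Defence in depth: the stored name must resolve inside the upload root.
        Dim root As String = Path.GetFullPath(context.Server.MapPath("~/UpLoadFiles"))
        Dim safeName As String = Path.GetFileName(fileName)
        Dim fullPath As String = Path.GetFullPath(Path.Combine(root, safeName))
        If Not fullPath.StartsWith(root & Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase) _
           OrElse Not File.Exists(fullPath) Then
            context.Response.StatusCode = 404
            Return
        End If

        ' 5. Stream the bytes; the browser only ever sees the handler URL and the base name.
        context.Response.ContentType = MimeMapping.GetMimeMapping(fullPath)
        context.Response.AppendHeader("Content-Disposition",
            "attachment; filename=""" & safeName.Replace("""", "") & """")
        context.Response.TransmitFile(fullPath)
        context.Response.Flush()
        ' CompleteRequest ends the response without the ThreadAbortException that Response.End raises.
        context.ApplicationInstance.CompleteRequest()
    End Sub

    Public ReadOnly Property IsReusable As Boolean Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property
End Class
```

In the grid, replace the download button with `<a href='Download.ashx?id=<%# Eval("ID") %>'>Download</a>` (the `DataKeyNames="ID"` column the answer's markup already binds). `Path.GetFileName` on its own already discards any directory part of the stored value; the `StartsWith` check is kept so that the handler still fails closed if the root path is ever changed to something that resolves outside the application.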
