From: Bill Caton
To: Rick Strahl
Ok, that's good info. We'll look at implementing this. Thanks for taking the time to provide it.
Bill
You can store files anywhere you like, but my general feeling is that it's OK to upload into the virtual folder structure as long as you disable direct access.
In general for uploads I use a temp folder to hold the files uploaded (/temp) with that folder having access denied for all unauthenticated or non-admin users. The application then copies the files to where they need to go when the upload completes. This may also be within the application structure, but typically some sort of post processing needs to happen especially with images.
Blocking the folder is as easy as adding a <location> tag into web.config:
<location path="admin">
    <system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>
This denies all unauthenticated users access to the uploads folder. You can play around with the authorization like denying everybody and allowing certain users or groups.
+++ Rick ---
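
An added example, not part of either message above: one way to lock down the /temp staging folder so that only one group can reach it and nothing uploaded into it can run. It assumes IIS 7 or later in integrated pipeline mode with the URL Authorization feature installed; the role name "Admins" is a placeholder.

```xml
<configuration>
  <!-- "temp" is the upload staging folder; "Admins" is an assumed role name. -->
  <location path="temp">
    <system.web>
      <authorization>
        <!-- ASP.NET uses the first rule that matches, so the allow must precede the deny. -->
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <security>
        <!-- IIS URL Authorization: covers requests ASP.NET does not handle, such as static files. -->
        <authorization>
          <!-- Remove the inherited allow-everyone rule; requests matching no rule are denied. -->
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="Admins" />
        </authorization>
      </security>
      <!-- Read without Script or Execute: handlers that run code (for example .aspx) are refused here. -->
      <handlers accessPolicy="Read" />
    </system.webServer>
  </location>
</configuration>
```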
I do not want to place it there due to the possibility of security issues. Are there accepted practices for the placement of application file upload folders? Is this documented anywhere?
Thanks,
Bill