App_Data文件 - Web应用程序的数据目录。安全性如何呢？ [英] App_Data - Web application's data directory. How secure is it?

问题描述

在MSDN文档中的很多地方都可以找到App_Data目录的引用。例如<一个href=\"http://msdn.microsoft.com/en-us/library/system.web.security.authorizationstoreroleprovider.aspx\">here我们可以看到：

In many places in msdn documentation you can find references to App_Data directory. For example here we can read:

要在ASP.NET应用程序使用本地数据文件时提高安全性，你应该存储在App_Data目录中的数据文件。

To improve security when using a local data file in an ASP.NET application, you should store the data file in the App_Data directory.

和

存储在App_Data目录中的文件
  将不会投放到Web上。

Files stored in the App_Data directory will not be served to the Web.

我找不到这将指定如何是安全保障的直接参考。是否有任何IIS设置等，我应该注意，以确保我们把在App_Data目录中的文件突然不成为提供给大家。

I could not find a direct reference that would specify how is that security guaranteed. Are there any IIS settings etc. that I should watch out to ensure that the files we put in the App_Data directory suddenly do not become available to everyone.

推荐答案

该文件由一个被禁止的文件处理程序的保护。这是安全的，只要一切正在运行。有可能是，ASP.NET处理程序可以走下来只剩IIS上运行。在这种情况下，你的web.config文件和ASPX文件将担任连胜文的文件。

The files are protected by a forbidden file handler. That is safe so long as everything is running. There are possibilities that the ASP.NET handlers can go down leaving only IIS running. In those cases your web.config files and aspx files will be served as straight text files.

如果你的数据是不是真的敏感，它是存储数据的好地方。如果你有高度敏感的数据，将其存储在另一台机器上。

If you data isn't really sensitive, it is a good place to store data. If you have highly sensitive data, store it on another machine.

编辑：更多信息
你可以阅读更多关于禁止的文件处理程序在这里<一个href=\"http://msdn.microsoft.com/en-us/library/bya7fh0a.aspx\">http://msdn.microsoft.com/en-us/library/bya7fh0a.aspx.向下滚动，你会发现有在MDF中的根web.config文件中的条目。您通常位于C找到你的机器上的文件：\\ WINDOWS \\ Microsoft.NET \\框架\\ V2.0.50727 \\ CONFIG

More information You can read more about forbidden file handlers here http://msdn.microsoft.com/en-us/library/bya7fh0a.aspx. Scrolling down you will notice there is an entry in the "root web.config" file for mdfs. You can typically find this file on your machine at C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG

我找不到任何有关打倒asp.net，同时仍留有运行IIS太多信息，但如果你谷歌周围同类项要求下载的aspx或类似的东西，你可以找到有问题的人的报告（通常ASP.NET没有被正确配置），这将允许利用漏洞发生。我还没有看到这一点非常多，但它是可能的。

I couldn't find too much info about bringing down asp.net while still leaving iis running, but if you google around for terms like "asks to download aspx" or something like that you can find reports of people having issues (typically asp.net not being configured properly) which would allow for an exploit to occur. I haven't seen it happen very much, but it is possible.

这篇关于App_Data文件 - Web应用程序的数据目录。安全性如何呢？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！