How Secure is string sysPath = "C:/Inetpub/vhosts/..."

Question

I have a little more detailed question, FileUpload from Subdomain to Folder of Main Domain, which I kinda solved, but I'm just not sure how secure my solution is.

In short, a logged in person can upload files, but they're on subdomain and the files are getting stored in the parent domain's folders. So I'm using:

    string sysPath = "C:/Inetpub/vhosts/domain.com/httpdocs/Uploads/Files/";

Is that acceptable?

Recommended answer

I'm assuming you're asking if these files are safe from unauthorized access. The answer is "Not really". Those files are accessible by anyone able to guess (or otherwise obtain) the path to the files. I'd recommend storing them outside of the Inetpub folder (Something like C:\Uploads\). Once you've authenticated your user (i.e. the user is logged in somehow) you can stream/send the file like this:

    Response.Clear();
    Response.ContentType = "application/octet-stream";
    Response.AddHeader("Content-Disposition", "attachment; filename=\"" + filename + "\"");
    Response.TransmitFile(fullFilePath);
    Response.End();

filename is just the file name, not the full path.

Edit: a little more detail

When you upload the file (as described in your other post) just be sure to store the file in a directory that doesn't include Inetpub. So, say your user uploads a file called foo.gif. You'll want to store it at C:\Uploads\foo.gif (in your upload.aspx). Now when someone visits Download.aspx run the following code:

    Response.Clear();
    Response.ContentType = "application/octet-stream";
    Response.AddHeader("Content-Disposition", "attachment; filename=\"foo.gif\"");
    Response.TransmitFile(@"C:\uploads\foo.gif");
    Response.End();

I've shown the values hard coded for clarity.
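The download step from the answer with the values no longer hard coded, as an added example that is not part of the original answer. The handler name `DownloadHandler` and the `file` query parameter are assumptions; `C:\Uploads\` is the storage root the answer suggests.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical handler; wire it up as Download.ashx or call the same logic from Download.aspx.
public class DownloadHandler : IHttpHandler
{
    // Storage root outside Inetpub, so IIS never serves these files directly.
    private const string UploadRoot = @"C:\Uploads\";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Only logged-in users may download.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        string fullPath = ResolveUpload(context.Request.QueryString["file"]);
        if (fullPath == null)
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.Clear();
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fullPath) + "\"");
        context.Response.TransmitFile(fullPath);
    }

    // Returns the full path of an existing file directly under UploadRoot, or null.
    public static string ResolveUpload(string requested)
    {
        if (string.IsNullOrEmpty(requested)) return null;
        // Bare file name only: rejects separators, quotes, colons and control characters.
        if (requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;

        string fullPath = Path.GetFullPath(Path.Combine(UploadRoot, requested));
        // Catches names such as ".." that resolve outside the storage root.
        if (!fullPath.StartsWith(UploadRoot, StringComparison.OrdinalIgnoreCase)) return null;

        return File.Exists(fullPath) ? fullPath : null;
    }
}
```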
