Bypass Path traversal Filter

In my web application I remove these characters:

( < > : " / \ | ? * )

from my file download url to prevent Path traversal.

Is there any way to bypass this?

Is it secure?

Pouya Darabi Avatar asked Oct 21 '13 21:10



1 Answer

Check out the following guide: http://msdn.microsoft.com/en-us/library/ff647397.aspx but the relevant parts to your problem are highlighted below.

If you must accept file names as input, use the full name of the file by using System.IO.Path.GetFileName.

Also, if you want to further secure your site:

Using Code Access Security to Restrict File I/O

An administrator can restrict an application's file I/O to its own virtual directory hierarchy by configuring the application to run with Medium trust. In this event, .NET code access security ensures that no file access is permitted outside of the application's virtual directory hierarchy.

You configure an application to run with Medium trust by setting the <trust level="Medium" /> element in Web.config or Machine.config.

SilverlightFox Avatar answered Oct 22 '22 06:10

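A defensive way to apply the answer's advice, as an added C# example that is not from the MSDN guide or from either poster: Path.GetFileName discards any directory part of the input, and the resolved path is then canonicalised and checked against the download root, so the outcome no longer depends on which characters a blacklist strips. The SafeDownload class, the Resolve method and the download root directory are assumptions made for this example.

```csharp
using System;
using System.IO;

// Hypothetical helper (not from the MSDN guide): resolves a user-supplied
// download name to a path that is guaranteed to sit inside baseDir.
public static class SafeDownload
{
    public static string Resolve(string baseDir, string userInput)
    {
        if (string.IsNullOrWhiteSpace(userInput))
            throw new ArgumentException("empty file name");

        // Step 1 (the answer's advice): keep only the final path segment.
        // GetFileName drops everything up to the last directory separator.
        string name = Path.GetFileName(userInput);

        // Step 2: reject names that survive GetFileName but are still unsafe.
        if (name.Length == 0 || name == "." || name == ".." ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("invalid file name");

        // Step 3: canonicalise and confirm the result stays under baseDir.
        // This is an allow-list check on the resolved path, independent of
        // any character filtering applied earlier.
        string root = Path.GetFullPath(baseDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, name));

        if (!full.StartsWith(root, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("path escapes download root");

        return full;
    }

    public static void Main()
    {
        // Constructed example root; nothing is read or written.
        string root = Path.Combine(Path.GetTempPath(), "downloads");
        // Constructed inputs: a benign name and two traversal attempts, which
        // are neutralised (reduced to their last segment) rather than honoured.
        foreach (string input in new[] { "report.pdf", @"..\..\web.config", "../../etc/passwd" })
        {
            try { Console.WriteLine($"{input} -> {Resolve(root, input)}"); }
            catch (Exception e) { Console.WriteLine($"{input} -> rejected ({e.Message})"); }
        }
    }
}
```

Note that Path.GetFileName only treats the backslash as a separator on Windows, so on Linux the second input is kept as a literal file name; the containment check in step 3 is what holds on every platform.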