Bug or security concern related to upload of binary files and IHttpModule?

[Kenneth Myhra]

Hi all, We are trying to make an ISAPI Filter, in .NET by implementing the
IHttpModule interface, that will authorize the request for certain binary
file types (GET), this is working fine. But we also want it to authorize the
upload of binary files (PUT), The problem with the PUT-scenario is that the
file is *not* uploaded when its extension *is* mapped up in IIS, by mapped
up I mean the Application Mappings displayed when clicking on the
configuration button on the property page for the [virtual folder]/[web
application] in question. We have tried this both with and without our
assembly running in the upload directory, the same happens either way, the
file is uploaded as long as its extension is *not* mapped up in IIS, when I
map up the extension I am no longer able upload files with that extension.
By running these tests we have verified that our code is not the black sheep
in the current scenario. So what I want to know is, could this be a bug? Or
is this a security concern and what I am trying to do is not allowed?

Regards,
Kenneth Myhra

 

[Hans Kesting]

Hi all, We are trying to make an ISAPI Filter, in .NET by implementing the
IHttpModule interface, that will authorize the request for certain binary
file types (GET), this is working fine. But we also want it to authorize the
upload of binary files (PUT), The problem with the PUT-scenario is that the
file is *not* uploaded when its extension *is* mapped up in IIS, by mapped
up I mean the Application Mappings displayed when clicking on the
configuration button on the property page for the [virtual folder]/[web
application] in question. We have tried this both with and without our
assembly running in the upload directory, the same happens either way, the
file is uploaded as long as its extension is *not* mapped up in IIS, when I
map up the extension I am no longer able upload files with that extension.
By running these tests we have verified that our code is not the black sheep
in the current scenario. So what I want to know is, could this be a bug? Or
is this a security concern and what I am trying to do is not allowed?

Regards,
Kenneth Myhra

I have never used HTTP PUT, but I guess the reasoning is this:
when a file with a mapped extension (say "aspx") is uploaded and
stored, how should IIS know how to treat this file upon request?
As it has an aspx extension, it should be handled by the asp.net
subsystem, rather than just upload the contents.
So, even if you could disable security so upload is possible,
then you might not get the expected contents when you try to
retrieve it!
Maybe you could have an upload directory where no mappings
at all are defined?

Hans Kesting

 

[Kenneth Myhra]

Hi Hans thanks for your reply! I am not trying to upload .aspx files, which
I see now is not either possible when the mapping is in place, but .doc,
..zip and other binary files. I have manually set the mapping to these files
because I want to be able to authorize the put request by using an
IHttpModule instead of using a C++ ISAPI filter so the option of having an
upload directory where there are no mappings is not acceptable in the
current scenario, because I want the asp.net subsystem to handle the request
and initalize my IHttpModule so that I can authorize the request based on
session data. How would I go about to disable security for PUT requests, if
it is possible?

Regards,
Kenneth Myhra

Hi all, We are trying to make an ISAPI Filter, in .NET by implementing the
IHttpModule interface, that will authorize the request for certain binary
file types (GET), this is working fine. But we also want it to authorize the
upload of binary files (PUT), The problem with the PUT-scenario is that the
file is *not* uploaded when its extension *is* mapped up in IIS, by mapped
up I mean the Application Mappings displayed when clicking on the
configuration button on the property page for the [virtual folder]/[web
application] in question. We have tried this both with and without our
assembly running in the upload directory, the same happens either way, the
file is uploaded as long as its extension is *not* mapped up in IIS,

when

I
map up the extension I am no longer able upload files with that extension.
By running these tests we have verified that our code is not the black sheep
in the current scenario. So what I want to know is, could this be a bug? Or
is this a security concern and what I am trying to do is not allowed?

Regards,
Kenneth Myhra

I have never used HTTP PUT, but I guess the reasoning is this:
when a file with a mapped extension (say "aspx") is uploaded and
stored, how should IIS know how to treat this file upon request?
As it has an aspx extension, it should be handled by the asp.net
subsystem, rather than just upload the contents.
So, even if you could disable security so upload is possible,
then you might not get the expected contents when you try to
retrieve it!
Maybe you could have an upload directory where no mappings
at all are defined?

Hans Kesting