uploading / downloading protected files in ASP.NET

bryanp10

I have a web application where the admin wants to be able to upload
arbitrary files on an admin page... and then have them accessible for
certain users. Easy enough eh?

The difficulty I'm having is serving up these files in a secure AND
browser-friendly way. I'm using Form authentication. I can't just
drop them in a website directory and show links to the files, because
then anyone could get at a file whose extension is not explicitly
protected by ASP.NET.

So... the option I came up with was to write a proxy page which just
uses Response.WriteFile() after some security checks. Well, that
works fine, but then the URL ends up being something like:

http://mysite.com/getfile?filename=file.doc

...and then of course the browser just dumps the raw bytes of the file,
it doesn't know that this is a .doc file it's receiving like if the URL
had been http://mysidte.com/files/file.doc.

Any way to fix this? Do I send down a MIME-type header? If so, where
do I get that? Because the admin could upload any sort of document...
all I have is the file name, more or less. Is there any way to tell
IIS to handle ALL file types for a particular directory? That way
Forms authentication could protect everything?


Any suggestions greatly appreciated.
 
Laurent Bugnion, MVP

Hi,

> I have a web application where the admin wants to be able to upload
> arbitrary files on an admin page... and then have them accessible for
> certain users. Easy enough eh?
>
> The difficulty I'm having is serving up these files in a secure AND
> browser-friendly way. I'm using Form authentication. I can't just
> drop them in a website directory and show links to the files, because
> then anyone could get at a file whose extension is not explicitly
> protected by ASP.NET.
>
> So... the option I came up with was to write a proxy page which just
> uses Response.WriteFile() after some security checks. Well, that
> works fine, but then the URL ends up being something like:
>
> http://mysite.com/getfile?filename=file.doc

That sounds like a good idea.

> ...and then of course the browser just dumps the raw bytes of the file,
> it doesn't know that this is a .doc file it's receiving like if the URL
> had been http://mysidte.com/files/file.doc.

Actually, even when the browser receives a file.doc file, it doesn't
know what file it is. You are right that you must send a MIME type. The
MIME type is sent by IIS when you link to a DOC file directly. According
to the MIME type, the browser will decide what action it will use,
according to the user settings.

MIME type is set in the Response.ContentType property.
http://msdn2.microsoft.com/en-us/library/ms525208.aspx

> Any way to fix this? Do I send down a MIME-type header? If so, where
> do I get that? Because the admin could upload any sort of document...
> all I have is the file name, more or less. Is there any way to tell
> IIS to handle ALL file types for a particular directory? That way
> Forms authentication could protect everything?

The MIME type cannot, as far as I know, be generated automatically. You
will need to create a table extension --> MIME type. Of course, it would
be a good idea to make this table an XML file (config file, or simply
external XML file) so that you or your user can dynamically add new
extensions/MIME type mapping information.

> Any suggestions greatly appreciated.

HTH,
Laurent
 
bryanp10

Well, ya learn something new every day... Not sure how I went this
long without realizing this. I also see that the HttpPostedFile
object has a ContentType property. So I can alternatively just save
that and push the same string back down when the file is downloaded.

Thanks for the help.
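
An added example, not code from any poster in this thread: the proxy page written as an ASP.NET `IHttpHandler`, using an extension-to-MIME table as Laurent suggests instead of replaying the stored `HttpPostedFile.ContentType`, because that string is supplied by the uploading client. The class name, the `~/App_Data/uploads` folder and the table entries are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

// Hypothetical handler; map it to a URL such as /getfile in web.config.
public class GetFileHandler : IHttpHandler
{
    // Assumed storage folder that IIS does not serve directly.
    private const string UploadRoot = "~/App_Data/uploads";

    // Extension -> MIME table (sample entries; could be loaded from an XML file).
    private static readonly Dictionary<string, string> MimeTypes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { ".doc", "application/msword" },
            { ".pdf", "application/pdf" },
            { ".txt", "text/plain" },
            { ".zip", "application/zip" }
        };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Forms authentication has populated context.User by this point.
        // A per-file permission check for "certain users" would also go here.
        if (!context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 403;
            return;
        }
        // Accept a bare file name only: separators, ':' and control characters
        // are rejected, so the value cannot point outside UploadRoot or split
        // the Content-Disposition header.
        string name = context.Request.QueryString["filename"] ?? "";
        bool badName = name.Length == 0
            || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0;
        string path = badName ? null
            : Path.Combine(context.Server.MapPath(UploadRoot), name);
        if (badName || !File.Exists(path))
        {
            context.Response.StatusCode = 404;
            return;
        }
        // Unknown extensions are sent as generic binary, never guessed.
        string mime;
        if (!MimeTypes.TryGetValue(Path.GetExtension(name), out mime))
            mime = "application/octet-stream";
        context.Response.ContentType = mime;
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + name + "\"");
        context.Response.TransmitFile(path);
    }
}
```

The `Content-Disposition` header also gives the browser the original file name, so the save dialog shows `file.doc` even though the URL ends in `getfile?filename=...`.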
 
Lit

I save my file info to a database table along with the ContentType...
including the content.
That could eliminate or work the security concerns you have also.

Just an idea....
 
