The server is IIS7.

Is there a way to disable web.config files in subfolders?

I am asking because I have a folder on the web server that is for uploads. When someone uploads files, a new folder is created for the user's session and the files they upload go in the folder.

So the path to uploads would be like this: ~/uploads/3F2504E0-4F89-11D3-9A0C-0305E82C3301/somefile.txt

In the ~/uploads/ directory there is a web.config file that removes all http handlers except the static file handler and adds a wildcard mime type. So every file that a user uploads will only ever be served statically.

If a user uploads a web.config file, I want to disallow any of the settings in that file from being applied.

How can I do this?

EDIT

Could I just make the upload folder an application that is a member of an application pool configured to run in Classic mode instead of Integrated Pipeline mode? That way it wouldn't even care about a web.config file.

EDIT 2

Is there another type of webserver I could install for serving all files statically? I could just access the files through a different port. Is there some software that I can be sure won't run any scripts and is safe?
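For readers who want to see what the ~/uploads/web.config described above looks like in IIS 7 terms, here is an added reconstruction of it. This is example configuration, not the asker's actual file: the handler and module names are the standard IIS 7 ones, and the wildcard mimeMap is an assumption about how "adds a wildcard mime type" was achieved.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- ~/uploads/web.config (reconstructed example, not the asker's file).
     Goal: anything stored under this directory is served as a static file
     and never handed to ASP.NET, ASP, CGI, ISAPI or any other engine. -->
<configuration>
  <system.webServer>
    <handlers>
      <!-- Throw away every handler inherited from the site and the server. -->
      <clear />
      <!-- Re-add only the static file handler (default IIS 7 definition).
           resourceType="Either" lets it answer for files and directories. -->
      <add name="StaticFile" path="*" verb="*"
           modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
           resourceType="Either" requireAccess="Read" />
    </handlers>
    <staticContent>
      <!-- Wildcard MIME map (assumption): extensions IIS has no entry for
           are still served, as an opaque download rather than a 404. -->
      <mimeMap fileExtension="*" mimeType="application/octet-stream" />
    </staticContent>
    <!-- Keep visitors from listing other sessions' upload folders. -->
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>
```

The limitation is exactly the one the question raises: IIS 7 reads a web.config at every directory level, so a file of that name dropped into ~/uploads/3F2504E0-4F89-11D3-9A0C-0305E82C3301/ is evaluated as configuration for that folder and, unless the section is locked higher up, can re-add handlers that this file removed. One IIS-side control not discussed on the page is the `allowSubDirConfig="false"` attribute on the uploads directory's `<virtualDirectory>` entry in applicationHost.config, which stops IIS's own configuration system from reading web.config files below that directory; whether a given file can be stored under that name at all is the separate question the answers below address.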

+3  A: 

I simply wouldn't allow them to upload a file with that name. In fact, I normally wouldn't trust any filename that the user gave me... makes a great candidate for an injection-style attack.

JMP
+1 for renaming files. If you want to "remember" the original file name, store it somewhere else.
Joel Coehoorn
I have thought of that. That doesn't answer my question.
Ronnie Overby
A: 

Obviously it could be done in code.

If the folders always exist, you could pre-populate with a web.config with no (significant) content and an ACL to ensure it cannot be overwritten, but looking at the path I suspect you create the upload folders dynamically, which means this would not work.

Richard
Correct.
Ronnie Overby
A: 

I don't believe there is a way to tell IIS not to use a web.config (but I could be wrong). Personally, I would add a check to my save code and rename the file.

Chris Brandsma
A: 

Why not just check the filename first to prevent the user from uploading a file named web.config? You're probably going to want to check for other things too before allowing the upload - files that are too big, etc.

Nate
I have thought of that. That doesn't answer my question.
Ronnie Overby
+1  A: 

OK, I have a different angle on this...

What if your uploads folder was not part of the website and instead part of the file system? This way ASP.NET is not processing requests to the folder and thus web.config wouldn't be loaded by the ASP.NET runtime.

You'd have to give your app pool's account read/write access to the file system where these files are stored, but I think it better fits what you're trying to accomplish.

JMP
But I need to serve the files in the folder. I have thought about not having ASP.NET serve requests (see my edit).
Ronnie Overby
You'd have to add the ability to your app to grab the file from the file system and stream it to the user. You *could* copy the file from the file system to a "staging" area for the user, but then you open yourself up to the same injection-style attacks that you had in the first place.
JMP
I have thought about that, too. But I kind of just wanted IIS to do it.
Ronnie Overby
The problem with letting IIS do it is that you could be held hostage to any number of injection attacks, whether that be ASP.NET or classic ASP or (insert executing framework) unless I'm misunderstanding your edit.
JMP
How could code be executed if there are no HTTP Handlers? Every request will be mapped to the static file handler.
Ronnie Overby
It looks like this is the way to go!
Ronnie Overby