I want to restrict my web app so that .ini files can not be downloaded/shown. Is this something I can set up in my web.config file?

EDIT based on answer:
I tried this in my config file:

<system.web>
    <httpHandlers>
        <add verb="*" path="*.txt" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
</system.web>

...but it had no effect. I am using IIS7 and the application is .NET 3.5, could this have something to do with it? I know this would actually work for .NET 1.0, 1.1 and 2.0.

I noticed in the documentation for this (add httpHandlers), the Requirements section:

Microsoft Internet Information Services (IIS) version 5.0, 5.1, or 6.0
The .NET Framework version 1.0, 1.1, or 2.0
Microsoft Visual Studio 2003 or Visual Studio 2005

...which indicates that this is not supported in .NET 3 and IIS7...

Where is this specified in IIS7?

+2  A: 

This is something you set in IIS, but it should be there by default already.

Colin
You are right. ini files are already restricted. I was just picking an example, but was more interested in the principle, and if it was possible to do this in web.config in the application.
awe
Can you point to where in IIS7 configuration this can be changed/added new etc..?
awe
I suggest using the answer provided above, because that is app specific. In IIS you just remove the MIME type, but then the filetype won't be served on the entire web server anymore, in any website running on that machine.
Colin
A: 

Can you change these to .config? or .aspx?

Mark Redman
+4  A: 

Take a look at this MS Support article on how to achieve this: HOW TO: Use ASP.NET to Protect File Types.

It involves setting up IIS to forward those requests to ASP.NET and then setting up your web.config to block the desired file types, such as:

<system.web>
    <httpHandlers>
        <add verb="*" path="*.ini" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
</system.web>

According to the httpHandlers Element page, the following extensions are forbidden by default as of .NET 2.0 (.ini is not one of them):

*.asax, *.ascx, *.master, *.skin, *.browser, *.sitemap, *.config, *.cs, *.csproj, *.vb, *.vbproj, *.webinfo, *.licx, *.resx, *.resources, *.mdb, *.vjsproj, *.java, *.jsl, *.ldb, *.dsdgm, *.ssdgm, *.lsad, *.ssmap, *.cd, *.dsprototype, *.lsaprototype, *.sdm, *.sdmDocument, *.mdf, *.ldf

EDIT: this applies to IIS versions prior to IIS 7.0. IIS 7.0 adds an additional operating mode, called Integrated Mode (default for ASP.NET), which requires handlers to be placed in <system.webServer>/<handlers> instead of <system.web>/<httpHandlers>. I added some more info and links to @awe's answer on this page, check it out for more details.

Ahmad Mageed
I was looking for something like this, but it doesn't work :( . I have changed my question to include your answer since this does not work either, but it is exactly what I want to work... Could it be that IIS7 does not respect this? Is it some settings in IIS7 that needs to be changed for this to work? My app is .NET 3.5.
awe
+2  A: 

OK. I found out the problem. In .NET 3, this is specified in a different section of the web.config file. Instead of <system.web><httpHandlers>, it is in <system.webServer><handlers> like this:

<system.webServer>
  <handlers>
    <add name="NoTxtAllowed" verb="*" path="*.txt" 
       type="System.Web.HttpForbiddenHandler" />
  </handlers>
</system.webServer>

Although this is the answer that did the trick for me, I have marked the answer from Ahmad Mageed as the answer, as he provided it before I added the version information for .NET 3 in my question. He also pointed me in the right direction to find the solution. Note that his answer is correct for all versions of .NET prior to 3.

EDIT: IIS 7.0 supports 2 modes, Integrated and Classic. Integrated is the default mode for ASP.NET apps on IIS 7.0 which require handlers to be placed in <system.webServer>/<handlers> instead of <system.web>/<httpHandlers> (this is supported by the Classic mode and prior IIS versions).

Helpful links regarding this issue:

awe
@awe: +1, thanks for sharing. Some more info according to http://msdn.microsoft.com/en-us/library/46c5ddfy.aspx - "For IIS 6.0, you register the handler by using the httpHandlers section of the Web.config file. For IIS 7.0 running in Classic mode, you register the handler in the httpHandlers section, and you map the handler to the Aspnet_isapi.dll file. For IIS 7.0 running in Integrated mode, you register the handler by using the handlers element in the system.WebServer section." ASP.NET on IIS 7.0 runs in Integrated Mode by default.
Ahmad Mageed
Great. Thanks for adding more info about this.
awe
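
A static check for the mismatch this thread ran into, as an added example that is not part of the original posts: it reads a web.config and reports, per pipeline mode, whether a file name is mapped to System.Web.HttpForbiddenHandler. The function names and sample configs are constructed for illustration, and the check looks only at the one file passed in (not inherited configuration or the application pool's actual mode).

```python
import fnmatch
import xml.etree.ElementTree as ET

FORBIDDEN = "system.web.httpforbiddenhandler"

# Where each pipeline mode reads handler mappings, per the answers above.
SECTIONS = {
    "classic": "system.web/httpHandlers/add",       # IIS 6, IIS 7 Classic mode
    "integrated": "system.webServer/handlers/add",  # IIS 7 Integrated mode
}

def _blocks(entry, filename):
    """True if this <add> maps filename to HttpForbiddenHandler for all verbs."""
    # The type attribute may be assembly-qualified; keep only the class name.
    handler_type = entry.get("type", "").split(",")[0].strip().lower()
    verbs = [v.strip() for v in entry.get("verb", "").split(",")]
    pattern = entry.get("path", "").lower()
    return (handler_type == FORBIDDEN and "*" in verbs
            and fnmatch.fnmatchcase(filename.lower(), pattern))

def forbidden_coverage(config_xml, filename):
    """Per pipeline mode: is filename mapped to the forbidden handler?"""
    root = ET.fromstring(config_xml)
    return {mode: any(_blocks(e, filename) for e in root.findall(xpath))
            for mode, xpath in SECTIONS.items()}

def audit(config_xml, filenames, mode="integrated"):
    """Return the filenames the config does NOT block under the given mode."""
    return [f for f in filenames if not forbidden_coverage(config_xml, f)[mode]]

# Constructed sample: the question's first attempt (httpHandlers only).
ATTEMPT = """<configuration><system.web><httpHandlers>
  <add verb="*" path="*.txt" type="System.Web.HttpForbiddenHandler" />
</httpHandlers></system.web></configuration>"""

# Constructed sample: the Integrated-mode form from the last answer, for *.ini.
FIXED = """<configuration><system.webServer><handlers>
  <add name="NoIniAllowed" verb="*" path="*.ini"
       type="System.Web.HttpForbiddenHandler" />
</handlers></system.webServer></configuration>"""

if __name__ == "__main__":
    print(forbidden_coverage(ATTEMPT, "notes.txt"))
    print(audit(FIXED, ["settings.ini", "notes.txt"]))
```

Run against the first attempt, the Classic column is covered and the Integrated column is not, which matches the "no effect" behaviour reported on IIS7.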