I'm building a portal that will allow users to upload files. I need to make sure that these files do not contain viruses. My ideal solution would be to have the host OS AV keep a watch on temporary folders and scan any incoming files.

When a file is uploaded in ASP.Net 2, does it get written to disk in a temp folder, or is it persisted in memory? If it is written to disk, will IIS lock it so that the AV cannot remove it? And if it is written to disk, where?

+3  A: 

Are you using the ASP FileUpload server control?

If so, it is loaded into the server's memory until you do something with it.

This is from MSDN:

There is no inherent limitation on where you can save uploaded files. However, to save the file, the ASP.NET process must have permission to create files in the location that you specify. In addition, your application might be configured to require an absolute path (not a relative path) for saving the file, which is a security measure.

Dominic
+6  A: 

I think the ideal way would be to have an "Incoming" folder that has been given the necessary permissions for ASP.NET to save files. I have never encountered a situation where files remain locked even after you call SaveAs on the FileUpload control.

Note that the FileUpload control does not upload the file until you call SaveAs and this is when the file is persisted to disk on the server. It seems to hold all file contents in an HttpInputStream, which is written to disk when the SaveAs method is called.

The file(s) should then be free to be scanned by your AV application. In case an error occurs, you can give relevant feedback to the user.

Cerebrus
A: 

Just like Cerebrus I will tell you that the UploadFile control will NOT write anything to the disk drive unless you tell it to.

Andrei Rinea
+1  A: 

If you're serious about security, another related tip is to make certain the folder that you're saving files to is above the webroot so users cannot directly access it in any way. You can still give them the ability to delete their uploaded files with some database work, i.e. save the location and make sure each file is uniquely named (if the users are authenticating I just save the filename as USERNAME.XYZ where XYZ is the file's extension).
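As an added example (not code from the question or from any of the answers), here is a code-behind that applies the advice in these answers: it calls SaveAs into an Incoming folder outside the web root, names the file itself with a generated unique name, hands the saved file to the scanner, and deletes it if the scan fails. It assumes a FileUpload control named fileUpload, a Label named Status, an appSettings key named IncomingFolder, and a hypothetical ScanWithAntivirus hook for whatever scanner the host runs.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Web.UI;

// Example code-behind for an upload page (added example, not code from the page).
// Assumptions: markup declares a FileUpload named "fileUpload" and a Label "Status";
// appSettings["IncomingFolder"] is a folder outside the web root that the ASP.NET
// worker identity can write to; ScanWithAntivirus is a hypothetical hook.
public partial class UploadPage : Page
{
    private const int MaxBytes = 10 * 1024 * 1024; // request limits should match this
    private static readonly string[] AllowedExtensions = { ".pdf", ".png", ".jpg" };

    protected void UploadButton_Click(object sender, EventArgs e)
    {
        if (!fileUpload.HasFile) { Status.Text = "No file selected."; return; }
        if (fileUpload.PostedFile.ContentLength > MaxBytes) { Status.Text = "File too large."; return; }

        // Never trust the client-supplied name: keep only a whitelisted extension and
        // generate the on-disk name ourselves so it is unique and not guessable.
        string ext;
        try { ext = Path.GetExtension(fileUpload.FileName).ToLowerInvariant(); }
        catch (ArgumentException) { Status.Text = "Invalid file name."; return; }
        if (Array.IndexOf(AllowedExtensions, ext) < 0) { Status.Text = "File type not allowed."; return; }

        string incoming = ConfigurationManager.AppSettings["IncomingFolder"];
        string target = Path.Combine(incoming, Guid.NewGuid().ToString("N") + ext);

        // Nothing is on disk yet; SaveAs is the point at which the bytes reach the
        // Incoming folder and become visible to an on-access scanner.
        fileUpload.SaveAs(target);

        if (!ScanWithAntivirus(target))
        {
            File.Delete(target); // do not keep a flagged file around
            Status.Text = "Upload rejected by the virus scanner.";
            return;
        }

        // Persist only the generated name, keyed to the user, so later download or
        // delete requests never take a path from the client.
        Status.Text = "Upload accepted: " + Path.GetFileName(target);
    }

    private static bool ScanWithAntivirus(string path)
    {
        throw new NotImplementedException("Hypothetical hook: call the host antivirus scanner here.");
    }
}
```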

+2  A: 

Here's the actual dirt on how ASP.NET handles files. It's version dependent, but 2.0 and all subsequent versions do write uploads to disk before you get a chance to handle them. The above answers are actually wrong -- ASP.NET above 2.0 will write the file to disk. If you think about it, loading an upload into memory opens you to a DDOS hole as large files would take up increasing amounts of server memory. By version, here's how ASP.NET acts:

  • ASP.NET 1.0 and 1.1 loaded the whole request in memory before you could access it. This meant that large files could potentially fill all memory, causing exceptions and otherwise bringing down the server.

  • ASP.NET 2.0 introduced a disk caching scheme for uploads, again snagging the upload and processing it before client code can handle it. The temporary folder can be accessed as follows:

    // Path.Combine needs System.IO. CodegenDirInternal is not a public member of
    // HttpRuntime, so code outside System.Web has to use HttpRuntime.CodegenDir.
    string uploadFolder = Path.Combine(HttpRuntime.CodegenDir, "uploads");

At least now it's cached to disk so you don't have the memory issues from 1.0 and 1.1, but you still can't access it until it's been fully retrieved.

begin plug

I've gotten a lot of experience in this area by developing my SlickUpload ASP.NET upload component. It bypasses all of the above issues for ASP.NET 1.1 and above by intercepting the upload before ASP.NET gets a chance to handle it and allowing you to direct it to a file, a database (e.g. SQL Server), or your own custom stream. It also provides an AJAX progress bar, templating and styling of the selection area, validation, and many other features.

Chris Hynes