OK, I will try to solve it :) So there is the nice Server method Server.MapPath, which gives you the current working directory. So the path is then current_dir\dirname. Are you scared that someone can use it to get out of the server directory and list your local folders? Well, OK, Directory Traversal (that is the name of the exploit) is really very well known and I don't think that .NET would allow you to do this. If you don't trust me, just try it yourself, or instead of MapPath use your constant.
> Well, ok, Directory Traversal (that is the name of the exploit), is really
> very well known and I don't think that .NET would allow you to do this. If
> you don't trust me, just try it yourself or instead of MapPath use your
> constant.
> As others have said, first tell us what about the code you believe is
> not secure. Or is it just *you* that's being insecure?
> On Jul 1, 6:41 pm, nag <nagesh...@gmail.com> wrote:
> > Hi,
> > I'm listing files from a directory. Here is my code.
> > I feel it's not secure code.
> > Does anyone know secure code? Please let me know.
> Directory Traversal... also known as the Canonicalization attack. Very
> good! ;-)
Well, a simple way would be to simply provide a LinkButton that says
"Download file" (or whatever) and invokes a Command on the server. In
this event handler, you can query the Command parameters and force a
file to be sent in the response. This way, your actual file location
is never revealed to the user.
Another way would be to create an HttpHandler that intercepts requests
for .doc files and allows the URL to be changed to the actual file
location.
On Jul 4, 10:11 am, nag <nagesh...@gmail.com> wrote:
> Here in my following code I'm listing files from a dynamically created
> folder (the folder name is the userid of the user).
> I can get all the files in the grid,
> but I'm not getting the virtual path of the file.
> In the grid I'm getting a link like this: http://www.site.com/pcs/admin/testt.doc
> but the actual file path is http://www.site.com/pcs/admin/1/testt.doc
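The path check a download command or HttpHandler like the one suggested above would need before sending a file from the per-user folder, as an added example that is not part of the original thread. The names `UserFileResolver`, `Resolve` and `uploadRoot` are hypothetical, and the sample root and file names are constructed.

```csharp
using System;
using System.IO;

// Added example: UserFileResolver, Resolve and uploadRoot are hypothetical names.
public static class UserFileResolver
{
    // Returns the full path of requestedName inside uploadRoot\<userId>,
    // or null if the name would resolve outside that folder.
    public static string Resolve(string uploadRoot, int userId, string requestedName)
    {
        if (string.IsNullOrWhiteSpace(requestedName)) return null;

        // Canonical per-user folder, with a trailing separator so that
        // "...\1" cannot match "...\10" in the prefix check below.
        string userDir = Path.GetFullPath(Path.Combine(uploadRoot, userId.ToString()));
        if (!userDir.EndsWith(Path.DirectorySeparatorChar.ToString()))
            userDir += Path.DirectorySeparatorChar;

        string candidate;
        try
        {
            // Path.Combine discards userDir when requestedName is rooted, and
            // GetFullPath collapses "..", so the result is checked, not trusted.
            candidate = Path.GetFullPath(Path.Combine(userDir, requestedName));
        }
        catch (Exception e) when (e is ArgumentException || e is NotSupportedException || e is PathTooLongException)
        {
            return null; // malformed path
        }
        // OrdinalIgnoreCase matches Windows path semantics (assumed IIS host).
        return candidate.StartsWith(userDir, StringComparison.OrdinalIgnoreCase) ? candidate : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "pcs", "admin"); // constructed sample root
        // Constructed inputs: one legitimate name, then three that resolve outside folder "1".
        string[] names = { "testt.doc", "../2/other.doc", "../../web.config",
                           Path.Combine(Path.GetTempPath(), "outside.doc") };
        foreach (string name in names)
            Console.WriteLine("{0} -> {1}", name, UserFileResolver.Resolve(root, 1, name) ?? "rejected");
    }
}
```

In the command handler or HttpHandler, a non-null result would be passed to `Response.TransmitFile`, and a null result answered with a 404, so the physical location never appears in the link.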