List files from directory


nag

Jul 1, 2009, 9:41:43 AM
to DotNetDevelopment, VB.NET, C# .NET, ADO.NET, ASP.NET, XML, XML Web Services,.NET Remoting
Hi,
I'm listing files from a directory. Here is my code.
I feel it's not secure code.
Does anyone know secure code? Please let me know.

using System;
using System.IO;
using System.Web;
using System.Web.UI.WebControls;

void Page_Load(object sender, EventArgs e)
{
    // The folder name is taken from session state, not from the request
    string dirname = Session["projectid"].ToString();

    // Physical path of this page's folder plus the per-project subfolder
    string path = Server.MapPath(".") + "\\" + dirname;

    DirectoryInfo dirInfo = new DirectoryInfo(path);

    // Bind every file in that folder to the grid
    articleList.DataSource = dirInfo.GetFiles("*.*");
    articleList.DataBind();
}




<asp:DataGrid runat="server" id="articleList" Font-Name="Verdana"
    AutoGenerateColumns="False" AlternatingItemStyle-BackColor="#eeeeee"
    HeaderStyle-BackColor="Navy" HeaderStyle-ForeColor="White"
    HeaderStyle-Font-Size="15pt" HeaderStyle-Font-Bold="True">
    <Columns>
        <asp:HyperLinkColumn DataNavigateUrlField="Name"
            DataTextField="Name"
            HeaderText="File Name" />
        <asp:BoundColumn DataField="LastWriteTime" HeaderText="Last Write Time"
            ItemStyle-HorizontalAlign="Center" DataFormatString="{0:d}" />
        <asp:BoundColumn DataField="Length" HeaderText="File Size"
            ItemStyle-HorizontalAlign="Right"
            DataFormatString="{0:#,### bytes}" />
    </Columns>
</asp:DataGrid>


Brandon Betances

Jul 1, 2009, 9:58:14 AM
to DotNetDe...@googlegroups.com
Looks fine to me.

Processor Devil

Jul 1, 2009, 11:14:47 AM
to DotNetDe...@googlegroups.com
ok, I will try to solve it :)
So there is the nice Server method Server.MapPath, which gives you the current working directory. So the path is then current_dir\dirname.
Are you scared that someone can use it to get out of the server directory and list your local folders?
Well, ok, Directory Traversal (that is the name of the exploit) is really very well known and I don't think that .NET would allow you to do this. If you don't trust me, just try it yourself, or instead of MapPath use your constant.

2009/7/1 nag <nage...@gmail.com>

Processor Devil

Jul 1, 2009, 9:58:33 AM
to DotNetDe...@googlegroups.com
well, and why do you think it is insecure code?

2009/7/1 nag <nage...@gmail.com>

Cerebrus

Jul 1, 2009, 12:04:45 PM
to DotNetDevelopment, VB.NET, C# .NET, ADO.NET, ASP.NET, XML, XML Web Services,.NET Remoting
As others have said, first tell us what about the code you believe is
not secure. Or is it just *you* that's being insecure?

Cerebrus

Jul 1, 2009, 12:15:06 PM
to DotNetDevelopment, VB.NET, C# .NET, ADO.NET, ASP.NET, XML, XML Web Services,.NET Remoting
Directory Traversal... also known as the Canonicalization attack. Very
good! ;-)

nag

Jul 2, 2009, 12:49:59 AM
to DotNetDevelopment, VB.NET, C# .NET, ADO.NET, ASP.NET, XML, XML Web Services,.NET Remoting
The files which I listed in the grid are download links. That link will be
available in the address bar.
Is it possible to mask that path?
> > Does anyone know secure code? Please let me know.

nag

Jul 2, 2009, 12:50:16 AM
to DotNetDevelopment, VB.NET, C# .NET, ADO.NET, ASP.NET, XML, XML Web Services,.NET Remoting
The files which I listed in the grid are download links. That link will be
available in the address bar.
Is it possible to mask that path?

On Jul 1, 6:58 pm, Brandon Betances <bbetan...@gmail.com> wrote:
> Looks fine to me.

Processor Devil

Jul 2, 2009, 2:59:06 AM
to DotNetDe...@googlegroups.com
I see you know a lot :)

2009/7/1 Cerebrus <zor...@sify.com>

nag

Jul 3, 2009, 4:28:53 AM
to DotNetDevelopment, VB.NET, C# .NET, ADO.NET, ASP.NET, XML, XML Web Services,.NET Remoting
ahahha hmmm... nice joke.. ( :

On Jul 2, 11:59 am, Processor Devil <processor.de...@gmail.com> wrote:
> I see you know a lot :)
>
> 2009/7/1 Cerebrus <zorg...@sify.com>
> > > constant.

Processor Devil

Jul 3, 2009, 4:35:25 AM
to DotNetDe...@googlegroups.com
ok, so why do you think it is insecure? :P

2009/7/3 nag <nage...@gmail.com>

nag

Jul 4, 2009, 1:11:50 AM
to DotNetDevelopment, VB.NET, C# .NET, ADO.NET, ASP.NET, XML, XML Web Services,.NET Remoting
Here in my following code I'm listing files from a dynamically created
folder (the folder name is the userid of the user).
I can get all files in the grid...
but I'm not getting the virtual path of the file.
In the grid I'm getting a link like this:
http://www.site.com/pcs/admin/testt.doc
but the actual file path is
http://www.site.com/pcs/admin/1/testt.doc


using System;
using System.IO;
using System.Web;
using System.Web.UI.WebControls;

void Page_Load(object sender, EventArgs e)
{
    // The folder name is taken from session state, not from the request
    string dirname = Session["projectid"].ToString();

    // Physical path of this page's folder plus the per-project subfolder
    string path = Server.MapPath(".") + "\\" + dirname;

    DirectoryInfo dirInfo = new DirectoryInfo(path);

    // Bind every file in that folder to the grid
    articleList.DataSource = dirInfo.GetFiles("*.*");
    articleList.DataBind();
}




<asp:DataGrid runat="server" id="articleList" Font-Name="Verdana"
    AutoGenerateColumns="False" AlternatingItemStyle-BackColor="#eeeeee"
    HeaderStyle-BackColor="Navy" HeaderStyle-ForeColor="White"
    HeaderStyle-Font-Size="15pt" HeaderStyle-Font-Bold="True">
    <Columns>
        <%-- The bare file Name is used as the URL, so the link is relative
             to this page rather than to the dirname subfolder --%>
        <asp:HyperLinkColumn DataNavigateUrlField="Name"
            DataTextField="Name"
            HeaderText="File Name" />
        <asp:BoundColumn DataField="LastWriteTime" HeaderText="Last Write Time"
            ItemStyle-HorizontalAlign="Center" DataFormatString="{0:d}" />
        <asp:BoundColumn DataField="Length" HeaderText="File Size"
            ItemStyle-HorizontalAlign="Right"
            DataFormatString="{0:#,### bytes}" />
    </Columns>
</asp:DataGrid>





On Jul 3, 1:35 pm, Processor Devil <processor.de...@gmail.com> wrote:
> ok, so why do you think it is insecure? :P
>
> 2009/7/3 nag <nagesh...@gmail.com>

Cerebrus

Jul 4, 2009, 2:24:43 AM
to DotNetDevelopment, VB.NET, C# .NET, ADO.NET, ASP.NET, XML, XML Web Services,.NET Remoting
Well, a simple way would be to simply provide a LinkButton that says
"Download file" (or whatever) and invokes a Command on the server. In
this event handler, you can query the Command parameters and force a
file to be sent in the response. This way, your actual file location
is never revealed to the user.

Another way would be to create an HttpHandler that intercepts requests
for .doc files and allows the URL to be changed to the actual file
location.

On Jul 4, 10:11 am, nag <nagesh...@gmail.com> wrote:
> Here in my following code I'm listing files from a dynamically created
> folder (the folder name is the userid of the user).
> I can get all files in the grid...
> but I'm not getting the virtual path of the file.
> In the grid I'm getting a link like this: http://www.site.com/pcs/admin/testt.doc
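An added example, not code posted by anyone in this thread, putting the two points raised above into one page: the grid row is a LinkButton that raises a server-side command, as Cerebrus suggests, so no file URL is ever rendered into the page; and before anything is streamed, the handler resolves the requested name against the session's folder and checks that the result is still inside that folder, which is the directory traversal concern Processor Devil discusses. It keeps Session["projectid"] and the DataGrid id "articleList" from the original post; the page class name FileList, the command name "Download", and the handler name articleList_ItemCommand are assumptions. The grid markup this code expects is shown in the leading comment.

```csharp
// Added example (not the thread's code). Assumed markup for the grid, which
// replaces the HyperLinkColumn with a LinkButton that posts back a command:
//
// <asp:DataGrid runat="server" id="articleList" AutoGenerateColumns="False"
//               OnItemCommand="articleList_ItemCommand">
//   <Columns>
//     <asp:TemplateColumn HeaderText="File Name">
//       <ItemTemplate>
//         <asp:LinkButton runat="server" CommandName="Download"
//                         CommandArgument='<%# Eval("Name") %>'
//                         Text='<%# Eval("Name") %>' />
//       </ItemTemplate>
//     </asp:TemplateColumn>
//     <asp:BoundColumn DataField="LastWriteTime" HeaderText="Last Write Time"
//                      DataFormatString="{0:d}" />
//     <asp:BoundColumn DataField="Length" HeaderText="File Size"
//                      DataFormatString="{0:#,### bytes}" />
//   </Columns>
// </asp:DataGrid>

using System;
using System.IO;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class FileList : Page   // class name is an assumption
{
    // The folder is chosen by the server from session state (as in the
    // original post); nothing about it comes from the request.
    private string GetProjectDirectory()
    {
        object projectId = Session["projectid"];
        if (projectId == null)
        {
            throw new HttpException(403, "No project selected.");
        }
        string dir = Path.Combine(Server.MapPath("."), projectId.ToString());
        // Normalise and end with a separator so folder "1" cannot be matched
        // by a path that merely starts with "1" (for example "10\...").
        return Path.GetFullPath(dir).TrimEnd(Path.DirectorySeparatorChar)
               + Path.DirectorySeparatorChar;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        DirectoryInfo dirInfo = new DirectoryInfo(GetProjectDirectory());
        articleList.DataSource = dirInfo.GetFiles("*.*");
        articleList.DataBind();
    }

    // Accept a bare file name only: no separators, no "." or "..", no
    // characters Windows forbids in file names.
    private static string RequireBareFileName(string name)
    {
        if (string.IsNullOrEmpty(name)
            || name == "." || name == ".."
            || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            throw new HttpException(400, "Invalid file name.");
        }
        return name;
    }

    protected void articleList_ItemCommand(object source, DataGridCommandEventArgs e)
    {
        if (e.CommandName != "Download") return;

        // CommandArgument round-trips through the browser, so it is input.
        string fileName = RequireBareFileName(Convert.ToString(e.CommandArgument));
        string projectDir = GetProjectDirectory();
        string fullPath = Path.GetFullPath(Path.Combine(projectDir, fileName));

        // Containment check: the canonical path must still lie under the
        // session's folder, and the file must exist there.
        if (!fullPath.StartsWith(projectDir, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(fullPath))
        {
            throw new HttpException(404, "File not found.");
        }

        // Stream the file. The response carries the file name only; the
        // folder it was read from never appears in a URL or header.
        Response.Clear();
        Response.ContentType = "application/octet-stream";
        Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + fileName + "\"");
        Response.TransmitFile(fullPath);
        Response.End();
    }
}
```

The address bar now shows only the listing page on postback, which answers the "mask that path" question, and the containment check means a tampered CommandArgument is answered with 400 or 404 rather than a file from another folder.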