Bug or security concern related to upload of binary files and IHttpModule?

Discussion in 'ASP .Net' started by Kenneth Myhra, Feb 16, 2004.

  1. Hi all, we are trying to make an ISAPI Filter in .NET, by implementing the
    IHttpModule interface, that will authorize the request for certain binary
    file types (GET); this is working fine. But we also want it to authorize the
    upload of binary files (PUT). The problem with the PUT scenario is that the
    file is *not* uploaded when its extension *is* mapped up in IIS; by mapped
    up I mean the Application Mappings displayed when clicking on the
    configuration button on the property page for the [virtual folder]/[web
    application] in question. We have tried this both with and without our
    assembly running in the upload directory, and the same happens either way:
    the file is uploaded as long as its extension is *not* mapped up in IIS; when I
    map up the extension I am no longer able to upload files with that extension.
    By running these tests we have verified that our code is not the black sheep
    in the current scenario. So what I want to know is, could this be a bug? Or
    is this a security concern and what I am trying to do is not allowed?

    Regards,
    Kenneth Myhra
    Kenneth Myhra, Feb 16, 2004
    #1

  2. Hans Kesting (Guest)

    I have never used HTTP PUT, but I guess the reasoning is this:
    when a file with a mapped extension (say "aspx") is uploaded and
    stored, how should IIS know how to treat this file upon request?
    As it has an aspx extension, it should be handled by the asp.net
    subsystem, rather than just upload the contents.
    So, even if you could disable security so upload is possible,
    then you might not get the expected contents when you try to
    retrieve it!
    Maybe you could have an upload directory where no mappings
    at all are defined?

    Hans Kesting
    Hans Kesting, Feb 16, 2004
    #2

  3. Hi Hans, thanks for your reply! I am not trying to upload .aspx files, which
    I see now is not possible either when the mapping is in place, but .doc,
    .zip and other binary files. I have manually set the mapping for these files
    because I want to be able to authorize the PUT request by using an
    IHttpModule instead of using a C++ ISAPI filter, so the option of having an
    upload directory where there are no mappings is not acceptable in the
    current scenario, because I want the asp.net subsystem to handle the request
    and initialize my IHttpModule so that I can authorize the request based on
    session data. How would I go about disabling security for PUT requests, if
    it is possible?

    Regards,
    Kenneth Myhra
    Kenneth Myhra, Feb 16, 2004
    #3
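
The authorization step described in post #3, as an added example that is not code from any participant in the thread: an IHttpModule that checks session data before a GET or PUT for a guarded extension reaches its handler, and fails closed when no session is available. The class name, the session keys `CanDownload` and `CanUpload`, and the extension list are assumptions; it also assumes IIS passes these extensions and verbs to ASP.NET and that the handler serving them enables session state.

```csharp
using System;
using System.Globalization;
using System.IO;
using System.Web;

// Added example (hypothetical names); register it under <httpModules> in web.config.
public class BinaryFileAuthorizationModule : IHttpModule
{
    // Assumed list: the extensions mapped to ASP.NET in IIS (.doc and .zip per the thread).
    private static readonly string[] GuardedExtensions = { ".doc", ".zip" };

    public void Init(HttpApplication app)
    {
        // By this event the session has been loaded, provided the handler
        // chosen for the request opts in to session state.
        app.PreRequestHandlerExecute += new EventHandler(Authorize);
    }

    public void Dispose() { }

    private static void Authorize(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        string ext = Path.GetExtension(ctx.Request.FilePath).ToLower(CultureInfo.InvariantCulture);
        if (Array.IndexOf(GuardedExtensions, ext) < 0)
            return; // not a guarded file type

        string key; // hypothetical session keys, set elsewhere at login
        switch (ctx.Request.HttpMethod)
        {
            case "GET":
            case "HEAD": key = "CanDownload"; break;
            case "PUT":  key = "CanUpload";   break;
            default:     Deny(app, 405); return; // refuse other verbs on guarded files
        }

        // Fail closed: no session, or no explicit 'true' flag, means no access.
        object flag = ctx.Session == null ? null : ctx.Session[key];
        if (!(flag is bool) || !(bool)flag)
            Deny(app, 403);
    }

    private static void Deny(HttpApplication app, int status)
    {
        app.Context.Response.StatusCode = status;
        app.CompleteRequest(); // skip the handler and go straight to EndRequest
    }
}
```

The module only authorizes the request; storing the PUT body is left to whatever handler serves it.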