Gaining access to local files from an ASP.Net page

[Dave Keen]

Hi all

I am writing a webpage which asks the user for the name of a picture
file, then reads the file, resizes if necessary and saves it to the
server. The code to read the file is...

' Set permissions for loaded file.
Dim FileIOPerm1 As
System.Security.Permissions.FileIOPermission
FileIOPerm1 = New
System.Security.Permissions.FileIOPermission(PermissionState.Unrestricted,
Me.File1.PostedFile.FileName())
FileIOPerm1.AllLocalFiles =
FileIOPermissionAccess.AllAccess
FileIOPerm1.Assert()

' Load file into memory.
Dim FullSizeImage As System.Drawing.Image
FullSizeImage =
System.Drawing.Image.FromFile(Me.File1.PostedFile.FileName())

Me.File1.PostedFile.FileName() holds the file name, which has the full
path, is valid and can be anywhere locally. This all works fine on my
development machine (without the need for the FileIOPermission object)
running direct from VS2003, but when run from the web I get the
following error...

Request for the permission of type
System.Security.Permissions.FileIOPermission, mscorlib,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
failed.

Now I can see the value of not making it easy to see local files from
any old webpage, so my question is how can this be achieved? As a
model I am thinking of Hotmail, where you can specfiy files as
attachments without going through any security hoops.

Thanks in advance.

Dave

 

[Dave Keen]

Hi Eliyahu

Thanks for your input. I already am using a file upload element on my
page...

<TABLE id="tblMain" cellSpacing="0" cellPadding="5" width="280"
border="0">
<TR>
<TD><asp:label id="lblSelectAFile" runat="server">Select a file to
upload</asp:label></TD>
</TR>
<TR>
<TD><input id="File1" style="WIDTH: 261px; HEIGHT: 22px" type="file"
size="24" name="File1" runat="server"></TD>
</TR>
<TR>
<TD align="center"><asp:button id="cmdUpload" runat="server"
Width="90px" Text="Upload" BackColor="#DFD799"></asp:button></TD>
</TR>
</TABLE>

This gives me the Browse button and works a treat, so I can effectively
see the directory structure etc. However it is once I have captured
the name of the file that I have problems in loading it up. Is there
some feature that I am missing?

Thanks

Dave

 

[Eliyahu Goldin]

Dave,

Your code is good on server side. It works on your development machine
because it's the server. You should use a file upload element <input
type=file ...>. It provides a file selection dialog with no need for extra
security setting.

 

[Eliyahu Goldin]

Once you selected the name, all you need is just to submit the form. The
file upload element will take care of uploading the file.

 

[Dave Keen]

Hi

OK, it seems I have tried to be too clever, and thought that simply
creating an image object using the filename of the upload file would be
OK, but it seems to invoke all those permission problems. Looks like I
will have to look into how to use the httppostedfile object instead.

Many thanks for your help.

Dave

 

[Guest]

Dave,
You got it. HttpPostedFile as I recall has a Stream property which you can
convert to either a byte array or use the Image.FromStream method at the
server.
Peter

 

[Dave Keen]

Hi All

For the benfit of those that come after me, here is the code I used to
get this to work. Basically I use the HTML File control to upload the
selected file into an image object FullSizeImage, then resize that
image as required, then saved the resized image to the server using the
name I want. The redirect command reloads the page, forcing the image
to appear. Hope this helps...

If Me.File1.PostedFile.FileName.Trim.Length = 0 Then
Me.lblUploadError.Text = "A file must be specified before
uploading."
Exit Sub
End If

Try
' Check that the uploaded file is the correct type
If Me.File1.PostedFile.ContentType <> "image/pjpeg" And
Me.File1.PostedFile.ContentType <> "image/x-png" Then
Me.lblUploadError.Text = "Upload failed - File is not a
recognised JPEG format"
Exit Sub
End If

' Make an image object of the uploaded file using a stream
Dim FullSizeImage As System.Drawing.Image
FullSizeImage =
System.Drawing.Image.FromStream(Me.File1.PostedFile.InputStream)

' Rotate the image, which should remove any embedded
thumbnails (such as those from digital camera images).
FullSizeImage.RotateFlip(RotateFlipType.Rotate180FlipNone)
FullSizeImage.RotateFlip(RotateFlipType.Rotate180FlipNone)

' The following two lines are necessary for the thumbnail
function to work
Dim DummyCallback As
System.Drawing.Image.GetThumbnailImageAbort
DummyCallback = New
System.Drawing.Image.GetThumbnailImageAbort(AddressOf DummyFunction)

' Get a resized copy of the image, keeping the proportions
the same.
Dim ResizedImage As System.Drawing.Image
Dim sinWidthReduction As Single = 1
Dim sinHeightReduction As Single = 1
If FullSizeImage.Width > 280 Then
' Too wide, so calculate reduction to fit
sinWidthReduction = 280 / FullSizeImage.Width
End If
If FullSizeImage.Height > 300 Then
' Too high, so calculate reduction to fit
sinHeightReduction = 300 / FullSizeImage.Height
End If
If sinHeightReduction < 1 Or sinWidthReduction < 1 Then
' Resizing is necessary, so do it
If sinHeightReduction < sinWidthReduction Then
ResizedImage =
FullSizeImage.GetThumbnailImage(FullSizeImage.Width *
sinHeightReduction, FullSizeImage.Height * sinHeightReduction,
DummyCallback, IntPtr.Zero)
Else
ResizedImage =
FullSizeImage.GetThumbnailImage(FullSizeImage.Width *
sinWidthReduction, FullSizeImage.Height * sinWidthReduction,
DummyCallback, IntPtr.Zero)
End If
Else
ResizedImage = FullSizeImage
End If

' Save the uploaded and resized image to the server
ResizedImage.Save(Server.MapPath("ProductImages/" &
Session("ProductID") & ".jpg"))
Me.lblUploadError.Text = "Upload successful"

' Post back form to force new image to display
Response.Redirect("MaintainProduct.aspx")
Catch ex As Exception
Me.lblUploadError.Text = "Upload failed - " & ex.Message
End Try

Public Function DummyFunction() As Boolean
' This is needed for the image resizing routine above.
Return False
End Function

Dave