I/O and Security Considerations

[Jerry]

My web app needs to write text and .jpg/.gif files to disk (e.g., the user
can upload photos which are then made available for viewing in the app's
pages). The folder(s) to which the files are written can be placed below the
site root (i.e., "in" the site), or above the site root.

The hosting provider I'm working with insists that the folder to which the
app writes files be placed outside of (above) the site root folder.

I'm just wondering what the security risk is of having the folder in the
site (i.e., below the site root folder).

Is my hosting provider following some well-accepted best practice; or does
it not really matter where the folders are as long as the NTFS permissions
are no more than necessary?

Thanks

 

[bruce barker]

your provider is correct. by putting application data files outside of the
vdir, only your app can access them, iis can not serve them up directly.

-- bruce (sqlwork.com)



| My web app needs to write text and .jpg/.gif files to disk (e.g., the user
| can upload photos which are then made available for viewing in the app's
| pages). The folder(s) to which the files are written can be placed below
the
| site root (i.e., "in" the site), or above the site root.
|
| The hosting provider I'm working with insists that the folder to which the
| app writes files be placed outside of (above) the site root folder.
|
| I'm just wondering what the security risk is of having the folder in the
| site (i.e., below the site root folder).
|
| Is my hosting provider following some well-accepted best practice; or does
| it not really matter where the folders are as long as the NTFS permissions
| are no more than necessary?
|
| Thanks
|
|