
security issue about expose file directory

Hi all,

If in an ASP program, I need to display a pdf file link for users to print
and read. Is there any security issue? We are thinking about doing this as
many mail servers block emails with pdf file attachment. We just try to give
an opportunity to users to print the document themselves instead of
completely depending on email delivery.

Thank you.
--
Betty
Jan 31 '07 #1
c676228 wrote on 31 jan 2007 in microsoft.public.inetserver.asp.general:

> If in an ASP program, I need to display a pdf file link for users to
> print and read. Is there any security issue? We are thinking about
> doing this as many mail servers block emails with pdf file attachment.
> We just try to give an opportunity to users to print the document
> themselves instead of completely depending on email delivery.

You can just put the pdf file on the website, and as long as your users do
not divulge the address, it is safe, just as safe as if you send them the
file and they can send it to anyone else.

You could put the file behind a password, using ASP.

Showing the content of a directory is not necessary at all.
You can place a dummy index.asp or switch the IIS to no show.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Jan 31 '07 #2
Hi Evertjan,
The pdf file is unique to every user who purchased on our web site. So it is
not a generic pdf file. Could you explain a little more "Showing the content
of a directory is not necessary at all.
You can place a dummy index.asp or switch the IIS to no show." I don't get it yet.
Thank you.
--
Betty
Jan 31 '07 #3
c676228 wrote on 31 jan 2007 in microsoft.public.inetserver.asp.general:

> You can place a dummy index.asp or switch the IIS to no show." I
> don't get it yet.

[Please do not toppost on usenet]

> The pdf file is unique to every user who purchased on our web site. So
> it is not a generic pdf file.

That does not matter, if the pdf file has a location in one of your web
directories, it can be reached from the web if you tell your customer where
it is in a link you sent him.

> Could you explain a little more
> "Showing the content of a directory is not necessary at all.

Why would it be necessary? Why would you plan to show it?

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Jan 31 '07 #4

"c676228" <be****@community.nospam> wrote in message
news:50**************************@microsoft.com...
> Hi Evertjan,
> The pdf file is unique to every user who purchased on our web site. So it
> is not a generic pdf file. Could you explain a little more "Showing the
> content of a directory is not necessary at all.
> You can place a dummy index.asp or switch the IIS to no show." I don't
> get it yet.

Is it important to restrict users to seeing only their reports and not
others?

I'll guess yes.

In that case you definitely will not want to give directory browsing to the
users.

Do these users receiving the email have a username and password they need to
use to access the web site?

If so then email them a link which requires them to enter their username and
password before redirecting to the PDF.

If not, then some form of security can be achieved by including a
GUID in the link to the PDF.

Anthony.
Feb 1 '07 #5
Anthony Jones wrote on 01 feb 2007 in microsoft.public.inetserver.asp.general:
A fairly safe way is to use a use-once-web-address.

So the client giving away the address would not be very useful.

How?

Make an ASP file with a unique name, like
http://domain.xyz/useoncedir/user+pa...thepdfname.asp
Program it to download the pdf using a bitstream,
and immediately, or after a fixed time, say 10 minutes,
delete that asp file. The pdf location is kept secret.

The whole thing can be made virtual using a custom 404.asp,
catching all requests for:
http://domain.xyz/useoncedir/
so that the asp file does not have to exist,
and the virtual asp file could even be named:
http://domain.xyz/useoncedir/user+pa...thepdfname.pdf

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Feb 1 '07 #6

"Evertjan." <ex**************@interxnl.net> wrote in message
news:Xn********************@194.109.133.242...
One caveat: I would not send out a URL in an email that includes the user's
name and password. Use a GUID, it's unique.

If there is an additional requirement that we don't want the user to view the
content and then later view it again (or give the URL to someone else to
view, which seems a bit draconian to me) then you can still use an ASP file
to deliver the content but limit the time the content can be viewed after
first use. There is no need for a 404 trick though; put the GUID in the
query string to a single ASP page.


Feb 1 '07 #7
Hi Anthony and Evertjan,
Thank you both for the ideas. I did use GUID to display a unique pdf to a
customer.
In order to hide the real pdf directory, I think I can use Evertjan's idea:
make that link temporary and remove that pdf after 10-15 min., and thus we
can hide the real pdf directory.
Can you tell me what is the best way to do
"The whole thing can be made virtual using a custom 404.asp,
catching all requests for:
http://domain.xyz/useoncedir/"

Thank you.
--
Betty
Feb 2 '07 #8
c676228 wrote:
> Hi Anthony and Evertjan,
> Thank you both for the ideas. I did use GUID to display a unique pdf
> to a customer.
> In order to hide the real pdf directory,
> Here I think I can use Evertjan's idea: make that link temporarily and
> remove that pdf after like 10-15 min. and thus we can hide the real
> pdf directory.
> Can you tell me what is the best way to
> "The whole thing can be made virtual using a custom 404.asp,
> catching all requests for:
> http://domain.xyz/useoncedir/"
Do you know how to use the IIS Management Console to assign a custom script
for 404 errors?

If so, create an empty application -- for example, /UseOnce/ -- on your
website, and assign such a script for that application. In that script,
examine Request.QueryString. It will contain the full requested URL. Now you
can parse it.

In fact, all of the desired DATA in that URL comes after the string
/UseOnce/, so you can strip everything before it out:

URL:
http://your.domain.com/UseOnce/6CA82...0-8C811E45CFB2

JScript:
// Request.QueryString is a collection object in ASP JScript, so coerce it to a string first
var Data = String(Request.QueryString).replace(/.*\/UseOnce\//, "")

vbscript:
Set RX = New RegExp
RX.Pattern = ".*/UseOnce/"
Data = RX.Replace(Request.QueryString, "")

In either example, the variable [Data] contains the string
"6CA825B0-2096-43ED-94E0-8C811E45CFB2". Go from there.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Feb 2 '07 #9
c676228 wrote on 02 feb 2007 in microsoft.public.inetserver.asp.general:

> Hi Anthony and Evertjan,
> Thank you both for the ideas. I did use GUID to display a unique pdf
> to a customer.
> In order to hide the real pdf directory,
> Here I think I can use Evertjan's idea: make that link temporarily and
> remove that pdf after like 10-15 min. and thus we can hide the real
> pdf directory.
> Can you tell me what is the best way to
> "The whole thing can be made virtual using a custom 404.asp,
> catching all requests for:
> http://domain.xyz/useoncedir/"
[Please do not toppost on usenet]

In custom 404.asp,
do something like this,
[this actual code not tested, debug as required]

<%
'' IIS passes the failed request to the custom error page as
'' QUERY_STRING = "404;http://host:port/requested/path"
qstr = LCase(Request.ServerVariables("QUERY_STRING"))

'' this is my default picture if I have the link wrong:
If Right(qstr, 4) = ".jpg" Or Right(qstr, 4) = ".gif" Then
    Response.Redirect "/noPicFound404.gif"
End If

If InStr(qstr, "404;http://domain.xyz:80/useoncedir/") > 0 Then
    '' everything after /useoncedir/ is the (virtual) file name
    x = InStr(qstr, "/useoncedir/") + Len("/useoncedir/")
    once = Mid(qstr, x, 99)
    strFileName = "/secretfile102938/" & once
    strFilePath = Server.MapPath(strFileName)
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")

    '' only the names listed here are ever served, and only before their deadline
    '' (names must be lower case because qstr was lower-cased above)
    ok = False
    If once = "file123.pdf" And Now < #2007/02/02 23:27# Then ok = True
    If once = "file456.pdf" And Now < #2007/02/03 20:27# Then ok = True
    If once = "file78a.pdf" And Now < #2007/02/03 05:27# Then ok = True
    ''' better use a database but the above is a simple form

    If objFSO.FileExists(strFilePath) And ok Then
        '' stream the pdf from its secret location; the real path never appears in a URL
        Set objStream = Server.CreateObject("ADODB.Stream")
        objStream.Open
        objStream.Type = 1   '' adTypeBinary
        objStream.LoadFromFile strFilePath
        Response.Buffer = False
        Response.ContentType = "application/pdf"
        Response.AddHeader "Content-Disposition", "inline;filename=" & once
        Response.BinaryWrite objStream.Read
        Response.Flush
        objStream.Close
        Set objStream = Nothing
    Else
        Response.Write "Sorry, nonexisting file"
    End If
    Set objFSO = Nothing
    Response.End
End If
%>
<html>
........
This is the 404 page
........
</html>
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Feb 2 '07 #10
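The token check behind the custom-404 trick discussed in this thread, as an added example that is not code from any of the posts: it parses the IIS custom-error query string the way Dave's JScript does, keeps Evertjan's "better use a database" deadline table, and adds Anthony's view-window after first use. Written in plain Node.js so it can be run offline; the GUIDs and rows are constructed sample data, the /UseOnce/ and /secretfile102938/ paths are taken from the posts, and streaming the file is left to the caller.

```javascript
"use strict";

// IIS hands a failed request to the custom 404 page as
// QUERY_STRING = "404;http://host:port/original/path" (as the thread shows).
const USE_ONCE_PREFIX = "/UseOnce/";
const SECRET_DIR = "/secretfile102938/"; // real PDF location, never in a URL
// Only a well-formed GUID is accepted as a token, so the URL can never name
// a file directly (no "../" tricks); the file name comes from the table.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Pull the GUID that follows /UseOnce/ out of the custom-404 query string.
// Returns null for anything that is not a well-formed use-once request.
function extractToken(queryString) {
  const m = /^404;https?:\/\/[^\/]+(\/.*)$/i.exec(queryString || "");
  if (!m) return null;
  const path = m[1];
  if (!path.toLowerCase().startsWith(USE_ONCE_PREFIX.toLowerCase())) return null;
  const token = path.slice(USE_ONCE_PREFIX.length).split(/[?#]/)[0];
  return GUID_RE.test(token) ? token.toUpperCase() : null;
}

// The "better use a database" part of Evertjan's script: token -> row.
// expires: the link is dead after this time; graceMs: how long after the
// first fetch the link keeps working (0 = strict use-once; a positive value
// is Anthony's "limit the time after first use"). Constructed sample rows.
function makeSampleTable(nowMs) {
  const MIN = 60 * 1000;
  return new Map([
    ["6CA825B0-2096-43ED-94E0-8C811E45CFB2",
      { file: "file123.pdf", expires: nowMs + 10 * MIN, graceMs: 0, firstUsedAt: null }],
    ["0F5E4D3C-2B1A-4E9F-8D7C-6B5A4F3E2D1C",
      { file: "file456.pdf", expires: nowMs + 60 * MIN, graceMs: 10 * MIN, firstUsedAt: null }],
    ["11111111-2222-4333-8444-555555555555",
      { file: "file78a.pdf", expires: nowMs - 1, graceMs: 0, firstUsedAt: null }],
  ]);
}

// Decide whether a request may be served. Returns {status, file}; the caller
// streams `file` (ADODB.Stream in classic ASP) only when status is "ok".
function resolveRequest(queryString, table, nowMs) {
  const token = extractToken(queryString);
  if (!token) return { status: "ignored", file: null }; // fall through to the normal 404 page
  const entry = table.get(token);
  if (!entry) return { status: "unknown", file: null };
  if (nowMs > entry.expires) return { status: "expired", file: null };
  if (entry.firstUsedAt !== null &&
      (entry.graceMs === 0 || nowMs - entry.firstUsedAt > entry.graceMs)) {
    return { status: "used", file: null };
  }
  if (entry.firstUsedAt === null) entry.firstUsedAt = nowMs; // consume the link
  return { status: "ok", file: SECRET_DIR + entry.file };
}
```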