By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
434,728 Members | 2,414 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 434,728 IT Pros & Developers. It's quick & easy.

Bug or security concern related to upload of binary files and IHttpModule?

P: n/a
Hi all, We are trying to make an ISAPI Filter, in .NET by implementing the
IHttpModule interface, that will authorize the request for certain binary
file types (GET), this is working fine. But we also want it to authorize the
upload of binary files (PUT), The problem with the PUT-scenario is that the
file is *not* uploaded when its extension *is* mapped up in IIS, by mapped
up I mean the Application Mappings displayed when clicking on the
configuration button on the property page for the [virtual folder]/[web
application] in question. We have tried this both with and without our
assembly running in the upload directory, the same happens either way, the
file is uploaded as long as its extension is *not* mapped up in IIS, when I
map up the extension I am no longer able upload files with that extension.
By running these tests we have verified that our code is not the black sheep
in the current scenario. So what I want to know is, could this be a bug? Or
is this a security concern and what I am trying to do is not allowed?

Regards,
Kenneth Myhra
Nov 18 '05 #1
Share this Question
Share on Google+
2 Replies


P: n/a

"Kenneth Myhra" <ke**********@hotmail.com> wrote in message
news:e6**************@TK2MSFTNGP12.phx.gbl...
Hi all, We are trying to make an ISAPI Filter, in .NET by implementing the
IHttpModule interface, that will authorize the request for certain binary
file types (GET), this is working fine. But we also want it to authorize the upload of binary files (PUT), The problem with the PUT-scenario is that the file is *not* uploaded when its extension *is* mapped up in IIS, by mapped
up I mean the Application Mappings displayed when clicking on the
configuration button on the property page for the [virtual folder]/[web
application] in question. We have tried this both with and without our
assembly running in the upload directory, the same happens either way, the
file is uploaded as long as its extension is *not* mapped up in IIS, when I map up the extension I am no longer able upload files with that extension.
By running these tests we have verified that our code is not the black sheep in the current scenario. So what I want to know is, could this be a bug? Or is this a security concern and what I am trying to do is not allowed?

Regards,
Kenneth Myhra


I have never used HTTP PUT, but I guess the reasoning is this:
when a file with a mapped extension (say "aspx") is uploaded and
stored, how should IIS know how to treat this file upon request?
As it has an aspx extension, it should be handled by the asp.net
subsystem, rather than just upload the contents.
So, even if you could disable security so upload is possible,
then you might not get the expected contents when you try to
retrieve it!
Maybe you could have an upload directory where no mappings
at all are defined?

Hans Kesting
Nov 18 '05 #2

P: n/a
Hi Hans thanks for your reply! I am not trying to upload .aspx files, which
I see now is not either possible when the mapping is in place, but .doc,
..zip and other binary files. I have manually set the mapping to these files
because I want to be able to authorize the put request by using an
IHttpModule instead of using a C++ ISAPI filter so the option of having an
upload directory where there are no mappings is not acceptable in the
current scenario, because I want the asp.net subsystem to handle the request
and initalize my IHttpModule so that I can authorize the request based on
session data. How would I go about to disable security for PUT requests, if
it is possible?

Regards,
Kenneth Myhra

"Hans Kesting" <ne***********@spamgourmet.com> wrote in message
news:OF**************@TK2MSFTNGP11.phx.gbl...

"Kenneth Myhra" <ke**********@hotmail.com> wrote in message
news:e6**************@TK2MSFTNGP12.phx.gbl...
Hi all, We are trying to make an ISAPI Filter, in .NET by implementing the IHttpModule interface, that will authorize the request for certain binary file types (GET), this is working fine. But we also want it to authorize the
upload of binary files (PUT), The problem with the PUT-scenario is that

the
file is *not* uploaded when its extension *is* mapped up in IIS, by mapped up I mean the Application Mappings displayed when clicking on the
configuration button on the property page for the [virtual folder]/[web
application] in question. We have tried this both with and without our
assembly running in the upload directory, the same happens either way, the file is uploaded as long as its extension is *not* mapped up in IIS, when I
map up the extension I am no longer able upload files with that

extension. By running these tests we have verified that our code is not the black

sheep
in the current scenario. So what I want to know is, could this be a bug?

Or
is this a security concern and what I am trying to do is not allowed?

Regards,
Kenneth Myhra


I have never used HTTP PUT, but I guess the reasoning is this:
when a file with a mapped extension (say "aspx") is uploaded and
stored, how should IIS know how to treat this file upon request?
As it has an aspx extension, it should be handled by the asp.net
subsystem, rather than just upload the contents.
So, even if you could disable security so upload is possible,
then you might not get the expected contents when you try to
retrieve it!
Maybe you could have an upload directory where no mappings
at all are defined?

Hans Kesting

Nov 18 '05 #3

This discussion thread is closed

Replies have been disabled for this discussion.