C# 设置权限后如何防止从浏览器直接下载文件[read=allow]
我有一个下载文件的处理程序，如下所示：
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.IO;
using NiceFileExplorer.Classes;
namespace NiceFileExplorer
{
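/// <summary>
/// Serves one file from the site's download folder to a logged-in user.
/// The file is chosen by the "Downloadpath" query-string value (a virtual path such as
/// "/Files/samsung/x.exe"). Requests without a session, that resolve outside
/// <see cref="AllowedVirtualRoot"/>, or that name a file that does not exist are refused
/// before anything is read from disk.
/// </summary>
public class HandlerForMyFE : IHttpHandler, System.Web.SessionState.IRequiresSessionState
{
    /// <summary>
    /// Virtual folder that downloads may come from. The query-string path is mapped and
    /// canonicalised, then required to lie under this folder, so ".." segments, absolute
    /// paths or encoded separators cannot reach web.config or any other file on the
    /// server. Change this if the download folder is moved.
    /// </summary>
    private const string AllowedVirtualRoot = "~/Files";

    private HttpContext _context;

    /// <summary>Context of the request currently being processed.</summary>
    private HttpContext Context
    {
        get { return _context; }
        set { _context = value; }
    }

    /// <summary>
    /// Entry point invoked by ASP.NET for every request routed to this handler.
    /// </summary>
    /// <param name="context">Current request/response pair.</param>
    public void ProcessRequest(HttpContext context)
    {
        Context = context;
        HttpResponse response = context.Response;

        // Authorise first: the original read the whole file before looking at the
        // session, so anonymous requests still cost a disk read.
        if (context.Session == null || context.Session["User_ID"] == null)
        {
            response.StatusCode = 403;
            return;
        }

        string requested = context.Request.QueryString["Downloadpath"];
        if (string.IsNullOrEmpty(requested))
        {
            response.StatusCode = 400;
            return;
        }

        string physicalPath = ResolveAllowedPath(context, requested);
        if (physicalPath == null || !File.Exists(physicalPath))
        {
            // One status for both "outside the allowed folder" and "no such file" so the
            // handler does not tell a caller which paths exist on the server.
            response.StatusCode = 404;
            return;
        }

        // ReadAllBytes always returns the complete file; the previous single
        // BinaryReader.Read call was not guaranteed to fill the buffer. The content is
        // still held in memory as before (Response.TransmitFile would stream it instead).
        byte[] bytes = File.ReadAllBytes(physicalPath);
        string fileName = Path.GetFileName(physicalPath);
        WriteFile(bytes, fileName, GetMimeType(fileName), response);
    }

    /// <summary>
    /// Maps an untrusted virtual path to a physical path and checks that it is inside
    /// <see cref="AllowedVirtualRoot"/>.
    /// </summary>
    /// <param name="context">Supplies <c>Server.MapPath</c>.</param>
    /// <param name="virtualPath">Path taken from the request; treated as hostile.</param>
    /// <returns>
    /// The canonical physical path, or <c>null</c> when the value is malformed, cannot be
    /// mapped, or does not lie under the allowed folder.
    /// </returns>
    private static string ResolveAllowedPath(HttpContext context, string virtualPath)
    {
        string root;
        string candidate;
        try
        {
            root = Path.GetFullPath(context.Server.MapPath(AllowedVirtualRoot));
            // MapPath throws for ".." that climbs above the application root and for a
            // physical path or invalid characters; GetFullPath normalises what remains
            // (mixed separators, "a\..\b") so the prefix test compares canonical forms.
            candidate = Path.GetFullPath(context.Server.MapPath(virtualPath));
        }
        catch (HttpException)
        {
            return null;
        }
        catch (ArgumentException)
        {
            return null;
        }
        catch (NotSupportedException)
        {
            return null;
        }
        catch (PathTooLongException)
        {
            return null;
        }

        // Compare against "root\" so a sibling folder such as "FilesOld" is not accepted
        // as a prefix match.
        string rootWithSeparator =
            root.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        if (!candidate.StartsWith(rootWithSeparator, StringComparison.OrdinalIgnoreCase))
        {
            return null;
        }
        return candidate;
    }

    /// <summary>
    /// Writes <paramref name="content"/> to the response as a downloadable attachment.
    /// </summary>
    /// <param name="content">Complete file contents.</param>
    /// <param name="fileName">Name offered to the browser (no directory part).</param>
    /// <param name="contentType">Value for the Content-Type header.</param>
    /// <param name="response">Response to write to; any buffered output is discarded.</param>
    private void WriteFile(byte[] content, string fileName, string contentType, HttpResponse response)
    {
        response.Buffer = true;
        response.Clear();
        // The original sent "<mime> <ext>", which is not a valid media type.
        response.ContentType = contentType;
        // Quote the name and strip the characters that could end the quoted string or
        // the header line, so the file name cannot alter the header.
        string safeName = fileName.Replace("\"", "").Replace("\r", "").Replace("\n", "");
        response.AddHeader("content-disposition", "attachment; filename=\"" + safeName + "\"");
        response.AddHeader("Content-Length", content.Length.ToString());
        response.BinaryWrite(content);
        response.Flush();
        // CompleteRequest finishes the pipeline without the ThreadAbortException that
        // Response.End raises; if no application instance is available the handler
        // simply returns and ASP.NET ends the response.
        if (Context != null && Context.ApplicationInstance != null)
        {
            Context.ApplicationInstance.CompleteRequest();
        }
    }

    /// <summary>
    /// Looks up the MIME type registered for the file's extension under HKEY_CLASSES_ROOT.
    /// </summary>
    /// <param name="fileName">File name or path whose extension is inspected.</param>
    /// <returns>
    /// The extension's registered "Content Type" value, or "application/octet-stream" when
    /// there is no extension or no registered type.
    /// </returns>
    private static string GetMimeType(string fileName)
    {
        const string fallback = "application/octet-stream";
        string ext = Path.GetExtension(fileName).ToLowerInvariant();
        if (ext.Length == 0)
        {
            return fallback;
        }
        // RegistryKey is IDisposable; the original left the handle open on every request.
        using (Microsoft.Win32.RegistryKey regKey = Microsoft.Win32.Registry.ClassesRoot.OpenSubKey(ext))
        {
            object value = regKey == null ? null : regKey.GetValue("Content Type");
            string mimeType = value as string;
            return string.IsNullOrEmpty(mimeType) ? fallback : mimeType;
        }
    }

    /// <summary>
    /// False: ASP.NET creates a new instance per request, so the per-request
    /// <see cref="Context"/> field is never shared between requests.
    /// </summary>
    public bool IsReusable
    {
        get { return false; }
    }
}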
}
http://localhost:5410/en/Download.aspx?Downloadpath=%2fFiles%2f%2fsamsung%2fGE2550_DEFAULT_MDL_V002.exe
我网站中的一个下载链接如下所示:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.IO;
using NiceFileExplorer.Classes;
namespace NiceFileExplorer
{
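/// <summary>
/// Serves one file from the site's download folder to a logged-in user.
/// The file is chosen by the "Downloadpath" query-string value (a virtual path such as
/// "/Files/samsung/x.exe"). Requests without a session, that resolve outside
/// <see cref="AllowedVirtualRoot"/>, or that name a file that does not exist are refused
/// before anything is read from disk.
/// </summary>
public class HandlerForMyFE : IHttpHandler, System.Web.SessionState.IRequiresSessionState
{
    /// <summary>
    /// Virtual folder that downloads may come from. The query-string path is mapped and
    /// canonicalised, then required to lie under this folder, so ".." segments, absolute
    /// paths or encoded separators cannot reach web.config or any other file on the
    /// server. Change this if the download folder is moved.
    /// </summary>
    private const string AllowedVirtualRoot = "~/Files";

    private HttpContext _context;

    /// <summary>Context of the request currently being processed.</summary>
    private HttpContext Context
    {
        get { return _context; }
        set { _context = value; }
    }

    /// <summary>
    /// Entry point invoked by ASP.NET for every request routed to this handler.
    /// </summary>
    /// <param name="context">Current request/response pair.</param>
    public void ProcessRequest(HttpContext context)
    {
        Context = context;
        HttpResponse response = context.Response;

        // Authorise first: the original read the whole file before looking at the
        // session, so anonymous requests still cost a disk read.
        if (context.Session == null || context.Session["User_ID"] == null)
        {
            response.StatusCode = 403;
            return;
        }

        string requested = context.Request.QueryString["Downloadpath"];
        if (string.IsNullOrEmpty(requested))
        {
            response.StatusCode = 400;
            return;
        }

        string physicalPath = ResolveAllowedPath(context, requested);
        if (physicalPath == null || !File.Exists(physicalPath))
        {
            // One status for both "outside the allowed folder" and "no such file" so the
            // handler does not tell a caller which paths exist on the server.
            response.StatusCode = 404;
            return;
        }

        // ReadAllBytes always returns the complete file; the previous single
        // BinaryReader.Read call was not guaranteed to fill the buffer. The content is
        // still held in memory as before (Response.TransmitFile would stream it instead).
        byte[] bytes = File.ReadAllBytes(physicalPath);
        string fileName = Path.GetFileName(physicalPath);
        WriteFile(bytes, fileName, GetMimeType(fileName), response);
    }

    /// <summary>
    /// Maps an untrusted virtual path to a physical path and checks that it is inside
    /// <see cref="AllowedVirtualRoot"/>.
    /// </summary>
    /// <param name="context">Supplies <c>Server.MapPath</c>.</param>
    /// <param name="virtualPath">Path taken from the request; treated as hostile.</param>
    /// <returns>
    /// The canonical physical path, or <c>null</c> when the value is malformed, cannot be
    /// mapped, or does not lie under the allowed folder.
    /// </returns>
    private static string ResolveAllowedPath(HttpContext context, string virtualPath)
    {
        string root;
        string candidate;
        try
        {
            root = Path.GetFullPath(context.Server.MapPath(AllowedVirtualRoot));
            // MapPath throws for ".." that climbs above the application root and for a
            // physical path or invalid characters; GetFullPath normalises what remains
            // (mixed separators, "a\..\b") so the prefix test compares canonical forms.
            candidate = Path.GetFullPath(context.Server.MapPath(virtualPath));
        }
        catch (HttpException)
        {
            return null;
        }
        catch (ArgumentException)
        {
            return null;
        }
        catch (NotSupportedException)
        {
            return null;
        }
        catch (PathTooLongException)
        {
            return null;
        }

        // Compare against "root\" so a sibling folder such as "FilesOld" is not accepted
        // as a prefix match.
        string rootWithSeparator =
            root.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        if (!candidate.StartsWith(rootWithSeparator, StringComparison.OrdinalIgnoreCase))
        {
            return null;
        }
        return candidate;
    }

    /// <summary>
    /// Writes <paramref name="content"/> to the response as a downloadable attachment.
    /// </summary>
    /// <param name="content">Complete file contents.</param>
    /// <param name="fileName">Name offered to the browser (no directory part).</param>
    /// <param name="contentType">Value for the Content-Type header.</param>
    /// <param name="response">Response to write to; any buffered output is discarded.</param>
    private void WriteFile(byte[] content, string fileName, string contentType, HttpResponse response)
    {
        response.Buffer = true;
        response.Clear();
        // The original sent "<mime> <ext>", which is not a valid media type.
        response.ContentType = contentType;
        // Quote the name and strip the characters that could end the quoted string or
        // the header line, so the file name cannot alter the header.
        string safeName = fileName.Replace("\"", "").Replace("\r", "").Replace("\n", "");
        response.AddHeader("content-disposition", "attachment; filename=\"" + safeName + "\"");
        response.AddHeader("Content-Length", content.Length.ToString());
        response.BinaryWrite(content);
        response.Flush();
        // CompleteRequest finishes the pipeline without the ThreadAbortException that
        // Response.End raises; if no application instance is available the handler
        // simply returns and ASP.NET ends the response.
        if (Context != null && Context.ApplicationInstance != null)
        {
            Context.ApplicationInstance.CompleteRequest();
        }
    }

    /// <summary>
    /// Looks up the MIME type registered for the file's extension under HKEY_CLASSES_ROOT.
    /// </summary>
    /// <param name="fileName">File name or path whose extension is inspected.</param>
    /// <returns>
    /// The extension's registered "Content Type" value, or "application/octet-stream" when
    /// there is no extension or no registered type.
    /// </returns>
    private static string GetMimeType(string fileName)
    {
        const string fallback = "application/octet-stream";
        string ext = Path.GetExtension(fileName).ToLowerInvariant();
        if (ext.Length == 0)
        {
            return fallback;
        }
        // RegistryKey is IDisposable; the original left the handle open on every request.
        using (Microsoft.Win32.RegistryKey regKey = Microsoft.Win32.Registry.ClassesRoot.OpenSubKey(ext))
        {
            object value = regKey == null ? null : regKey.GetValue("Content Type");
            string mimeType = value as string;
            return string.IsNullOrEmpty(mimeType) ? fallback : mimeType;
        }
    }

    /// <summary>
    /// False: ASP.NET creates a new instance per request, so the per-request
    /// <see cref="Context"/> field is never shared between requests.
    /// </summary>
    public bool IsReusable
    {
        get { return false; }
    }
}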
}
http://localhost:5410/en/Download.aspx?Downloadpath=%2fFiles%2f%2fsamsung%2fGE2550_DEFAULT_MDL_V002.exe
所以，我可以通过该处理程序轻松地控制我的下载链接。
我的问题是，当有人将链接更改为：
http://localhost:5410/Files/samsung/GE2550_DEFAULT_MDL_V002.exe
就可以不经过该处理程序代码而直接下载该文件。
如何防止这种直接下载？
首先，将文件的实际物理路径放入查询字符串（querystring）并不是一个好主意。这向公众暴露的信息有点过多，并且会使您面临安全问题，因为有人可能会在 URL 中放入意外的路径，以尝试下载其他文件。
话虽如此,关于上述问题,您应该将文件文件夹放在web根目录之外,以便浏览器无法访问它,或者设置IIS,以便不允许任何人访问该文件夹(及其子文件夹)。只要运行ASP.NET的帐户对该文件夹具有权限,您仍然可以在代码中打开该文件并将其写入响应,而不管它是否通过IIS可见。首先,将文件的实际物理路径放入查询字符串中并不是一个好主意。向公众提供的信息有点过多,并且会使您面临安全问题,因为有人将意外路径放入url以尝试下载其他文件
话虽如此,关于上述问题,您应该将文件文件夹放在web根目录之外,以便浏览器无法访问它,或者设置IIS,以便不允许任何人访问该文件夹(及其子文件夹)。只要运行ASP.NET的帐户具有该文件夹的权限,您仍然可以在代码中打开该文件并将其写入响应,无论它是否通过IIS可见。您好,亲爱的兄弟,谢谢您的回答!如何从iis中删除不可见的文件?当我更改“文件”文件夹的权限时,出现错误(拒绝访问“文件”文件夹)!你能给我解释一下你运行的是什么版本的IIS吗?你真的有权访问IIS管理控制台吗?或者你是使用某种控制面板的共享主机帐户吗?windows server 2008 r2-我有一个私人服务器,可以远程访问我亲爱的兄弟,谢谢你的回答!如何从iis中删除不可见的文件?当我更改“文件”文件夹的权限时,出现错误(拒绝访问“文件”文件夹)!您能给我解释一下您运行的IIS的版本吗?您是否真的有权访问IIS管理控制台,或者您使用的是带有某种控制面板的共享主机帐户?windows server 2008 r2-我有一个专用服务器,可以远程访问它