Geek Answers Handbook

Standard practice for working with user uploaded files in asp.net web application

This is the first time I am creating a web application for the sole purpose of processing user-uploaded files, and I have a few questions regarding how this is usually done:

  • Are there any security issues that I should consider? The files to be processed are essentially text files that my application will read line by line. Should I limit the file download extension and / or are there any other precautions that I should take into account?

  • What is the best organizational method for uploading files? These files do not have to be saved in my application, so I just need to reset them in the "Data" public folder and delete everything that you no longer need?

  • Are there any other important aspects to building web applications with similar features that I missed?

thanks

+7
source share
2 answers

  • The only security issue you should observe is pasting raw text (without clearing data to prevent SQL injection) into the database. If there is no database, you should be fine. As for extensions, restrictive extensions are a really bad top-level filter. It's nice to have, but it just peers deep into what the file really contains. Limiting the file size will also help.

  • Saving to disk can be expensive with a lot of transactions, but on the other hand, it will clutter up your server memory with fewer more requests / more threads. You can also work with files in memory, but this can be harmful for large files. Think about what you are working with and choose the best approach.

  • Define a timeout so that large downloaded files do not take up unnecessary server processes when in the end they are too large.

I assume that you are working with an ASP.NET FileUpload . Keep in mind that the file is not saved through postbacks (to prevent a security hole), so the user has to constantly view the file every time a page is requested. This is unpleasant if you have server validators.

Edited to respond to the comment:

Working in memory, I’m talking about manipulating a file downloaded exclusively through code without resorting to physical storage on the server’s disk.

For example, if you use the FileUpload control, you can access the user file through the Stream FileUpload.FileContent object or as a FileUpload.FileBytes byte array ( API Reference ). Since a Stream you can simply read the file on the fly without first saving it.

Markup:

 <asp:FileUpload ID="fileUploadControl" ToolTip="Upload a file" runat="server" />

Codebehind:

 If fileUploadControl.HasFile AndAlso _ (fileUploadControl.FileName.ToLower().EndsWith(".txt") OrElse _ fileUploadControl.ToLower().FileName.EndsWith(".dat")) Then SaveThisToDataBase(fileUploadControl.FileName, fileUploadControl.FileBytes) End If

Cm? No need to save to disk at all. fileUploadControl.FileBytes contains bytes of data loaded.

If you want to save the file, you can simply use the stream to write to disk.

+4
source

I don’t know how “standard” my answer is, but here is what I did when I had a similar setup:

  • I have limited file extensions to several file types to make it more difficult to download bad files. It’s easy to get around, but at least this is another step that the attacker had to take.

  • I had to add write permissions to the IUSR account in IIS in the folder in which I stored the files. This folder was a subfolder of my application root folder.

  • I had to deal with a large number of files, so I created a new subfolder for each month, for example Uploaded\012012 , Uploaded\022012 , etc. This speeds up file access, as I only had a few hundred files in each folder. I saved every download in the database and had a scheduled task for regularly cleaning the file system. It also deleted the old empty folders.

As I said, I don’t know if this is standard (or even if this is really good practice), but it worked perfectly for the environment in which I used it.

+3
source

More articles:


All Articles