Best Way to Protect Certain File Types in a Directory from Being Served
https://stackoverflow.com/questions/10386007
-
04-06-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianDomanda
I have a directory, "d:/resources/xxxxx/file-name.xxx" that stores the file types: .png, .xml, .pdf, which are accessed by a website. A virtual directory is set up in IIS, "resources," which points to this hard drive location, to allow the .png images to be accessed through an http request, but I am referencing the .pdf and .xml files by their hard drive location. These files are part of a workflow process so they must all remain in their current directory structure.
IIS needs to be allowed to serve the .png images, but I do not want it to be allowed to serve the .pdf or .xml files, for security purposes.
I tried setting up an http handler, which would have worked fine, but I can't make the path specific enough. If I set it to "/resources/*", then I need to manually output the allowed file types and that was getting a bit wonky. I can't set the path to "*.pdf" because other directories should be allowed to have their .pdf files accessed.
I'm just looking for a straight forward way to restrict access if someone tries to go to "www.mysite.com/resources/dir/mypdf.pdf," or ".../myxml.xml," but still allow .png and all other potential file types to be served.
Also, please let me know if I am going about this all the wrong way.
Soluzione
Try adding this before your closing tag for configuration and see how it does:
<location path="/resources">
<system.webServer>
<handlers>
<add name="PdfForbiddenHandler" path="*.pdf" verb="*" type="System.Web.HttpForbiddenHandler" resourceType="File" preCondition="integratedMode" />
<add name="XmlForbiddenHandler" path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" resourceType="File" preCondition="integratedMode" />
</handlers>
</system.webServer>
</location>
Altri suggerimenti
To use the IIS (7.x, classic mode) Manager UI:
- Expand your site and select the "resources" directory.
- In Features View, double-click Handler Mappings.
- In the grid, find the module mapping named 'StaticFile', double-click this item;
- Enter the file name extension that are allowed e.g. *.png, *.gif etc.
- Click OK.
