Question

I have a little more detailed question, FileUpload from Subdomain to Folder of Main Domain, which I kinda solved, but I'm just not sure how secure my solution is.

In short, a logged in person can upload files, but they're on subdomain and the files are getting stored in the parent domain's folders. So I'm using:

    string sysPath = "C:/Inetpub/vhosts/domain.com/httpdocs/Uploads/Files/";

Is this acceptable?

Solution

I'm assuming you're asking if these files are safe from unauthorized access. The answer is "Not really". Those files are accessible by anyone able to guess (or otherwise obtain) the path to the files. I'd recommend storing them outside of the Inetpub folder (Something like C:\Uploads\). Once you've authenticated your user (i.e. the user is logged in somehow) you can stream/send the file like this:

    Response.Clear();
    Response.ContentType = "application/octet-stream";
    Response.AddHeader("Content-Disposition", "attachment; filename=\"" + filename + "\"");
    Response.TransmitFile(fullFilePath);
    Response.End();

filename is just the file name, not the full path.

EDIT: A little bit more detail

When you upload the file (as described in your other post) just be sure to store the file in a directory that doesn't include Inetpub. So, say your user uploads a file called foo.gif. You'll want to store it at C:\Uploads\foo.gif (in your upload.aspx). Now when someone visits Download.aspx run the following code:

    Response.Clear();
    Response.ContentType = "application/octet-stream";
    Response.AddHeader("Content-Disposition", "attachment; filename=\"foo.gif\"");
    Response.TransmitFile(@"C:\uploads\foo.gif");
    Response.End();

I've shown the values hard coded for clarity.
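
The following is an added example, not part of the original answer: once the file name comes from the request instead of being hard coded, it has to be checked before it reaches `Response.TransmitFile`. The helper name `DownloadPathResolver` is hypothetical, and a temporary directory stands in for `C:\Uploads\`.

```csharp
using System;
using System.IO;

// Hypothetical helper (added example, not the answerer's code).
public static class DownloadPathResolver
{
    // Returns the full path of requestedName inside uploadRoot,
    // or null when the request must be refused.
    public static string Resolve(string uploadRoot, string requestedName)
    {
        if (string.IsNullOrWhiteSpace(requestedName)) return null;
        if (requestedName == "." || requestedName == "..") return null;

        // Accept a bare file name only: no path separators, no drive specifier,
        // and nothing that would break the quoted Content-Disposition value.
        char[] forbidden = { '/', '\\', ':', '"', '\r', '\n' };
        if (requestedName.IndexOfAny(forbidden) >= 0) return null;
        if (requestedName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;

        // Canonicalize both paths and confirm the result is still under the root.
        string root = Path.GetFullPath(uploadRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, requestedName));
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;

        return File.Exists(candidate) ? candidate : null;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data: a temp directory plays the role of C:\Uploads\.
        string root = Path.Combine(Path.GetTempPath(), "UploadsDemo");
        Directory.CreateDirectory(root);
        File.WriteAllText(Path.Combine(root, "foo.gif"), "demo");

        string[] requests = { "foo.gif", "..\\web.config", "../foo.gif",
                              "C:\\Windows\\win.ini", "missing.gif", "" };
        foreach (string name in requests)
        {
            string path = DownloadPathResolver.Resolve(root, name);
            Console.WriteLine("\"{0}\" -> {1}", name, path ?? "refused");
        }
    }
}
```

In Download.aspx the call would sit after the login check, with a `null` result answered by a 404 rather than passed on to `Response.TransmitFile`.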

License: CC-BY-SA with attribution
Not affiliated with StackOverflow