Is it possible for user to escape asp.net core's application folder?
Question
For example file css.css is accessible because it should be
access url:
localhost:1234/css.css
projects_folder
- application.dll
- wwwroot\css.css
but what about situation:
disk
secret_folder
- secret.txt
application_folder
- application.dll
- wwwroot\css.css
Can I safely assume that user is unable to this even with some tricks! :
localhost:1234/../secret_folder/secret.txt
in default ASP .NET Core's MVC template?
1 answers
solution1
1 2018-10-23 09:55:05
It depends on how the application is configured.
In the default ASP .NET Core's MVC template you should have the following in your Startup.Configure to allow access to static files in the wwwroot folder:
public void Configure(IApplicationBuilder app)
{
app.UseStaticFiles(); // For the wwwroot folder
}
The parameterless UseStaticFiles method overload marks the files in web root (wwwroot) as servable.
In order to access static files outside of the web root you would be required to add further configuration, as described in the following link:
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.