I want to block users from running specific extensions in an upload folder (/assets/public/) of a web application. Users can upload image files, which are also resized during the upload. But for more security I want to deny scripts like aspx, asp, php...
I currently have code which blocks every extension, but I want to allow extensions like .jpg:
<location path="assets/public">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
Also, users do not have FTP access and the application is pre-compiled.
Try
<httpModules>
  <clear />
</httpModules>
or
<location path="." inheritInChildApplications="false">
</location>
Here is how I solved this with global.asax and routing. I just added these rules:
routes.MapPageRoute("any", "assets/public/{file}.{ext}", "~/e/404.aspx");
routes.MapPageRoute("any-sub", "assets/public/{sub}/{file}.{ext}", "~/e/404.aspx");
routes.Ignore("{any}.jpg");
routes.Ignore("{any}.png");
routes.Ignore("{any}.gif");
routes.Ignore("{any}.pdf");
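An added example, not part of the original question or answers: the same goal expressed as an extension allow-list with IIS request filtering, scoped to the upload folder from the question. It assumes IIS 7 or later with the Request Filtering feature installed and the section not locked at server level; the extension list mirrors the one in the routing rules above.

```xml
<configuration>
  <!-- Added example: applies only to the upload folder named in the question -->
  <location path="assets/public">
    <system.webServer>
      <security>
        <requestFiltering>
          <!-- allowUnlisted="false" turns the list into an allow-list:
               a request for any extension not listed below (.aspx, .asp,
               .php, ...) is rejected by IIS with HTTP 404.7 before any
               handler is invoked -->
          <fileExtensions allowUnlisted="false">
            <!-- Drop inherited entries so the list below is the whole policy -->
            <clear />
            <add fileExtension=".jpg" allowed="true" />
            <add fileExtension=".png" allowed="true" />
            <add fileExtension=".gif" allowed="true" />
            <add fileExtension=".pdf" allowed="true" />
          </fileExtensions>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Request filtering only looks at the extension in the requested URL, so the upload code should still control the file name and extension it writes to disk.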