
Deny code execution IIS7 with web.config

I want to block users from running specific extensions in an upload folder (/assets/public/) of a web application. Users can upload image files, which are also resized during the upload. But for more security I want to deny scripts like aspx, asp, php...

I currently have code which blocks every extension, but I want to allow extensions like .jpg:

<location path="assets/public">
    <system.web>
        <authorization>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>
<system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>

Also, users do not have FTP access and the application is pre-compiled.


Try

<httpModules>
    <clear />
</httpModules>

or

<location path="." inheritInChildApplications="false">
</location>


Here is how I solved this with global.asax and routing. Just added these rules:

routes.MapPageRoute("any", "assets/public/{file}.{ext}", "~/e/404.aspx");
routes.MapPageRoute("any-sub","assets/public/{sub}/{file}.{ext}","~/e/404.aspx");

routes.Ignore("{any}.jpg");
routes.Ignore("{any}.png");
routes.Ignore("{any}.gif");
routes.Ignore("{any}.pdf");
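
An added example, not taken from any of the posts above: the allowlist the question asks for, written with IIS 7 request filtering scoped to the upload folder. It assumes the Request Filtering feature is installed and that the requestFiltering and handlers sections are unlocked for use in web.config; the extension list is the one from the routing answer.

```xml
<!-- Added example: root web.config fragment. Assumes the IIS Request Filtering
     feature is installed and both sections are unlocked for web.config use. -->
<configuration>
  <location path="assets/public">
    <system.webServer>
      <security>
        <requestFiltering>
          <!-- Allowlist: any extension not listed here is rejected by IIS
               (HTTP 404.7) before a handler is chosen. -->
          <fileExtensions allowUnlisted="false">
            <add fileExtension=".jpg" allowed="true" />
            <add fileExtension=".png" allowed="true" />
            <add fileExtension=".gif" allowed="true" />
            <add fileExtension=".pdf" allowed="true" />
          </fileExtensions>
        </requestFiltering>
      </security>
      <!-- Second layer: grant Read only, so handlers that need Script access
           (aspx, asp, php) are disabled in this folder. -->
      <handlers accessPolicy="Read" />
    </system.webServer>
  </location>
</configuration>
```

Extensions are matched as listed, so add .jpeg separately if the upload code accepts it.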