I'm modifying an .aspx page that uses some javascript to download a file based on the value attribute in this tag:
<input type="hidden" id="launchDocument" value="pdf/<%=Settings.LaunchDocument%>" />
That value is currently hard-coded into the Web.config file. The client wants this page to now be a download page for their archived newsletters. My thoughts were to have the page pull in the filename from the query string so the sending page could define what file is being downloaded:
<input type="hidden" id="launchDocument" value="../pdf/<%=Request.QueryString["filename"]%>" />
But, I'm concerned whether there is any security risk to this method. If there is, what are the best practices for checking the query string's value to make sure it's a valid .pdf filename before adding it to the page?
Thanks in advance for any help!
Why does the actual file name need to be there? Create a table that associates a filename with a guid and pass that around.
When it comes time to download, transfer to a script that loads and spits the file back.
Use the forum search and you find this:
Regular expressions in C# for file name validation
You could create an HTTP handler to watch for these requests, and in the handler check if the file exists, and if it doesn't, redirect to an appropriate error page...
- Do not use file extensions in the <input> field.
- Always append .PDF to the path supplied by the input.
- Expand the relative path to an absolute path.
- Validate the absolute path (check that it's in the PDF download dir).
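A worked implementation of the four steps above, combined with the HTTP-handler idea from the previous answer (check the resolved file exists, otherwise return an error), written as an added example rather than code from this thread. The handler path Download.ashx, the ~/pdf folder, and the names PdfDownloadPath, Resolve and PdfDownloadHandler are my own assumptions.

```csharp
using System;
using System.IO;
using System.Web;

public static class PdfDownloadPath
{
    // Turns a client-supplied newsletter name into an absolute path inside
    // pdfDir, or returns null when the request must be rejected.
    // pdfDir is the single directory downloads may come from.
    public static string Resolve(string pdfDir, string requested)
    {
        if (string.IsNullOrWhiteSpace(requested))
            return null;

        // Step 1: ignore any extension (and any directory part) the client
        // sent; only the bare file name is used and we choose the extension.
        string name = Path.GetFileNameWithoutExtension(requested);

        // Reject anything that is not a plain file name: separators, "..",
        // NUL bytes and other characters the platform forbids in names.
        if (name.Length == 0 ||
            name.IndexOf("..", StringComparison.Ordinal) >= 0 ||
            name.IndexOfAny(new[] { '/', '\\' }) >= 0 ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 ||
            name.Trim() != name || name.EndsWith("."))
            return null;

        try
        {
            // Step 2: always append .pdf ourselves.
            string candidate = Path.Combine(pdfDir, name + ".pdf");

            // Step 3: expand both the base directory and the candidate to
            // absolute, normalised paths (".." and "." segments resolved).
            string baseFull = Path.GetFullPath(pdfDir)
                .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
            string full = Path.GetFullPath(candidate);

            // Step 4: the result must still lie inside the PDF directory.
            // The trailing separator on baseFull stops a sibling directory
            // such as "pdf2" from passing the prefix check.
            if (!full.StartsWith(baseFull, StringComparison.OrdinalIgnoreCase))
                return null;

            return full;
        }
        catch (ArgumentException)  { return null; }  // malformed path
        catch (PathTooLongException) { return null; }
        catch (NotSupportedException) { return null; }
    }
}

// Serves /Download.ashx?filename=<newsletter name> (hypothetical route).
// The page only needs to link to this URL; no file path is embedded in it.
public class PdfDownloadHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string pdfDir = context.Server.MapPath("~/pdf");
        string full = PdfDownloadPath.Resolve(pdfDir, context.Request.QueryString["filename"]);

        // Unknown, malformed or out-of-directory names all get the same answer.
        if (full == null || !File.Exists(full))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/pdf";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(full) + "\"");
        context.Response.TransmitFile(full);
    }
}
```

With this in place a request for filename=march-2011 resolves to ~/pdf/march-2011.pdf, while filename=../../Web.config is reduced to the bare name "Web", becomes ~/pdf/Web.pdf, and simply fails the File.Exists check; nothing outside ~/pdf can be reached because the prefix check in step 4 runs on the fully expanded path, not on the string the client sent.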