Is there ANY way a website visitor can see the contents of an aspx.cs file? Just curious to know what all loopholes, breaks or whatever are there.
You could inadvertently create a loophole. For example if you have a page or handler somewhere that blindly streams documents to the client. I've seen people implement something like this:
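    using System.Web;

    // Deliberately unsafe: the "file" parameter is mapped to a physical path
    // and streamed back without any validation.
    public class Download : IHttpHandler {
        public void ProcessRequest (HttpContext context)
        {
            context.Response.WriteFile( context.Server.MapPath( context.Request.Params["file"] ) );
        }
        public bool IsReusable { get { return false; } }
    }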
Invoking this (e.g. download.ashx?file=web.config) will stream any file in your site to the client.
Depending on the security settings for the site (and server) I think it's even possible to disable the default handlers that protect your source code and config files by clearing the handlers section in web.config and adding some more permissive handlers.
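A hardened counterpart to the download handler in the answer above, as an added example that is not part of the original answers: it accepts only a bare file name with an allow-listed extension and confirms the canonical path stays inside one download folder. The class name SafeDownload, the ~/App_Data/downloads folder and the extension list are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

// Added example: hardened counterpart of the Download handler above.
// Assumptions: downloadable files live in ~/App_Data/downloads and only
// the listed extensions are ever served (all of these names are hypothetical).
public class SafeDownload : IHttpHandler
{
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".pdf", ".png", ".txt" };

    public void ProcessRequest(HttpContext context)
    {
        string requested = context.Request.QueryString["file"];
        string root = Path.GetFullPath(context.Server.MapPath("~/App_Data/downloads"));
        string fullPath;
        if (!TryResolve(root, requested, out fullPath) || !File.Exists(fullPath))
        {
            // Same response for "missing" and "not allowed", so the handler
            // does not reveal which files exist outside the download root.
            context.Response.StatusCode = 404;
            return;
        }
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fullPath) + "\"");
        context.Response.TransmitFile(fullPath);
    }

    // Resolves a bare file name under root; rejects everything else.
    internal static bool TryResolve(string root, string requested, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(requested)) return false;
        // Rejects separators, drive colons, quotes and wildcards, so no sub-paths get through.
        if (requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return false;
        if (!AllowedExtensions.Contains(Path.GetExtension(requested))) return false;
        // Canonicalise, then confirm the result is still inside the download root.
        string candidate = Path.GetFullPath(Path.Combine(root, requested));
        string prefix = root.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        if (!candidate.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return false;
        fullPath = candidate;
        return true;
    }

    public bool IsReusable { get { return false; } }
}
```

With this handler, a request for file=web.config fails the extension check and a request for file=..\web.config fails the file-name check, so both get the same 404 as a file that does not exist.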
No, there isn't, unless you have access to the source control repository where those files are stored or a poorly configured web server.
Actually it is good practice to precompile your web applications and never deploy source code files so they shouldn't even exist on the web server.
Not if your server is secure, but as @Darin says, it's a good idea to precompile your web apps.
There is no such possibility, because the browser just gets HTML, as all the code is executed on the server. That is the case in all dynamic page engines (PHP, JSP, ...).
Like my predecessors mentioned, there is no possibility to view code if it hasn't been exposed somehow.
If you are really afraid of your code, you can obfuscate it, then precompile to DLLs (non-obfuscated code can be easily extracted to C# code). Also make sure the FTP access is not poorly configured.
Marnix's point is a very important one--it's the classic source sniffing hole on a lot of PHP apps. In shared hosting scenarios, there also exists a potential for other users on the server to sniff at your files, but this is pretty well eliminated if your shared host is running in medium or low trust.
The other big potential hole is if someone were to, say, uninstall ASP.NET on the server. Then, depending on IIS version, it could serve .cs (and .aspx) files as plain text after the script mappings have been removed.