-
Dec 5th, 2008, 05:31 PM
#1
[2005] Downloading files from web page
We are developing a WINFORM APP that runs on the intranet and manages document files (.DOC's and .PDF's). This WINFORM APP uses MS SQL 2005 to track the cases and file names - but actually copies the files to a file server in the background.
Now - the question.
We will have translators log into a webpage to download documents that have been assigned to them to translate.
Do we have to physically move the files to a "folder" in the virtual directory for the download - or is there any other method or trick we can use to get the files from the file server (which is inside the network)?
-
Dec 8th, 2008, 03:32 PM
#2
Re: [2005] Downloading files from web page
The web application that the translators use must sit on a server that can see the server which houses the files. You will use Response.WriteFile() to copy the file from its location to the translator's computer and this in turn means that the ASP.NET worker process needs permissions to be able to get the files from the source share.
In other words, ensure that the files are in a place that is visible from the web server. In a network share (UNC path).
-
Dec 8th, 2008, 03:45 PM
#3
Re: [2005] Downloading files from web page
The web server will be outside the DMZ - or at least have port 80 open - and the ASP.net code running on it can still see shares on the network. This makes sense.
And this poses no security risk at all - right?
-
Dec 9th, 2008, 02:50 AM
#4
Re: [2005] Downloading files from web page
The security risk lies with you. You could be tempted to, for example, create a download.aspx page which accepts a file name as a parameter.
/download.aspx?filename=c:\path\blah\abc.pdf
And then get the code to Response.WriteFile(Request.QueryString("filename"))
That is a security risk because an enterprising user can simply change it to point to your config file or any other sensitive file on the server and get it.
You might then simply 'hardcode' the folder path and do something like
/download.aspx?filename=abc.pdf
where download.aspx always assumes this is c:\path\blah, but then there's the risk of a user guessing a filename and obtaining a file that he shouldn't be looking at.
Or you could associate each file name with a GUID: it's the GUID that the page reads, queries and uses to determine which file to retrieve.
Making sense?
-
Dec 9th, 2008, 06:43 AM
#5
Re: [2005] Downloading files from web page
Originally Posted by mendhak
/download.aspx?filename=c:\path\blah\abc.pdf
How did you know we were doing that
Actually - you need a URLEncode to make that work
(we were only doing it that way as a prototype to see proof-of-concept!)
As this app matures along with the winform & db tracking the files we will have each filename loaded into a tracking table - so I guess it's time to make sure we have at least an IDENTITY value associated with the file. I guess even that's problematic - as that enterprising user could just start slotting in any value and getting random files from the server.
Did you suggest a GUID as a way to make that less possible?
btw - while I got you on this subject....
We are also UPLOADING files. How do you make sure that the network virus protection scans a file that is uploaded to a server? We obviously cannot guarantee that a translator is going to have a clean box that is not infecting files they are trying to pass back to us...
-
Dec 11th, 2008, 02:36 AM
#6
Re: [2005] Downloading files from web page
Yeah, I figured a GUID would be a good way to make it less probable for a user to guess another URL. That'll (for your intents and purposes) eliminate the user-guessing problem. If you want to stick to IDs, though, then you'll have to add extra 'checks' in your code. For example, if you associate certain roles with having permissions on certain files, then in that handler is where you would perform the check before throwing an error or throwing the file.
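An added example of the approach described in posts #4 and #6, written for this edit and not code from the thread: a VB.NET IHttpHandler (ASP.NET 2.0) that accepts only an opaque GUID, looks it up in the tracking table restricted to the logged-in translator, and verifies the resolved path still lies inside the share before calling Response.WriteFile. The table layout (Documents with DocumentId, StoredPath, OriginalName, TranslatorLogin), the connection-string name "CaseDb" and the UNC path are assumptions.

```vb
' Added example, not from the original thread. Assumes a tracking table
' Documents(DocumentId uniqueidentifier, StoredPath nvarchar, OriginalName nvarchar,
' TranslatorLogin nvarchar) and a connection string named "CaseDb" in web.config.
Imports System
Imports System.Configuration
Imports System.Data.SqlClient
Imports System.IO
Imports System.Web

Public Class SecureDownloadHandler
    Implements IHttpHandler

    ' Root of the share the ASP.NET worker process account may read (assumed UNC path).
    ' Nothing outside this directory is ever served, whatever the database says.
    Private Shared ReadOnly DocumentRoot As String = "\\fileserver\docs\"

    Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property

    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
        ' 1. The URL carries only a GUID (/download.ashx?id=...), never a path or file name.
        Dim id As Guid
        If Not TryParseGuid(context.Request.QueryString("id"), id) Then
            context.Response.StatusCode = 400
            Return
        End If

        ' 2. Resolve the GUID through the tracking table, restricted to the current user.
        '    A row comes back only if this file was assigned to this translator, which is
        '    the per-file permission check post #6 describes.
        Dim storedPath As String = Nothing
        Dim originalName As String = Nothing
        Using cn As New SqlConnection(ConfigurationManager.ConnectionStrings("CaseDb").ConnectionString)
            Using cmd As New SqlCommand("SELECT StoredPath, OriginalName FROM Documents " & _
                                        "WHERE DocumentId = @id AND TranslatorLogin = @user", cn)
                cmd.Parameters.AddWithValue("@id", id)
                cmd.Parameters.AddWithValue("@user", context.User.Identity.Name)
                cn.Open()
                Using rdr As SqlDataReader = cmd.ExecuteReader()
                    If rdr.Read() Then
                        storedPath = rdr.GetString(0)
                        originalName = rdr.GetString(1)
                    End If
                End Using
            End Using
        End Using

        If storedPath Is Nothing Then
            ' Same answer for "no such GUID" and "not your file": don't confirm which GUIDs exist.
            context.Response.StatusCode = 404
            Return
        End If

        ' 3. Defence in depth: even a tampered database row must resolve inside the share.
        Dim fullPath As String = Path.GetFullPath(Path.Combine(DocumentRoot, storedPath))
        If Not fullPath.StartsWith(DocumentRoot, StringComparison.OrdinalIgnoreCase) Then
            context.Response.StatusCode = 404
            Return
        End If

        ' 4. Stream the file. The download name comes from the table, not from the URL.
        context.Response.ContentType = "application/octet-stream"
        context.Response.AddHeader("Content-Disposition", _
            "attachment; filename=""" & Path.GetFileName(originalName) & """")
        context.Response.WriteFile(fullPath)
    End Sub

    ' .NET 2.0 has no Guid.TryParse, so the constructor's FormatException is caught instead.
    Private Shared Function TryParseGuid(ByVal text As String, ByRef value As Guid) As Boolean
        If String.IsNullOrEmpty(text) Then Return False
        Try
            value = New Guid(text)
            Return True
        Catch ex As FormatException
            Return False
        End Try
    End Function
End Class
```

Register the class as download.ashx (or under httpHandlers in web.config) and put the site behind Forms or Windows authentication so context.User.Identity.Name is populated. The GUID makes URLs impractical to guess; the WHERE clause on TranslatorLogin is what actually stops one translator fetching another's assignment, so keep both even if the IDs were sequential.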
-
Dec 11th, 2008, 02:37 AM
#7
Re: [2005] Downloading files from web page
Find out what AV software the server has, then find out if it has an API that you can invoke. Some AV software has the ability to scan a file upon 'creation', which would mean you needn't do anything. Other AV software doesn't (or has it disabled), which means you need to find the API to use or, if that doesn't exist, a command line interface to run from your application, passing it the file path as a parameter. Or you can have a scheduled task that gets the AV to run every x minutes to scan the folder.
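An added example of the command-line route from post #7, written for this edit rather than taken from the thread: uploads are written to a quarantine folder outside the web root under a generated name, handed to the scanner's CLI, and moved to the document share only on a clean result. The scanner path, its argument form and the convention "exit code 0 means clean" are placeholders for whatever the server's AV product actually provides, and the folder paths are assumptions.

```vb
' Added example, not from the original thread. The scanner executable, its arguments and
' the "exit code 0 = clean" convention are assumptions; check the AV vendor's documentation.
Imports System
Imports System.Diagnostics
Imports System.IO
Imports System.Web

Public Class UploadScanner
    Private Shared ReadOnly QuarantineDir As String = "D:\Quarantine\"            ' assumed, outside the web root
    Private Shared ReadOnly DocumentRoot As String = "\\fileserver\docs\"         ' assumed UNC share
    Private Shared ReadOnly ScannerExe As String = "C:\Program Files\AV\scan.exe" ' assumed CLI scanner
    Private Shared ReadOnly AllowedExtensions() As String = {".doc", ".pdf"}

    ' Returns the path the clean file was stored under, or Nothing if it was rejected.
    Public Shared Function AcceptUpload(ByVal posted As HttpPostedFile) As String
        Dim ext As String = Path.GetExtension(posted.FileName).ToLowerInvariant()
        If Array.IndexOf(AllowedExtensions, ext) < 0 Then Return Nothing

        ' Never trust the client's file name: store under a fresh GUID and keep only the extension.
        Dim storedName As String = Guid.NewGuid().ToString("N") & ext
        Dim quarantinePath As String = Path.Combine(QuarantineDir, storedName)
        posted.SaveAs(quarantinePath)

        If Not ScanIsClean(quarantinePath) Then
            File.Delete(quarantinePath)
            Return Nothing
        End If

        ' Only a file that passed the scan ever reaches the share the WinForm app reads.
        Dim finalPath As String = Path.Combine(DocumentRoot, storedName)
        File.Move(quarantinePath, finalPath)
        Return finalPath
    End Function

    Private Shared Function ScanIsClean(ByVal filePath As String) As Boolean
        ' Path is passed as a quoted argument, not through a shell, so no command injection.
        Dim psi As New ProcessStartInfo(ScannerExe, """" & filePath & """")
        psi.UseShellExecute = False
        psi.CreateNoWindow = True
        Using p As Process = Process.Start(psi)
            ' Bound the wait so a hung scanner cannot pin the worker thread forever.
            If Not p.WaitForExit(120000) Then
                p.Kill()
                Return False   ' a timeout is "not proven clean", so the file is rejected
            End If
            Return p.ExitCode = 0
        End Using
    End Function
End Class
```

The quarantine folder should be readable and writable by the worker process account only, and the on-access scanner (if the product has one) should still be left on for that folder; the explicit scan is there for the case post #7 describes, where on-access scanning is absent or disabled.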