Securing uploaded documents

 
 
Dooza
05-13-2010
On 13/05/2010 13:00, Bwig Zomberi wrote:
> Dan wrote:
>>
>> "Bwig Zomberi" <(E-Mail Removed)> wrote in message
>> news:hsgc15$adl$(E-Mail Removed)...
>>> Dan wrote:
>>>>
>>>> "Dean g" <(E-Mail Removed)> wrote in message
>>>> news:(E-Mail Removed)...
>>>>>
>>>>> Thanks for the help Bwig
>>>>
>>>> Just a note though - if the file is large, you may have to send it out
>>>> in chunks instead of all in one go. If you Google for "ado stream
>>>> binarywrite" you'll find plenty of examples of how to do this in ASP.
>>>>
>>>
>>> Dan, I wanted to implement something like this. However, for very
>>> large file downloads and slow user connections, the script will have
>>> to be running for a long time. IIS will kill any request after some
>>> time. Do you or anyone else know how to avoid that?

>>
>> Look at documentation for the Server.ScriptTimeout property
>>

>
> No, Dan. There is a limit for that too. Imagine a 700 MB ISO file and
> the user is on dialup. It will take several hours. IIS will kill the
> request.


Surely a protocol designed for larger files would be more appropriate?
Like FTP maybe?

Dooza
 
Dan
05-13-2010

"Bwig Zomberi" <(E-Mail Removed)> wrote in message
news:hsgphs$uka$(E-Mail Removed)...
> Dan wrote:
>>
>> "Bwig Zomberi" <(E-Mail Removed)> wrote in message
>> news:hsgc15$adl$(E-Mail Removed)...
>>> Dan wrote:
>>>>
>>>> "Dean g" <(E-Mail Removed)> wrote in message
>>>> news:(E-Mail Removed)...
>>>>>
>>>>> Thanks for the help Bwig
>>>>
>>>> Just a note though - if the file is large, you may have to send it out
>>>> in chunks instead of all in one go. If you Google for "ado stream
>>>> binarywrite" you'll find plenty of examples of how to do this in ASP.
>>>>
>>>
>>> Dan, I wanted to implement something like this. However, for very
>>> large file downloads and slow user connections, the script will have
>>> to be running for a long time. IIS will kill any request after some
>>> time. Do you or anyone else know how to avoid that?

>>
>> Look at documentation for the Server.ScriptTimeout property
>>

>
> No, Dan. There is a limit for that too. Imagine a 700 MB ISO file and the
> user is on dialup. It will take several hours. IIS will kill the request.


In that case, don't do it.

As Dooza points out, FTP is more appropriate for something like this.

Any application you build will have limits - you just have to figure out
what is feasible and use alternate means for anything that falls outside of
the parameters you come up with.

--
Dan

 
Bwig Zomberi
05-13-2010
Dooza wrote:
> On 13/05/2010 13:00, Bwig Zomberi wrote:
>> Dan wrote:
>>>
>>> "Bwig Zomberi" <(E-Mail Removed)> wrote in message
>>> news:hsgc15$adl$(E-Mail Removed)...
>>>> Dan wrote:
>>>>>
>>>>> "Dean g" <(E-Mail Removed)> wrote in message
>>>>> news:(E-Mail Removed)...
>>>>>>
>>>>>> Thanks for the help Bwig
>>>>>
>>>>> Just a note though - if the file is large, you may have to send it out
>>>>> in chunks instead of all in one go. If you Google for "ado stream
>>>>> binarywrite" you'll find plenty of examples of how to do this in ASP.
>>>>>
>>>>
>>>> Dan, I wanted to implement something like this. However, for very
>>>> large file downloads and slow user connections, the script will have
>>>> to be running for a long time. IIS will kill any request after some
>>>> time. Do you or anyone else know how to avoid that?
>>>
>>> Look at documentation for the Server.ScriptTimeout property
>>>

>>
>> No, Dan. There is a limit for that too. Imagine a 700 MB ISO file and
>> the user is on dialup. It will take several hours. IIS will kill the
>> request.

>
> Surely a protocol designed for larger files would be more appropriate?
> Like FTP maybe?
>


FTP sends passwords unencrypted. SFTP is not available on all hosting
servers.


--
Bwig Zomberi
 
Dan
05-13-2010

"Bwig Zomberi" <(E-Mail Removed)> wrote in message
news:hsgrhk$1qi$(E-Mail Removed)...
> Dooza wrote:
>> On 13/05/2010 13:00, Bwig Zomberi wrote:
>>> Dan wrote:
>>>>
>>>> "Bwig Zomberi" <(E-Mail Removed)> wrote in message
>>>> news:hsgc15$adl$(E-Mail Removed)...
>>>>> Dan wrote:
>>>>>>
>>>>>> "Dean g" <(E-Mail Removed)> wrote in message
>>>>>> news:(E-Mail Removed)...
>>>>>>>
>>>>>>> Thanks for the help Bwig
>>>>>>
>>>>>> Just a note though - if the file is large, you may have to send it
>>>>>> out
>>>>>> in chunks instead of all in one go. If you Google for "ado stream
>>>>>> binarywrite" you'll find plenty of examples of how to do this in ASP.
>>>>>>
>>>>>
>>>>> Dan, I wanted to implement something like this. However, for very
>>>>> large file downloads and slow user connections, the script will have
>>>>> to be running for a long time. IIS will kill any request after some
>>>>> time. Do you or anyone else know how to avoid that?
>>>>
>>>> Look at documentation for the Server.ScriptTimeout property
>>>>
>>>
>>> No, Dan. There is a limit for that too. Imagine a 700 MB ISO file and
>>> the user is on dialup. It will take several hours. IIS will kill the
>>> request.

>>
>> Surely a protocol designed for larger files would be more appropriate?
>> Like FTP maybe?
>>

>
> FTP sends passwords unencrypted. SFTP is not available on all hosting
> servers.


Either use anonymous FTP (if the files were going on a web site without
authentication), or use a custom FTP system with a short term unique ID in
the filename request to authenticate against an existing request via the
authenticated web application. Or come up with some other custom
authentication scheme.

Hosting large files on a standard public hosting package is obviously not an
appropriate use of said hosting. In many cases it'll likely be a violation
of the hosting T&C anyway. If you have a VPS or dedicated server then you
have a lot more flexibility and should be able to set up SFTP, FTP+SSL, or
any of a number of options for hardening FTP (or any other
application/protocol designed for handling large files).

If you're going to pick holes in every suggestion provided we're going to be
here indefinitely.

--
Dan

 
Bwig Zomberi
05-13-2010
Dan wrote:
>
> "Bwig Zomberi" <(E-Mail Removed)> wrote in message
> news:hsgrhk$1qi$(E-Mail Removed)...
>> Dooza wrote:
>>> On 13/05/2010 13:00, Bwig Zomberi wrote:
>>>> Dan wrote:
>>>>>
>>>>> "Bwig Zomberi" <(E-Mail Removed)> wrote in message
>>>>> news:hsgc15$adl$(E-Mail Removed)...
>>>>>> Dan wrote:
>>>>>>>
>>>>>>> "Dean g" <(E-Mail Removed)> wrote in message
>>>>>>> news:(E-Mail Removed)...
>>>>>>>>
>>>>>>>> Thanks for the help Bwig
>>>>>>>
>>>>>>> Just a note though - if the file is large, you may have to send
>>>>>>> it out
>>>>>>> in chunks instead of all in one go. If you Google for "ado stream
>>>>>>> binarywrite" you'll find plenty of examples of how to do this in
>>>>>>> ASP.
>>>>>>>
>>>>>>
>>>>>> Dan, I wanted to implement something like this. However, for very
>>>>>> large file downloads and slow user connections, the script will have
>>>>>> to be running for a long time. IIS will kill any request after some
>>>>>> time. Do you or anyone else know how to avoid that?
>>>>>
>>>>> Look at documentation for the Server.ScriptTimeout property
>>>>>
>>>>
>>>> No, Dan. There is a limit for that too. Imagine a 700 MB ISO file and
>>>> the user is on dialup. It will take several hours. IIS will kill the
>>>> request.
>>>
>>> Surely a protocol designed for larger files would be more appropriate?
>>> Like FTP maybe?
>>>

>>
>> FTP sends passwords unencrypted. SFTP is not available on all hosting
>> servers.

>
> Either use anonymous FTP (if the files were going on a web site without
> authentication), or use a custom FTP system with a short term unique ID
> in the filename request to authenticate against an existing request via
> the authenticated web application. Or come up with some other custom
> authentication scheme.
>
> Hosting large files on a standard public hosting package is obviously
> not an appropriate use of said hosting. In many cases it'll likely be a
> violation of the hosting T&C anyway. If you have a VPS or dedicated
> server then you have a lot more flexibility and should be able to set up
> SFTP, FTP+SSL, or any of a number of options for hardening FTP (or any
> other application/protocol designed for handling large files).
>
> If you're going to pick holes in every suggestion provided we're going
> to be here indefinitely
>


I just needed a second opinion that I have done everything that can be
done with a script. I am not picking holes. I had already tried
everything you had suggested when I was faced with the same problem as the
OP. I provided the solution to the OP based on that experience.

The files I handle are less than 70 MB and they are on a shared hosting
server. However, I did not go for the ASP download solution because of
slow downloaders. Currently, HTTP folder passwords are used. This is
also unsatisfactory; credentials are sent as plain text.


--
Bwig Zomberi
 
Dan
05-14-2010

"Bwig Zomberi" <(E-Mail Removed)> wrote in message
news:hshdse$ufq$(E-Mail Removed)...
> Dan wrote:
>>
>> "Bwig Zomberi" <(E-Mail Removed)> wrote in message
>> news:hsgrhk$1qi$(E-Mail Removed)...
>>> Dooza wrote:
>>>> On 13/05/2010 13:00, Bwig Zomberi wrote:
>>>>> Dan wrote:
>>>>>>
>>>>>> "Bwig Zomberi" <(E-Mail Removed)> wrote in message
>>>>>> news:hsgc15$adl$(E-Mail Removed)...
>>>>>>> Dan wrote:
>>>>>>>>
>>>>>>>> "Dean g" <(E-Mail Removed)> wrote in message
>>>>>>>> news:(E-Mail Removed)...
>>>>>>>>>
>>>>>>>>> Thanks for the help Bwig
>>>>>>>>
>>>>>>>> Just a note though - if the file is large, you may have to send
>>>>>>>> it out
>>>>>>>> in chunks instead of all in one go. If you Google for "ado stream
>>>>>>>> binarywrite" you'll find plenty of examples of how to do this in
>>>>>>>> ASP.
>>>>>>>>
>>>>>>>
>>>>>>> Dan, I wanted to implement something like this. However, for very
>>>>>>> large file downloads and slow user connections, the script will have
>>>>>>> to be running for a long time. IIS will kill any request after some
>>>>>>> time. Do you or anyone else know how to avoid that?
>>>>>>
>>>>>> Look at documentation for the Server.ScriptTimeout property
>>>>>>
>>>>>
>>>>> No, Dan. There is a limit for that too. Imagine a 700 MB ISO file and
>>>>> the user is on dialup. It will take several hours. IIS will kill the
>>>>> request.
>>>>
>>>> Surely a protocol designed for larger files would be more appropriate?
>>>> Like FTP maybe?
>>>>
>>>
>>> FTP sends passwords unencrypted. SFTP is not available on all hosting
>>> servers.

>>
>> Either use anonymous FTP (if the files were going on a web site without
>> authentication), or use a custom FTP system with a short term unique ID
>> in the filename request to authenticate against an existing request via
>> the authenticated web application. Or come up with some other custom
>> authentication scheme.
>>
>> Hosting large files on a standard public hosting package is obviously
>> not an appropriate use of said hosting. In many cases it'll likely be a
>> violation of the hosting T&C anyway. If you have a VPS or dedicated
>> server then you have a lot more flexibility and should be able to set up
>> SFTP, FTP+SSL, or any of a number of options for hardening FTP (or any
>> other application/protocol designed for handling large files).
>>
>> If you're going to pick holes in every suggestion provided we're going
>> to be here indefinitely
>>

>
> I just needed a second opinion that I have done everything that can be
> done with a script. I am not picking holes. I had already tried everything
> you had suggested when I was faced with the same problem as the OP. I provided
> the solution to the OP based on that experience.
>
> The files I handle are less than 70 MB and they are on a shared hosting
> server. However, I did not go for the ASP download solution because of
> slow downloaders. Currently, HTTP folder passwords are used. This is also
> unsatisfactory; credentials are sent as plain text.
>


For the latter issue, you will either need to look into SSL (which is often
difficult with shared hosting as it requires a dedicated IP address for the
site, or a SAN certificate covering all required virtual servers on a single
IP), or NTLM/Integrated Authentication (which IIRC doesn't work if there are
proxy servers involved between the browser and server).

--
Dan

 
Dean g
05-17-2010
Hey guys,
I have a new problem hopefully you can help with. Do you know
how to detect the MIME type of the file on the server? Some of
my PDF files aren't getting recognized as PDFs and filling
the page with garbage.

I think I need to determine the appropriate MIME type from
binary data, but don't really have a clue where to start.



*** Sent via Developersdex http://www.developersdex.com ***
 
Bwig Zomberi
05-18-2010
Dean g wrote:
> Hey guys,
> I have a new problem hopefully you can help with. Do you know
> how to detect the MIME type of the file on the server? Some of
> my PDF files aren't getting recognized as PDFs and filling
> the page with garbage.
>
> I think I need to determine the appropriate MIME type from
> binary data, but don't really have a clue where to start.



Check the extension of the file. If it is "PDF" or "pdf", then set the
MIME type to "application/pdf".

Response.ContentType = "application/pdf"

A list of popular MIME types:
http://msdn.microsoft.com/en-us/libr...nown_MimeTypes

For unknown MIME types, I think you need to use "application/octet-stream".




--
Bwig Zomberi
 
Dan
05-18-2010

"Bwig Zomberi" <(E-Mail Removed)> wrote in message
news:hst5av$9sq$(E-Mail Removed)...
> Dean g wrote:
>> Hey guys,
>> I have a new problem hopefully you can help with. Do you know
>> how to detect the MIME type of the file on the server? Some of
>> my PDF files aren't getting recognized as PDFs and filling
>> the page with garbage.
>>
>> I think I need to determine the appropriate MIME type from
>> binary data, but don't really have a clue where to start.

>
>
> Check the extension of the file. If it is "PDF" or "pdf", then set the
> MIME type to "application/pdf".
>
> Response.ContentType = "application/pdf"
>
> A list of popular MIME types:
> http://msdn.microsoft.com/en-us/libr...nown_MimeTypes
>
> For unknown MIME types, I think you need to use "application/octet-stream".



This is probably the best solution. IE7 and higher do have "MIME sniffing"
too which will attempt to determine the real MIME type from the file header,
but this seems to fail from time to time.

--
Dan

 
Dean g
05-18-2010
I already check the ext, Bwig; the problem is they are not necessarily
genuine PDFs. I've been searching for MIME
sniffing code like you suggested, Dan, but so far can only find
resources for .NET.



*** Sent via Developersdex http://www.developersdex.com ***
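
Added example, not code from any poster in this thread: one way to do the server-side check asked about above in classic ASP (VBScript), reading a file's leading bytes with ADODB.Stream and comparing them with known file signatures instead of trusting the extension. The function names, the short signature list and the /protected/report.pdf path are assumptions made for illustration.

```vbscript
' Added example (not from the thread); names and the sample path are assumptions.
Const adTypeBinary = 1

' Return up to "count" leading bytes of a file (Null when the file is empty).
' LoadFromFile reads the whole file, so sniff once at upload time if files are large.
Function ReadHeader(path, count)
    Dim stm
    Set stm = Server.CreateObject("ADODB.Stream")
    stm.Type = adTypeBinary
    stm.Open
    stm.LoadFromFile path
    ReadHeader = stm.Read(count)
    stm.Close
    Set stm = Nothing
End Function

' True when the byte array begins with the signature given as hex digits.
Function StartsWith(bytes, hexSig)
    Dim i, n
    StartsWith = False
    If IsNull(bytes) Then Exit Function
    n = Len(hexSig) \ 2
    If LenB(bytes) < n Then Exit Function
    For i = 1 To n
        If AscB(MidB(bytes, i, 1)) <> CLng("&H" & Mid(hexSig, 2 * i - 1, 2)) Then Exit Function
    Next
    StartsWith = True
End Function

' Map a few well-known signatures to a MIME type; default to opaque binary.
Function SniffMimeType(path)
    Dim head
    head = ReadHeader(path, 8)
    If StartsWith(head, "255044462D") Then            ' "%PDF-"
        SniffMimeType = "application/pdf"
    ElseIf StartsWith(head, "89504E470D0A1A0A") Then  ' PNG
        SniffMimeType = "image/png"
    ElseIf StartsWith(head, "FFD8FF") Then            ' JPEG
        SniffMimeType = "image/jpeg"
    Else
        SniffMimeType = "application/octet-stream"
    End If
End Function

Dim mimeType
mimeType = SniffMimeType(Server.MapPath("/protected/report.pdf")) ' hypothetical path
Response.ContentType = mimeType
' Ask browsers that honour this header not to second-guess the declared type.
Response.AddHeader "X-Content-Type-Options", "nosniff"
' Content that matched no signature is offered as a download, never rendered inline.
If mimeType = "application/octet-stream" Then Response.AddHeader "Content-Disposition", "attachment"
```

The file body is then written with Response.BinaryWrite as discussed earlier in the thread; a file named .pdf that does not start with the PDF signature is served as a download rather than filling the page.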
 