Securing uploaded documents

 
 
Dan
 
      05-18-2010

"Dean g" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I already check the ext bwig, the problem is they are not necessarily
> genuine pdf's. I've been searching for mime
> sniffing code like u suggested Dan, but so far can only find
> resources for .net


Just set it to application/octet-stream as Bwig suggested, then the browser
can deal with it as it sees fit.

Trying to roll your own MIME sniffing code in ASP is going to be a mess -
without a COM component that you can program against to do it for you it's
not worth even starting. The MIME sniffing I was referring to is already in
IE7 and IE8, they will attempt to determine the appropriate application to
open a file that is downloaded.

--
Dan

 
Bwig Zomberi
 
      05-18-2010
Dean g wrote:
> I already check the ext bwig, the problem is they are not necessarily
> genuine pdf's. I've been searching for mime
> sniffing code like u suggested Dan, but so far can only find
> resources for .net



That will be very expensive in terms of server resources. It will not be
scalable.


--
Bwig Zomberi
 
Dean g
 
      06-02-2010
Damn, 2 out of 3 problems solved is still good.

Thanks for the help guys, I just wish I knew why half the PDF
files display garbage on the screen even though they are
genuine PDFs. I guess that's a question for another group
though.

regards,
Dean



Bwig Zomberi
 
      06-02-2010
Dean g wrote:
> Damn, 2 out of 3 problems solved is still good.
>
> Thanks for the help guys, i just wish i knew why half the pdf
> files display garbage on the screen even though they are
> genuine pdf's. i guess thats a question for another group
> though.
>


I had this problem with Opera. In a newer version, it got solved.

Just ensure that you set the content type properly on the server-side
and you are not writing anything other than what is in the PDF to the
browser. Be sure that the entire ASP code is between one set of <%
and %>. Do not use nested code. Do not write any HTML or set any cookies.

On the client side, ensure that Adobe Reader is installed properly and
plugins are available for all browsers.

If the problems persist, then it is a problem with the PDFs. You could go
to alt.txt.pdf. However, you will need to host the PDF and provide a
link so they can check it out.


--
Bwig Zomberi
 
Dan
 
      06-02-2010

"Bwig Zomberi" <(E-Mail Removed)> wrote in message
news:hu5ein$4qs$(E-Mail Removed)...
> Dean g wrote:
>> Damn, 2 out of 3 problems solved is still good.
>>
>> Thanks for the help guys, i just wish i knew why half the pdf
>> files display garbage on the screen even though they are
>> genuine pdf's. i guess thats a question for another group
>> though.
>>

>
> I had this problem with Opera. In a newer version, it got solved.
>
> Just ensure that you set the content type properly on the server-side and
> you are not writing anything other than what is in the PDF to the browser.
> To be sure that the entire ASP code is between one set of <% and %>. Do
> not use nested code. Do not write any HTML or set any cookies.
>
> On the client side, ensure that Adobe Reader is installed properly and
> plugins are available for all browsers.
>
> If the problems persist, then it is problem with the PDFs. You could go to
> alt.txt.pdf. However, you will need to host the PDF and provide a link so
> they can check it out.
>
>


The other thing you can do is use Response.Buffer = true, and then prior to
sending the headers clear the buffer first just in case there are any CR/LF
characters from inline ASP above that piece of code. Or just make sure you
always put inline ASP code fully inline, eg.

<%
blah blah
%>
<%
more blah
write headers
write binary data
%>


will actually put a single CR/LF combination before the data, because there
is a CRLF outside of the ASP tags. The same can be written as


<%
blah blah
%><%
more blah
write headers
write binary data
%>

and not insert the CR/LF.

It's also worth checking this wherever you send out a DOCTYPE header in
normal HTML, if the DOCTYPE isn't on the first line of the output then some
browsers will ignore it.

--
Dan

 
Bwig Zomberi
 
      06-03-2010
Dan wrote:
>
> "Bwig Zomberi" <(E-Mail Removed)> wrote in message
> news:hu5ein$4qs$(E-Mail Removed)...
>> Dean g wrote:
>>> Damn, 2 out of 3 problems solved is still good.
>>>
>>> Thanks for the help guys, i just wish i knew why half the pdf
>>> files display garbage on the screen even though they are
>>> genuine pdf's. i guess thats a question for another group
>>> though.
>>>

>>
>> I had this problem with Opera. In a newer version, it got solved.
>>
>> Just ensure that you set the content type properly on the server-side
>> and you are not writing anything other than what is in the PDF to the
>> browser. To be sure that the entire ASP code is between one set of <%
>> and %>. Do not use nested code. Do not write any HTML or set any cookies.
>>
>> On the client side, ensure that Adobe Reader is installed properly and
>> plugins are available for all browsers.
>>
>> If the problems persist, then it is problem with the PDFs. You could
>> go to alt.txt.pdf. However, you will need to host the PDF and provide
>> a link so they can check it out.
>>
>>

>
> The other thing you can do is use Response.Buffer = true, and then prior
> to sending the headers clear the buffer first just in case there are any
> CR/LF characters from inline ASP above that piece of code. Or just make
> sure you always put inline ASP code fully inline, eg.
>
> <%
> blah blah
> %>
> <%
> more blah
> write headers
> write binary data
> %>
>
>
> will actually put a single CR/LF combination before the data, because
> there is a CRLF outside of the ASP tags. The same can be written as
>
>
> <%
> blah blah
> %><%
> more blah
> write headers
> write binary data
> %>
>
> and not insert the CR/LF.
>
> It's also worth checking this wherever you send out a DOCTYPE headers in
> normal HTML, if the DOCTYPE isn't on the first line of the output then
> some browsers will ignore it.
>



I think that if you use two sets of <% and %>, it adds a new line
character, which will totally wreck the PDF. It should be like

<%
clear
buffer
content type
header
binary write
flush
%>

No spaces before or after the delimiters.


--
Bwig Zomberi
 
Evertjan.
 
      06-03-2010
Bwig Zomberi wrote on 03 jun 2010 in
microsoft.public.inetserver.asp.general:

> I think that if you use two sets of <% and %>, it adds a new line
> character, which will totally wreck the PDF. It should be like
>
> <%
> clear
> buffer
> content type
> header
> binary write
> flush
> %>
>
> No spaces before or after the delimiters.


Use:
Response.Clear
....
Response.end

For years now
[last correction date of the inc file 21/5/2005]
I have successfully used this:

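function streamPdf(strFileName)
    ' Discard anything already buffered (stray CR/LF, HTML) before the binary output
    Response.Clear
    ' Map the virtual path to a physical path on disk
    strFilePath = Server.MapPath(strFileName)
    Set objStream = Server.CreateObject("ADODB.Stream")
    objStream.Open
    objStream.Type = 1    ' 1 = adTypeBinary
    objStream.LoadFromFile strFilePath
    Response.ContentType = "application/pdf"
    ' Send the raw bytes of the file
    Response.BinaryWrite objStream.Read
    objStream.Close
    Set objStream = Nothing
    ' Stop processing so nothing else is appended after the PDF data
    Response.End
end function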

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
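
Added example, not part of Evertjan's post or of the thread: a classic ASP download page that combines the advice above (one script block, Response.Clear before the headers, application/octet-stream when the file is not a genuine PDF). The folder UPLOAD_DIR, the query parameter f, the helper names, and the Content-Disposition and X-Content-Type-Options headers are assumptions of this example.

```vbscript
<%
Option Explicit
Response.Buffer = True   ' so Response.Clear can drop stray CR/LF written earlier
Const UPLOAD_DIR = "D:\uploads\"   ' assumption: storage folder outside the web root

' Accept only a bare file name ending in .pdf, so no path or header
' characters can be passed in through the request.
Function IsSafeName(strName)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]+\.pdf$"
    re.IgnoreCase = True
    IsSafeName = re.Test(strName)
End Function

' True when the stream starts with the five bytes "%PDF-".
Function HasPdfSignature(objStream)
    Dim head, i, sig
    head = objStream.Read(5)
    If Not IsNull(head) Then
        For i = 1 To LenB(head)
            sig = sig & Chr(AscB(MidB(head, i, 1)))
        Next
    End If
    objStream.Position = 0   ' rewind for the full read later
    HasPdfSignature = (sig = "%PDF-")
End Function

Sub SendUpload(strName)
    Dim objStream
    If Not IsSafeName(strName) Then
        Response.Status = "400 Bad Request"
        Response.End
    End If
    Set objStream = Server.CreateObject("ADODB.Stream")
    objStream.Open
    objStream.Type = 1   ' adTypeBinary
    objStream.LoadFromFile UPLOAD_DIR & strName
    Response.Clear
    If HasPdfSignature(objStream) Then
        Response.ContentType = "application/pdf"
    Else
        Response.ContentType = "application/octet-stream"
    End If
    Response.AddHeader "Content-Disposition", "attachment; filename=""" & strName & """"
    Response.AddHeader "X-Content-Type-Options", "nosniff"
    Response.BinaryWrite objStream.Read
    objStream.Close
    Response.End
End Sub
SendUpload CStr(Request.QueryString("f"))
%>
```

The five-byte check only decides which content type is declared; it does not prove the rest of the file is a well-formed PDF.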
 
Dan
 
      06-03-2010

"Bwig Zomberi" <(E-Mail Removed)> wrote in message
news:hu7fv9$tov$(E-Mail Removed)...
> Dan wrote:
>>
>> "Bwig Zomberi" <(E-Mail Removed)> wrote in message
>> news:hu5ein$4qs$(E-Mail Removed)...
>>> Dean g wrote:
>>>> Damn, 2 out of 3 problems solved is still good.
>>>>
>>>> Thanks for the help guys, i just wish i knew why half the pdf
>>>> files display garbage on the screen even though they are
>>>> genuine pdf's. i guess thats a question for another group
>>>> though.
>>>>
>>>
>>> I had this problem with Opera. In a newer version, it got solved.
>>>
>>> Just ensure that you set the content type properly on the server-side
>>> and you are not writing anything other than what is in the PDF to the
>>> browser. To be sure that the entire ASP code is between one set of <%
>>> and %>. Do not use nested code. Do not write any HTML or set any
>>> cookies.
>>>
>>> On the client side, ensure that Adobe Reader is installed properly and
>>> plugins are available for all browsers.
>>>
>>> If the problems persist, then it is problem with the PDFs. You could
>>> go to alt.txt.pdf. However, you will need to host the PDF and provide
>>> a link so they can check it out.
>>>
>>>

>>
>> The other thing you can do is use Response.Buffer = true, and then prior
>> to sending the headers clear the buffer first just in case there are any
>> CR/LF characters from inline ASP above that piece of code. Or just make
>> sure you always put inline ASP code fully inline, eg.
>>
>> <%
>> blah blah
>> %>
>> <%
>> more blah
>> write headers
>> write binary data
>> %>
>>
>>
>> will actually put a single CR/LF combination before the data, because
>> there is a CRLF outside of the ASP tags. The same can be written as
>>
>>
>> <%
>> blah blah
>> %><%
>> more blah
>> write headers
>> write binary data
>> %>
>>
>> and not insert the CR/LF.
>>
>> It's also worth checking this wherever you send out a DOCTYPE headers in
>> normal HTML, if the DOCTYPE isn't on the first line of the output then
>> some browsers will ignore it.
>>

>
>
> I think that if you use two sets of <% and %>, it adds a new line
> character, which will totally wreck the PDF. It should be like


Nope, only if you put a new line between the tags. Feel free to try it out -
I've already done so on IIS6 and there is no implied newline at tag
ends/starts.

<%
blah
blah
%><%
blah blah
%>

does not add a newline.

I often use includes too, so for instance will do things like

<%
blah blah
%><!-- #include file="file.asp" --><%
blah blah
output binary data
%>

and again there will be no newlines before the binary data.

--
Dan

 
Bwig Zomberi
 
      06-03-2010
Dan wrote:
> Nope, only if you put a new line between the tags. Feel free to try it
> out - I've already done so on IIS6 and there is no implied newline at
> tag ends/starts.
>
> <%
> blah
> blah
> %><%
> blah blah
> %>
>
> does not add a newline.



Your code does not add a new line. I usually separate the <% %>
pairs for readability of the code. That adds a new line. The OP may be
doing the same in his code. He may not immediately see that you have
neatly avoided that pitfall by keeping it together.

I have faced a similar problem with writing RSS feeds using ASP. The
first line of XML files should start with <?xml .... or something. My
regular code convention would break that.



--
Bwig Zomberi
 
Dan
 
      06-03-2010

"Bwig Zomberi" <(E-Mail Removed)> wrote in message
news:hu81aq$mss$(E-Mail Removed)...
> Dan wrote:
>> Nope, only if you put a new line between the tags. Feel free to try it
>> out - I've already done so on IIS6 and there is no implied newline at
>> tag ends/starts.
>>
>> <%
>> blah
>> blah
>> %><%
>> blah blah
>> %>
>>
>> does not add a newline.

>
>
> Your code does not add a new line. I usually put separate the <% %> pairs
> for readability of the code. That adds a new line. The OP may be doing the
> same in his code. He may not immediately see that you have neatly avoided
> that pitfall by keeping it together


I thought I'd made it clear enough in my earlier reply, and that you were
stating I was wrong, hence the above followup. If you look at my 2 examples
you can see the difference, and that was my point.

> I have faced a similar problem with writing RSS feeds using ASP. The first
> line of XML files should start with <?xml .... or something. My regular
> code convention would break that.


Ah, yes, RSS, that's another place I learnt to not put newlines outside of
code blocks ...

--
Dan

 