ASP Serving Files


nsanto17

IS-IT--Management
Mar 14, 2005
616
US
I have created a site using ASP/VB. All of my pages are secure but I just realized that all my DOCS and PDF files are not secure. Anyone who knows the path can just type in the path and access my files.

Someone had recommended serving files through a script instead of through direct links. I am not sure how to do this. Can anyone point me in the right direction?

Thanks

Nick
 
1. Make two new folders in your web app:
\downloads
\secret

2. Move all of your static content files into the \secret folder.

3. Change all of the links to these files to the \downloads folder.

4. Leave the \downloads folder empty so that all the links cause the 404 error.

5. Make a custom 404 ASP for the \downloads folder. The logic:
a. Determine name of requested file (Request.ServerVariables)
b. Determine if user has permission to fetch the file (your existing security)
c. Send file to user


That last step 5c can be accomplished by using the Open, LoadFromFile, and Read methods of ADODB.Stream and Response.BinaryWrite.

 
Could you show me some sample code... I am a little unsure on your method...
 
First make your two new subfolders \downloads and \secret

Next copy the following code into a new ASP in the \downloads folder
Code:
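<%
' Debug only: dump every server variable so you can see what IIS passes to the 404 page
dim foo
for each foo in request.servervariables
  ' HTML-encode the values, since several of them come straight from the request
  response.write foo & " = " & Server.HTMLEncode(request.servervariables(foo)) & "<br>" & vbCrLf
next
%>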

Now use the IIS Administration tool to set the new ASP above to be a custom 404 for \downloads: right-click on the downloads folder, click Properties to bring up the tabbed dialog box, switch to the Custom Errors tab, scroll down and select 404, click the Edit button and set the file path to your new \downloads\404.asp file.


To be sure this worked, open a browser, go to your site, and try to get a nonexistent file from the downloads folder by typing something in the browser address bar like this: [tt]www.yoursite.com/downloads/FakeFile.doc[/tt]

This should bring up your new custom 404 which is currently just a dump of the Request.ServerVariables collection.

I don't recall the item in the collection that contains the name of the requested file, but it will be in the list displayed by your new custom 404. For now let's just suppose the filename is the last value in QUERY_STRING. So we can use the string parsing functions to extract the filename... so edit the new 404 page and append something like:[tt]
' Take everything after the last "/" in the query string as the file name
Dim LastSlashPos, FileName
LastSlashPos = InStrRev(Request.ServerVariables("QUERY_STRING"), "/")
FileName = Mid(Request.ServerVariables("QUERY_STRING"), LastSlashPos + 1)
' HTML-encode the value before echoing it, since it comes from the request
Response.Write "<br><br>The requested file was: " & Server.HTMLEncode(FileName)
[/tt]

Save it and then click refresh in the browser so that you again request [tt]www.yoursite.com/downloads/FakeFile.doc[/tt] and you again get the 404 error. This time the filename should be at the bottom of your 404 message.

Now, to determine if the user has permission to fetch the file, use whatever method you use elsewhere in your application for determining access to ASP files. Add this logic to your new custom 404.

Next thing to do is get the physical path to your \secret folder. Assuming that the \secret folder is in the same folder as the \downloads folder, you can do this:
[tt]
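' Build the physical path of the requested file inside \secret
Dim SecretFilePath
SecretFilePath = Server.MapPath(".") & "\secret\" & FileName
' HTML-encode the path before echoing it, since FileName comes from the request
Response.Write "The physical path to the secret file is: " & Server.HTMLEncode(SecretFilePath) & "<BR>"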
[/tt]



Finally, to send the file to the user, comment out all of the lines that use Response.Write so that no extra text is sent to the browser. Then add:[tt]
Dim objStream
Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = 1 ' 1 = adTypeBinary
objStream.LoadFromFile SecretFilePath
' Send the raw bytes of the file to the browser
Response.BinaryWrite objStream.Read
objStream.Close
Set objStream = Nothing
[/tt]

Substantively that's about all there is to it. You'll want to add something that is displayed when the requested file is truly not found. You could either trap the error generated by objStream.LoadFromFile or, perhaps cleaner would be to use the FileExists method of the Scripting.FileSystemObject before even attempting to open the file... anyway you should add some 404 File Not Found text to return to the browser when the file is truly not found.


PS: If the browser chokes on the MIME type of the downloaded file you might want to set [tt]Response.ContentType[/tt] immediately before the call to .BinaryWrite
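
The finished 404 handler from the steps above, as an added example that is not part of the original posts: it restricts the requested name to an allowlist and confirms the resolved path stays inside \secret before LoadFromFile runs, so a name containing "..\" cannot reach other files. Assumptions: QUERY_STRING carries the original URL as the post supposes, Session("LoggedIn") is a stand-in for your own access check, only .pdf and .doc files are served, and direct web access to \secret is blocked in IIS.

```vbscript
<%
' Added example, not from the thread. Assumed: QUERY_STRING carries the original
' URL (as the post supposes), Session("LoggedIn") is a Boolean set at login that
' stands in for your own access check, and only .pdf/.doc files are served.

' Return a bare file name from the request, or "" if it must be refused.
Function SafeFileName(ByVal raw)
  Dim name, re
  SafeFileName = ""
  name = Mid(raw, InStrRev(raw, "/") + 1)
  Set re = New RegExp
  re.IgnoreCase = True
  ' Allowlist: no "\", ":", "%" or leading dot, so "..\" and encoded names fail.
  re.Pattern = "^[a-z0-9_-][a-z0-9._-]{0,99}\.(pdf|doc)$"
  If re.Test(name) And InStr(name, "..") = 0 Then SafeFileName = name
End Function

Dim fso, secretDir, fileName, fullPath, stream
Set fso = Server.CreateObject("Scripting.FileSystemObject")
secretDir = fso.GetAbsolutePathName(Server.MapPath(".") & "\secret")
fileName = SafeFileName(Request.ServerVariables("QUERY_STRING"))
' Canonicalise, then confirm the result is still inside the secret folder.
fullPath = fso.GetAbsolutePathName(fso.BuildPath(secretDir, fileName))

If Session("LoggedIn") <> True Then
  Response.Status = "403 Forbidden"
  Response.Write "Access denied."
ElseIf fileName = "" _
    Or StrComp(Left(fullPath, Len(secretDir) + 1), secretDir & "\", vbTextCompare) <> 0 _
    Or Not fso.FileExists(fullPath) Then
  Response.Status = "404 Not Found"
  Response.Write "File not found."
Else
  Set stream = Server.CreateObject("ADODB.Stream")
  stream.Type = 1                      ' 1 = adTypeBinary
  stream.Open
  stream.LoadFromFile fullPath
  Response.Status = "200 OK"
  If LCase(Right(fileName, 4)) = ".pdf" Then
    Response.ContentType = "application/pdf"
  Else
    Response.ContentType = "application/msword"
  End If
  Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
  Response.BinaryWrite stream.Read
  stream.Close
End If
%>
```

File names that need URL encoding (spaces, for example) are refused by this allowlist; rename such files or widen the pattern deliberately.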
 