security problem with a FileUpload

[destroyhead]

Hi,
Here is my very simple program :

Code behind :

using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.IO;

public partial class _Default : System.Web.UI.Page

{

protected void Page_Load(object sender, EventArgs e)
{
DirectoryInfo theFolder = new DirectoryInfo(@"C:\temp\Server_Attachments\6");
string Attachment = "";
foreach (FileInfo nextFile in theFolder.GetFiles())
{
Attachment += "<a href=\"C:\\temp\\Server_Attachments\\6\\blabla.xls\">" + nextFile.ToString() + "</a><br />";
div1.InnerHtml = Attachment;
}
}

protected void Attach_File(object sender, EventArgs e)
{
FileUpload1.SaveAs(@"C:\Server_Attachments\6");
}
}



HTML :

<div id="div1" runat="server"></div>

<asp:Label ID="Label1" runat="server" Text=" Attach a file : "></asp:Label><br />

<asp:FileUpload ID="FileUpload1" runat="server" Font-Names="Tahoma" Font-Size="Small" /><br />

<asp:Button ID="Button2" runat="server" Text=" Attach " Font-Names="Tahoma" Font-Size="Small" OnClick="Attach_File" />



Neither the hyperlinks, neither the upload are working

- when I am clicking on the hyperlinks nothing is happening (although "Save target as" is working).

- when I am trying to upload, I have got the error "Access to the path 'C:\Server_Attachments\6' is denied."

On the server :
It is obviously a security issue. I have checked which account was running the program and it is NETWORK SERVICE.

On my laptop :
I have run my program on my laptop and still got the same error. It means that with the "pseudo" web server enhanced in VS2005, the same problem occurs ("Access to the path X is denied").
I have used System.Security.Principal.WindowsIdentity.GetCurrent().Name to check who was running the program and it is me. I have got administrator's rights on my workstation. I can copy a file in this folder on my own but not via ASP.NET.

Any idea how to fix this problem (options in Visual Studio?)?

Thanks very much for any help.

Olivier

 

[florens]

I've had the same problem as you did, for me the solution was to add another user to the target folder. This should be user ASPNET, give it write permissions (might wanna try with full access first) and try again.
You can add this user in windows by browsing to the folder, selecting properties -> security. And manualy add the new user there. Be sure to have DEselected 'use simple fileshare' (or something similar, my Windows is not in English) in 'extra -> folder options'.
Hope this helps.

 

[ca8msm]

The first of your problems (why you can't save the files from the hyperlinks) is because you have put a reference to the local hard drive. So, when you click the hyperlink, it tries to locate the file on your computer rather than from the server. In the example you have used above, you should have said:

Attachment += "<a href=\"[URL unfurl="true"]http://servername/files/">"[/URL] + nextFile.ToString() + "</a><br />";

You are right that your second problem is a security issue. Have you granted rights to the Network Service account to be able to write to that folder?


____________________________________________________________

Need help finding an answer?

Try the Search Facility or read FAQ222-2244 on how to get better results.

 

[destroyhead]

Thanks florens,
It does not work.
I am working inside a domain where the ASPNET account does not exist.
So I can not add it to the folder's users.
Thanks!

 

[destroyhead]

Thanks ca8msm,

When I am trying to execute this :

protected void Page_Load(object sender, EventArgs e)
{
DirectoryInfo theFolder = new DirectoryInfo(@"

http://myserver/C$/TEMP/Server_Attachments/6/");

string Attachment = "";
foreach (FileInfo nextFile in theFolder.GetFiles())
{
Attachment += "<a href=\"

http://myserver/C$/TEMP/Server_Attachments/6/"

+ nextFile.ToString() + "\">" + nextFile.ToString() + "</a><br />";
div1.InnerHtml = Attachment;
}
}

protected void Attach_File(object sender, EventArgs e)
{
FileUpload1.SaveAs(@"

http://myserver/C$/TEMP/Server_Attachments/6/");

}

I have got the error : "URI formats are not supported." for the first line of the Page_Load.

Thanks!

 

[ca8msm]

The first line of the page load should remain as it is (in my example I didn't mention to change that line, I only said to change the "attachments" line).

Also, in the attachments line you don't need to include the C$. You just need to reference the virtual directory like I did in my example.


____________________________________________________________

Need help finding an answer?

Try the Search Facility or read FAQ222-2244 on how to get better results.

 

[destroyhead]

Thanks ca8msm!

Now the hyperlinks are working.

Here is my code if someone needs it :

protected void Page_Load(object sender, EventArgs e)
{
DirectoryInfo theFolder = new DirectoryInfo(@"\\myserver\myvirtualdirectory");
string Attachment = "";
foreach (FileInfo nextFile in theFolder.GetFiles())
{
Attachment += "<a href=\"\\\\myserver\\myvirtualdirectory\\" + nextFile.ToString() + "\">" + nextFile.ToString() + "</a><br />";
div1.InnerHtml = Attachment;
}
}

protected void Attach_File(object sender, EventArgs e)
{
FileUpload1.SaveAs(@"\\myserver\myvirtualdirectory");
}

But the FileUpload is still not working ("Access to the path \\myserver\myvirtualdirectory\ is denied").

Has anyone got any idea?

Many thanks.

Olivier

 

[ca8msm]

Again, that's another line that you have changed when I haven't mentioned to change it. Re-read my post and answer the question I asked.


____________________________________________________________

Need help finding an answer?

Try the Search Facility or read FAQ222-2244 on how to get better results.

 

[destroyhead]

Re-
The path to the directory I want to upload a file is
"\\myserver\myvirtualdirectory" with
"myvirtualdirectory" like this :
"X\Y\Z".
NETWORK SERVICE has Full Control on the folders Y and Z but not X (the user NETWORK SERVICE does not exist as an X's user).
Thanks for your help.
Olivier