I have a silverlight application that retrieves a file from Amazon s3. At this point I am using a SaveFileDialog to save it to disk.
I am looking for a better way of saving the file.I have looked into and implemented Isolated storage but ultimately decided to not use it because of all the restrictions.
Also, silverlight restricts saving a file outside isolated storage without the save file dialog, so I cannot save a file and then pass the file path to the browser. so this is not possible
HtmlPage.Window.Navigate(urlToFile, "_blank");
What are the options I have left now to pass this stream to a browser?
There is a feature in silverlight 4 where you can run it out of the browser. In this mode you have elevated permissions. The one that would be of most interest to you is
File system access. Trusted applications can access System.IO types
and related types that are otherwise unavailable to Silverlight. These
APIs provide direct read and write access to files in user folders on
the local computer. For more information, see How to: Access the Local
File System in Trusted Applications.
Outside of this, there is no other way to save a file to the users desktop without using the SaveFileDialog
Related
I know that there are many posts about these topic. But those posts usually talk about restricting the file types and sizes on so on. Hence non serves to my needs as my system does not have any constraints.
Let's say we have a web application, which accepts uploads from users logged in. These users are authenticated via Active Directory. Anonymous users are not allowed.
Users can upload any type of file to the system. Then users can preview the files uploaded via our multi purpose viewer. Right now we support some basic file types, like pictures, music, video, pdf files and office files. I decide for viewable types by checking a dictionary for viewable types, and if the type don't exist it won't be previewed but downloaded directly.
I am curious about the security risks I have, hence I will try to elaborate my system.
I have two different systems in terms of file keeping procedure:
An internet application where the storage is a structured file system where file names are changed with guids
An intranet application where the storage is an unstructured file system where files are directly on the network drive as the user uploaded them, and users can access the files via network drive too
For both applications the previewing strategy is the same.
All files are served from an action method which can only be accessed while authenticated. And logical path traversal for the uploaded files are allowed.
The non-office files are returned to the client, and shown in img, video and embed html tags.
On the other hand, the office files are first executed via interop libraries of the Microsoft Office, converted to pdf, then returned to the client, and again showed as a regular pdf.
I am wondering, through these processes am I compromising any security here on the server side? I know that user can upload malicious files, but is there any way user can harm my system upon writing or reading process of the files?
Update: I am scanning the file after I've taken it into the temp area by an antivirus. Then if it's ok, committing it into the premamant area.
I developing a web application using ASP.NET. The users can download an excel template from the site. Now, i want to check the integrity of the file to check whether the file is the same as that on server and it is not corrupted. I can get md5 hashcodes for the file on the server by identifying the path using server.mappath() method but how can i get the location of the downloaded file to generate and check the hashcodes.
how can i get the location of the downloaded file to generate and
check the hashcodes.
You can't. (and thats a good thing). Also, you shouldn't.
You can't access client's system resources through browser. You may use ActiveX (or others browser/OS specific) to do something like that but a better option would be to just provide the hash with each download and let the user verify the file integrity.
In a WebMatrix web site, where User Profiles are dynamically generated from the Database, where and how should I store user uploaded content?
I don't want this content to be publicly viewable unless the user has chosen make their profile, and uploaded content Publicly viewable.
But I can't just shove it all in a separate directory, since all you need to do is guess the location where such content is stored, and then browse the list of files in that dir. So, should I place it outside my \root directory (I don't think this is possible in some Shared hosting environments), or should I somehow insert this content into a database? (I'm trying to avoid this option as best as I can).
For content like Images and Videos, I was thinking that I should use a trusted Storage provider / image host type service where I would have API access used to store and retrieve these files, and then just store a link to the file uploaded to the file storage host in my database?
You could either
Store the extra files along the other user details in the database. (you probably want to discuss this with the db admins before implementing your storage like this)
Put the files on a fileshare your ASP.NET application has access to but that is not accessible from the web.
Turn of directory browsing and put the files there. "everyone" can't browse all files but it does mean that anyone that has a direct link can download that file without being logged in.
I would go with option 2: Put the files in a directory not directly accessible from the web and channel all downloads through your web app so that you control who can download what.
I have a WebForm application that generates a Crystal Report and streams it to the browser as a PDF.
My users would like the app (well, the Browser I suppose!) to always prompt them where to save the file (a network path) and then store that path (probalby in the SQL table that stores their profile info) and always use that path as the default on subsequent attempts.
I am pretty sure I know how to force the browser (IE) to always prompt them where to save the PDF or open it, and I can name the file (attachment), but how can I automatically populate that dialog box that appears (when thy choose to save the file) with a path? Is there some other way I can accomplish this (use a different mime type or something?)?
I suppose instead of streaming the file back, I can just prompt them for where they want to save and (with elevated permissions on the App Pool Identity) save it out to that path from the server. Since this is an Intranet application, the App Pool does already have some elevated permissions, because it must check certain network paths to see if files exist (it is also a Change/Revision app for CAD Math Data files).
How would you handle it?
You absolutely can not force the web browser to choose any particular location by default to save files, without third-party plugins (most of which I hope would also similarly prevent this sort of thing, which could be used for Evil)
So, if the server has access over the Intranet, that's how you'll have to do it.
I would like to upload file from the client to the server with a Front End in SilverLight.
My problem is that the file is NOT in the isolation storage (that would be easy!).
The application in few word require to upload images from the user computer similar to the file uploaded FaceBook, (the Java version).
Is there a way to grant permission from the user OR a trick that I might not know to be able to upload files?
Thank you
*I do not want to use the Open File Dialog.
If you don't want to use the open file dialog, then I would say that there are no way, if there were, it would be a bug - a security hole in the sandbox.