0

I want to block users from running files with specific extensions in an upload folder (/assets/public/) of a web application. Users can upload image files, which are also resized during the upload. But for more security I want to deny scripts like aspx, asp, php...

I have current code which blocks every extension but I want to allow extensions like .jpg:

<location path="assets/public">
    <system.web>
        <authorization>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>
<system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>

Also, users do not have FTP access and the application is pre-compiled.

HasanG

2 Answers

0

Try

<httpModules>
    <clear />
</httpModules>

or

<location path="." inheritInChildApplications="false">
</location>
abatishchev
  • "An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode." error after the first option, and the second one is not working. – HasanG Apr 10 '11 at 19:48
  • @Hasan: See [this question](http://stackoverflow.com/questions/4209999/an-asp-net-setting-has-been-detected-that-does-not-apply-in-integrated-managed-pi) regarding the first issue – abatishchev Apr 10 '11 at 19:51
-2

Here is how I solved this with global.asax and routing. Just added these rules:

routes.MapPageRoute("any", "assets/public/{file}.{ext}", "~/e/404.aspx");
routes.MapPageRoute("any-sub", "assets/public/{sub}/{file}.{ext}", "~/e/404.aspx");

routes.Ignore("{any}.jpg");
routes.Ignore("{any}.png");
routes.Ignore("{any}.gif");
routes.Ignore("{any}.pdf");
HasanG
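
One way to express the goal in the question, as an added example that is not code from the question or either answer: a `web.config` fragment that keeps `assets/public` readable for the four extensions listed in the second answer while refusing script handlers and every other extension. It assumes IIS 7 or later in Integrated pipeline mode with the Request Filtering feature installed, and that the `handlers` and `requestFiltering` sections are not locked at server level.

```xml
<!-- Added example: web.config fragment (assumes IIS 7+, Integrated pipeline). -->
<configuration>

  <!-- Before (from the question): with managed modules running for all
       requests, this denies every request to the folder, images included.
  <location path="assets/public">
    <system.web>
      <authorization><deny users="*"/></authorization>
    </system.web>
  </location>
  -->

  <!-- After: serve only allow-listed static files from the upload folder. -->
  <location path="assets/public">
    <system.webServer>
      <!-- Read-only access policy: handlers that require Script or Execute
           access (ASP.NET pages, classic ASP, PHP) are not invoked here,
           so an uploaded script is never executed by the server. -->
      <handlers accessPolicy="Read" />
      <security>
        <requestFiltering>
          <!-- Allow-list: a request for any extension not listed below is
               rejected by IIS with HTTP 404.7 (file extension denied). -->
          <fileExtensions allowUnlisted="false">
            <add fileExtension=".jpg" allowed="true" />
            <add fileExtension=".png" allowed="true" />
            <add fileExtension=".gif" allowed="true" />
            <add fileExtension=".pdf" allowed="true" />
          </fileExtensions>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>

</configuration>
```

The two settings are independent layers: the extension allow-list rejects requests for `.aspx`, `.asp` or `.php` outright, and the read-only access policy keeps script handlers from running even if a file with an unexpected handler mapping is requested.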