Ive just tryed some things out with my new server today, and ive found a big flaw in what ive done in my MVC application.
So what happening in applikation is : people can access page and login, when people login , they can upload files in their own folder on a server. and then they can access them when they want. but the problem ive found is: people can see any folder they want if the enter right url. for example :
URl can be named like : testnameweb.com/Upload/testUserName/testfilename.png in this case the one who enters url, can see testfilename.png file. BUT, if same person enters : testnameweb.com/Upload/
they acan see any people folders and browse on server any way they want.
Any idea how to prevent this?
The first step would be to put those files into a folder which is not publicly accessible. For example App_Data
. Or a folder that's completely outside of the application root. Then you could organize your files into folders per user. So each user will have his own sub-folder. Then you could write a controller action to which you will only pass the filename and which based on the currently authenticated user will server the proper file.
[Authorize]
public ActionResult File(string filename)
{
string username = User.Identity.Name;
// now that you know the currently connected username and the filename
// go and find the corresponding file and stream it as a result
...
}
And to provide a link so that the currently connected user can browse a file:
@Html.ActionLink("Open foo.txt", "file", new { filename = "foo.txt" })
Assuming you have an UploadController which is converting the URL into a filename, validate that the logged in user has permission to view the file in that controller before displaying it.