Setting Appropriate Security


ASP Security Settings

In ASP, FileUp executes in a specific user context:

To allow uploads, the IUSR_MACHINENAME or authenticated user must have Read, Write, and Modify NTFS permissions for FileUp's physical temporary and destination folders.

Read, Write, and Modify are NTFS permissions and are required for the physical destination folders only. These permissions are not required in IIS.

An upload's destination folder is set in code by FileUp.Path or FileUp.SaveAs. The temporary directory for an upload can be set in code by the property FileUp.Path. If you do not assign a value to FileUp.Path, uploads will be cached in the system's default directory for cached files, which is determined by the system environment variable TEMP.

To change the system's default directory for cached files, reset the TEMP environment variable, as follows:

  1. Open the Control Panel.
  2. Select System.
  3. Select the Advanced tab.
  4. Click Environment variables...
  5. Select TEMP from the System Variables list.
  6. Click Edit.
  7. Enter a new Variable Value, and click OK.

If UseMemory is set to True, FileUp will not write temporary files and it is not necessary to set permissions for a temporary directory.

If the upload destination folder is a virtual directory, a malicious user may be able to upload an infected file to the directory and launch it through the Web. To prevent this, use a folder that is not a virtual directory as the upload destination location.



ASP.NET Security Settings

In ASP.NET, if impersonation is disabled - as it is by default - FileUp executes in the context of the ASPNET account or an authenticated user account. To allow uploads, the ASPNET account or authenticated user must have Read, Write, and Modify permissions for FileUp's temporary and destination folders.

Read, Write, and Modify are NTFS permissions and are required for the physical destination folders only. These permissions are not required in IIS.

An upload's destination folder is set in code by FileUp.Path or FileUp.SaveAs. The temporary directory for an upload can be set in code by the property FileUp.Path. If you do not assign a value to FileUp.Path, uploads will be cached in the system's default directory for cached files, which is determined by the system environment variable TEMP.

To change the system's default directory for cached files, reset the TEMP environment variable, as follows:

  1. Open the Control Panel.
  2. Select System.
  3. Select the Advanced tab.
  4. Click Environment variables...
  5. Select TEMP from the System Variables list.
  6. Click Edit.
  7. Enter a new Variable Value, and click OK.

If you enable impersonation, FileUp will execute in the IUSR_MACHINENAME or authenticated user context, and you can set permissions as you would for ASP. Under ASP.NET, impersonation is controlled in the .NET configuration file for your Web application, web.config or machine.config. (For information about these files, see Installing FileUp for ASP.NET.) To enable impersonation, set impersonate to true in the identity node of web.config or machine.config:

<identity impersonate="true" userName="" password=""/>

The following is a sample web.config file with impersonate set to true:

<configuration>
  <system.web>
    <compilation numRecompilesBeforeAppRestart="15">
      <compilers>
      </compilers>
    </compilation>
    <httpHandlers>
      <add verb="*" path="*.uplx" type="System.Web.UI.PageHandlerFactory"/>
    </httpHandlers>
    <httpModules>
      <add name="FileUpModule" type="SoftArtisans.Net.FileUpModule,FileUpModule, Version=x.x.x.x, Culture=neutral,PublicKeyToken=f593502af6ee46ae"/>
    </httpModules>
    <identity impersonate="true" userName="" password=""/>
  </system.web>
</configuration>

If UseMemory is set to True, FileUp will not write temporary files and it is not necessary to set permissions for a temporary directory.

If the upload destination folder is a virtual directory, a malicious user may be able to upload an infected file to the directory and launch it through the Web. To prevent this, use a folder that is not a virtual directory as the upload destination location.
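
The NTFS permission requirement and the virtual directory warning, given above for both ASP and ASP.NET, can be applied together. The following PowerShell is an added example, not SoftArtisans code; the function names, folder paths and web root are assumptions chosen for illustration. It refuses an upload folder that lies inside any web-served path, then grants the upload account Modify on it.

```powershell
# Added example, not SoftArtisans code. Paths and account names below are placeholders.

function Test-PathInside {
    param([string]$Child, [string]$Parent)
    # Normalise both paths and compare with a trailing separator so that
    # C:\inetpub\wwwroot2 is not treated as being inside C:\inetpub\wwwroot.
    $c = [System.IO.Path]::GetFullPath($Child).TrimEnd('\') + '\'
    $p = [System.IO.Path]::GetFullPath($Parent).TrimEnd('\') + '\'
    return $c.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)
}

function Grant-UploadFolderAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Folder,
        [Parameter(Mandatory = $true)][string]$Account,
        # Physical paths of every site root and virtual directory IIS serves (supplied by the caller).
        [Parameter(Mandatory = $true)][string[]]$WebContentRoots
    )
    foreach ($root in $WebContentRoots) {
        if (Test-PathInside -Child $Folder -Parent $root) {
            throw "'$Folder' is inside web-served path '$root'; uploaded files could be launched through the Web."
        }
    }
    if (-not (Test-Path -Path $Folder -PathType Container)) {
        New-Item -ItemType Directory -Path $Folder | Out-Null
    }
    # The NTFS Modify right includes Read and Write; inherit it to files and subfolders.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Folder
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
    # Return the resulting entries so the grant can be reviewed.
    (Get-Acl -Path $Folder).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}

# ASP: anonymous uploads run as IUSR_MACHINENAME. For ASP.NET without impersonation use 'ASPNET'.
# 'D:\FileUpData\Uploads' and 'C:\inetpub\wwwroot' are placeholder paths.
Grant-UploadFolderAccess -Folder 'D:\FileUpData\Uploads' `
    -Account "IUSR_$env:COMPUTERNAME" `
    -WebContentRoots 'C:\inetpub\wwwroot'
```

Run it from an elevated prompt, and run it a second time for the temporary folder unless UseMemory is set to True.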



The ISAPI Filter and the HttpModule

FileUp's interceptors - the ISAPI filter and the HttpModule - cache request data before it is processed by ASP or ASP.NET.

The ISAPI filter and the HttpModule write to the hard drive as the local SYSTEM account, and can write to any directory on the server. The ISAPI filter/HttpModule temp directory must be on a local drive, not on a network shared drive, because the SYSTEM account does not have access to network drives.

The location of the temporary directory can be configured in the Windows registry. By default, the cache location is the system's default directory for cached files, which is determined by the system environment variable TEMP. To set a different ISAPI filter temp directory:

  1. Open the Start menu, and select Run.
  2. Enter regedit and click OK.
  3. Open HKEY_LOCAL_MACHINE\SOFTWARE\Software Artisans\SA-FileUp\Parameters.
  4. Right-click IsapiTempDir and select Modify.
  5. In Value Data, enter the path and folder name.

To set a different HttpModule temp directory:

  1. Open the Start menu, and select Run.
  2. Enter regedit and click OK.
  3. Open HKEY_LOCAL_MACHINE\SOFTWARE\Software Artisans\SA-FileUp\Parameters.
  4. Right-click FileUpTempDir and select Modify.
  5. In Value Data, enter the path and folder name.

To change the system's default directory for cached files, reset the TEMP environment variable, as follows:
  • Open the Control Panel.
  • Select System.
  • Select the Advanced tab.
  • Click Environment variables...
  • Select TEMP from the System Variables list.
  • Click Edit.
  • Enter a new Variable Value, and click OK.
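
The registry steps above can be scripted so that the local-drive requirement is checked before a value is written. The following PowerShell is an added example, not SoftArtisans code; the registry key and value names are the ones given on this page, while the function names, the string value type and the sample path are assumptions.

```powershell
# Added example, not SoftArtisans code. Key and value names come from this page.
$ParamsKey = 'HKLM:\SOFTWARE\Software Artisans\SA-FileUp\Parameters'

function Test-LocalFixedPath {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    # UNC and relative paths are rejected: the interceptors write as SYSTEM,
    # which has no access to network drives.
    if ($Path.StartsWith('\\') -or -not ([System.IO.Path]::IsPathRooted($Path))) { return $false }
    $root  = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Path))
    $drive = New-Object System.IO.DriveInfo($root)
    # A mapped network drive reports DriveType 'Network', not 'Fixed'.
    return ($drive.DriveType -eq [System.IO.DriveType]::Fixed)
}

function Get-FileUpTempDir {
    param([ValidateSet('IsapiTempDir', 'FileUpTempDir')][string]$Name)
    $value = (Get-ItemProperty -Path $ParamsKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if ([string]::IsNullOrEmpty($value)) {
        # No value set: fall back to the system TEMP variable, the default cache location.
        $value = [Environment]::GetEnvironmentVariable('TEMP', 'Machine')
    }
    return [Environment]::ExpandEnvironmentVariables($value)
}

function Set-FileUpTempDir {
    param(
        [ValidateSet('IsapiTempDir', 'FileUpTempDir')][string]$Name,
        [string]$Path
    )
    if (-not (Test-LocalFixedPath $Path)) {
        throw "'$Path' is not on a local fixed drive; the SYSTEM account cannot write there."
    }
    if (-not (Test-Path -Path $Path -PathType Container)) {
        throw "'$Path' does not exist; create the folder first."
    }
    # Assumption: the value is stored as a plain string (REG_SZ).
    Set-ItemProperty -Path $ParamsKey -Name $Name -Value $Path
}

# Report the effective cache directory of each interceptor.
foreach ($n in 'IsapiTempDir', 'FileUpTempDir') {
    $dir = Get-FileUpTempDir -Name $n
    '{0}: {1} (local fixed drive: {2})' -f $n, $dir, (Test-LocalFixedPath $dir)
}
# Set-FileUpTempDir -Name IsapiTempDir -Path 'D:\FileUpCache'   # placeholder path
```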



General Guidelines


Copyright © 2010 SoftArtisans, Inc. All rights reserved.