我有下载文件的处理程序,如下所示:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.IO;
using NiceFileExplorer.Classes;
namespace NiceFileExplorer
{
/// <summary>
/// Summary description for HandlerForMyFE
/// </summary>
public class HandlerForMyFE : IHttpHandler, System.Web.SessionState.IRequiresSessionState
{
private HttpContext _context;
private HttpContext Context
{
get
{
return _context;
}
set
{
_context = value;
}
}
public void ProcessRequest(HttpContext context)
{
Context = context;
string filePath = context.Request.QueryString["Downloadpath"];
filePath = context.Server.MapPath(filePath);
if (filePath == null)
{
return;
}
System.IO.StreamReader streamReader = new System.IO.StreamReader(filePath);
System.IO.BinaryReader binaryReader = new System.IO.BinaryReader(streamReader.BaseStream);
byte[] bytes = new byte[streamReader.BaseStream.Length];
binaryReader.Read(bytes, 0, (int)streamReader.BaseStream.Length);
if (bytes == null)
{
return;
}
streamReader.Close();
binaryReader.Close();
string fileName = System.IO.Path.GetFileName(filePath);
string MimeType = GetMimeType(fileName);
string extension = System.IO.Path.GetExtension(filePath);
char[] extension_ar = extension.ToCharArray();
string extension_Without_dot = string.Empty;
for (int i = 1; i < extension_ar.Length; i++)
{
extension_Without_dot += extension_ar[i];
}
string filesize = string.Empty;
FileInfo f = new FileInfo(filePath);
filesize = f.Length.ToString();
if (HttpContext.Current.Session["User_ID"] != null)
{
WriteFile(bytes, fileName, filesize, MimeType + " " + extension_Without_dot, context.Response);
}
}
private void WriteFile(byte[] content, string fileName, string filesize, string contentType, HttpResponse response)
{
response.Buffer = true;
response.Clear();
response.ContentType = contentType;
response.AddHeader("content-disposition", "attachment; filename=" + fileName);
response.AddHeader("Content-Length", filesize);
response.BinaryWrite(content);
response.Flush();
response.End();
}
private string GetMimeType(string fileName)
{
string mimeType = "application/unknown";
string ext = System.IO.Path.GetExtension(fileName).ToLower();
Microsoft.Win32.RegistryKey regKey = Microsoft.Win32.Registry.ClassesRoot.OpenSubKey(ext);
if (regKey != null && regKey.GetValue("Content Type") != null)
mimeType = regKey.GetValue("Content Type").ToString();
return mimeType;
}
public bool IsReusable
{
get
{
return false;
}
}
}
}
这个处理程序的重要部分是WriteFile,它完美无缺! 我称这个处理程序从后面的代码下载文件,如下所示:
Response.Redirect("~/Handler.ashx?Downloadpath=" + HttpUtility.UrlEncode(DownloadPath));
我网站上的一个下载链接如下:
http://localhost:5410/en/Download.aspx?Downloadpath=%2fFiles%2f%2fsamsung%2fGE2550_DEFAULT_MDL_V002.exe
所以,我可以通过该处理程序轻松控制我的下载链接!
我的问题是当某些身体发生变化时链接到:
http://localhost:5410/Files/samsung/GE2550_DEFAULT_MDL_V002.exe
can download that file directly without that handler!
我该如何阻止这种直接下载?
提前致谢
答案 0 :(得分:1)
首先,将文件的实际物理路径放入查询字符串并不是一个好主意。向公众提供一些过多的信息,并向您提供安全问题,让人们在网址中插入意外路径以尝试下载其他文件。
话虽如此,关于上述问题,您应该将您的Files文件夹放在Web根目录之外,以便浏览器无法访问它,或者设置IIS以便不允许任何人访问该文件夹(和子文件夹) 。只要运行ASP.NET的帐户具有该文件夹的权限,您仍然可以在代码中打开该文件并将其写入响应,无论它是否通过IIS可见。