
[Source] (Security) .NET/C#: preventing cross-directory access in file downloads

Posted on 2021-4-7 11:57:38
Scenario: an API endpoint receives a path parameter, completes the file path according to certain rules, and then returns the file to the user as a download.

Request:
GET /download_page?id=content.dat HTTP/1.1

Request:
GET /download_page?id=..%2f..%2fweb.config HTTP/1.1 (this downloads the server's web.config file)

Suppose D:\storage\123 is the root directory of the store and all stored files are under that directory. When the user-supplied path contains the `..` symbol, it can cross into the parent directory, so by passing `/../` in the URL parameter a user can easily reach and download sensitive resources.

Solution

Let's take a look at a screenshot of the result first:



The code is as follows:
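
An added example, not the code from the original post: one way to confine the `id` parameter to the storage root is to canonicalise the combined path and check that it still starts with the root. `SafeDownload` and `TryResolve` are hypothetical names, the sample ids are constructed, and the case-insensitive comparison assumes a Windows file system.

```csharp
using System;
using System.IO;

static class SafeDownload
{
    // True (and fullPath set) only if `id` resolves to a path inside `root`.
    public static bool TryResolve(string root, string id, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(id) || id.IndexOf('\0') >= 0)
            return false;

        // Canonical root with exactly one trailing separator, so that
        // D:\storage\1234 is not accepted as a prefix match of D:\storage\123.
        string rootFull = Path.GetFullPath(root)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        string candidate;
        try
        {
            // GetFullPath collapses "." and ".." segments. A rooted id
            // (C:\Windows\win.ini) makes Path.Combine discard rootFull,
            // which the prefix check below rejects as well.
            candidate = Path.GetFullPath(Path.Combine(rootFull, id));
        }
        catch (Exception e) when (e is ArgumentException ||
                                  e is NotSupportedException ||
                                  e is PathTooLongException)
        {
            return false; // illegal characters or malformed path
        }

        if (!candidate.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase))
            return false;
        fullPath = candidate;
        return true;
    }

    static void Main()
    {
        const string root = @"D:\storage\123"; // storage root from the article
        // Constructed id values, as seen after the framework URL-decodes %2f to /.
        string[] ids = { "content.dat", "../../web.config", "sub/../content.dat",
                         "../1234/x.dat", @"C:\Windows\win.ini" };
        foreach (string id in ids)
            Console.WriteLine(TryResolve(root, id, out string p)
                ? $"SERVE  {id} -> {p}" : $"REJECT {id}");
    }
}
```

`Path.GetFullPath` does not resolve symbolic links or junctions, so a link placed inside the storage root that points elsewhere still passes this check.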






