ASP.NET FileUpload Control - security issues when buffering to disk

MSDN states that when downloading a file using the ASP.NET FileUpload control (v2.0) or the HttpPostedFile base file, "Files are downloaded in the MIME multipart/form-data format. By default, all requests, including form fields and downloaded files, larger than 256 KB in size are buffered to disk and not stored in server memory." MSDN Link

Does anyone know where on disk it is buffered and when this buffer is cleared / deleted, i.e. when does the request end and what happens in the event of an error or unexpected scenario when the request does not end gracefully?

I am concerned that if the application is able to send confidential information (CC data, personal data, etc.), this file will be buffered on disk and potentially not deleted at the end of the request. Will this be a problem on a shared host, that is, can this buffer be accessible from outside the application?

Maybe I didn’t understand something, but any advice / understanding / help would be greatly appreciated, thanks.

+3
2 answers

OK, I managed to find the answers to the questions above, so I'm just going to post them here in case this helps someone else.

By default (in the machine.config file) parameters for loading / requesting files in general

4mb 256 , , . web.config httpRuntime.

<httpRuntime maxRequestLength="8192" requestLengthDiskThreshold="512" />

8 512 .

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ ASP.NET\[APP_NAME]\[SOME_HEX_NAME_DIR]\[SOME_HEX_NAME_DIR]\uploads\

[unique_name] _post.tmp, , - , .

( IIS, , ), tmp .

, , , , , .

+7

, - :

MSDN: " RequestLengthDiskThreshold - . MaxRequestLength . , ."

, maxRequestLength , requestLengthDiskThreshold (, kB ), .

, , , .

.

<httpRuntime maxRequestLength="256" requestLengthDiskThreshold="262144"></httpRuntime>
0
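A check for the two points the answers above raise, written as an added example (not code from the original posts): it reads the httpRuntime element of a web.config, reports which request sizes end up buffered to disk, and lists `_post.tmp` buffer files in an uploads directory that are older than a chosen age. The function names, the age cutoff and the default values (4096 KB and 256 KB, as the page states them) are assumptions, and both attributes are read as kilobytes, as the first answer reads them.

```python
import os
import time
import xml.etree.ElementTree as ET

# Defaults as the page states them (4 MB and 256 KB); assumed, both in KB.
DEFAULT_MAX_KB = 4096
DEFAULT_THRESHOLD_KB = 256


def audit_http_runtime(web_config_xml):
    """Return (max_kb, threshold_kb, findings) for a web.config string."""
    root = ET.fromstring(web_config_xml)
    # Match on the local name so a namespaced <configuration> also works.
    node = next((e for e in root.iter()
                 if e.tag.split("}")[-1] == "httpRuntime"), None)
    attrs = node.attrib if node is not None else {}
    max_kb = int(attrs.get("maxRequestLength", DEFAULT_MAX_KB))
    threshold_kb = int(attrs.get("requestLengthDiskThreshold",
                                 DEFAULT_THRESHOLD_KB))
    findings = []
    if threshold_kb > max_kb:
        # MSDN says the threshold should not exceed maxRequestLength.
        findings.append("requestLengthDiskThreshold exceeds maxRequestLength")
    elif threshold_kb < max_kb:
        findings.append(f"requests between {threshold_kb} KB and {max_kb} KB "
                        "are buffered to disk")
    return max_kb, threshold_kb, findings


def stale_upload_buffers(upload_dir, max_age_seconds, now=None):
    """List *_post.tmp files last written more than max_age_seconds ago."""
    now = time.time() if now is None else now
    stale = []
    for name in sorted(os.listdir(upload_dir)):
        path = os.path.join(upload_dir, name)
        if not (name.endswith("_post.tmp") and os.path.isfile(path)):
            continue
        if now - os.path.getmtime(path) > max_age_seconds:
            stale.append(name)
    return stale


if __name__ == "__main__":
    # Constructed sample: the httpRuntime line from the first answer.
    sample = ('<configuration><system.web><httpRuntime maxRequestLength="8192" '
              'requestLengthDiskThreshold="512" /></system.web></configuration>')
    print(audit_http_runtime(sample))
    print(stale_upload_buffers(".", max_age_seconds=600))
```

Pointing `stale_upload_buffers` at the application's uploads directory on a schedule shows whether buffers outlive their requests, which is the concern the question raises.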

Source: https://habr.com/ru/post/1703931/

