
Reputation: 46425

Where does an uploaded file in ASP.Net 2 go?

I'm building a portal that will allow users to upload files. I need to make sure that these files do not contain viruses. My ideal solution would be to have the host OS AV keep a watch on temporary folders and scan any incoming files.

When a file is uploaded in ASP.Net 2, does it get written to disk in a temp folder, or is it persisted in memory? If it is written to disk, will IIS lock it so that the AV cannot remove it? And if it is written to disk, where?

Upvotes: 9

Views: 6105

Answers (6)

Chris Hynes

Reputation: 10239

Here's the actual dirt on how ASP.NET handles files. It's version dependent, but 2.0 and all subsequent versions do write uploads to disk before you get a chance to handle them. The above answers are actually wrong -- ASP.NET above 2.0 will write the file to disk. If you think about it, loading an upload into memory opens you to a DDOS hole as large files would take up increasing amounts of server memory. By version, here's how ASP.NET acts:

  • ASP.NET 1.0 and 1.1 loaded the whole request in memory before you could access it. This meant that large files could potentially fill all memory, causing exceptions and otherwise bringing down the server.

  • ASP.NET 2.0 introduced a disk caching scheme for uploads, again snagging the upload and processing it before client code can handle it. The temporary folder can be accessed as follows:

    string uploadFolder = Path.Combine(HttpRuntime.CodegenDirInternal, "uploads");

  • As of ASP.NET 4.0, the property name referenced above is HttpRuntime.CodegenDir:

    string uploadFolder = Path.Combine(HttpRuntime.CodegenDir, "uploads");

At least now it's cached to disk so you don't have the memory issues from 1.0 and 1.1, but you still can't access it until it's been fully retrieved.

Upvotes: 10

Tracker1

Reputation: 19334

For your scenario... I usually have an appsetting for any upload/temp location, with a default under ~/App_Data/Uploads/. It shouldn't be visible to the AV until the bytes are persisted to disk. If you really want active scanning, then you may wish to have a multi-stage queue... (also, you will want to do an Async request in ASP.Net), if you wait for any scan to complete.

  • You push the item into a queue to check in say 30 seconds (enough time for the AV scanner)
  • You save the file to an Upload directory (that gets checked)
  • You have another service check against the queue, and mark it as complete/processed if it still exists in 30 seconds
  • Your UI will check the queue every 10 seconds to see if it's done, then present that to the user.

I would consider white-listing your upload path with your native scanner, and see if there's an API exposed to run a manual scan on-request. An alternative would be to use ClamAV/ClamWin set up as a service scanner; you can run updates on it every hour (I've done this for mail systems), and it tends to be fairly decent with file signatures, even in archive files (if configured properly).

Also, you may wish to use 7z.exe (7-zip command line) to extract any archives. 7-zip can extract just about every archive type I've seen, even though it only supports a couple of compression targets for new archives.

Hopefully this helps as I was going to append this as a comment to another post, but it was getting lengthy.

Upvotes: 1
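The queue described in the answer above, sketched in C# as an added example (not code from any answer on this page). `QuarantineQueue`, `ScanState` and their members are hypothetical names; it assumes .NET 4 or later, a seekable upload stream, and an on-access scanner that deletes or rewrites files it flags. It goes one step beyond the answer by hashing the upload, so a file the scanner "cleaned" in place is not released as if it were the original.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;

enum ScanState { Pending, Released, Removed, Modified }

sealed class QuarantineQueue
{
    sealed class Entry { public string FilePath, Sha256; public DateTime DueUtc; public ScanState State; }
    readonly Dictionary<Guid, Entry> _entries = new Dictionary<Guid, Entry>();
    readonly TimeSpan _dwell;
    public QuarantineQueue(TimeSpan dwell) { _dwell = dwell; }

    static string Hash(Stream s) { using (var sha = SHA256.Create()) return BitConverter.ToString(sha.ComputeHash(s)); }

    // Hash the upload first, then write it into the AV-watched folder and queue the check.
    public Guid Save(Stream upload, string destPath, DateTime nowUtc)
    {
        var e = new Entry { FilePath = destPath, Sha256 = Hash(upload), DueUtc = nowUtc + _dwell };
        upload.Position = 0;
        using (var fs = new FileStream(destPath, FileMode.CreateNew)) upload.CopyTo(fs);
        var id = Guid.NewGuid();
        lock (_entries) _entries[id] = e;
        return id;
    }

    // Background service: resolve entries whose dwell time has elapsed.
    public void Sweep(DateTime nowUtc)
    {
        lock (_entries) foreach (var e in _entries.Values)
        {
            if (e.State != ScanState.Pending || nowUtc < e.DueUtc) continue;
            try
            {
                if (!File.Exists(e.FilePath)) { e.State = ScanState.Removed; continue; } // AV deleted or quarantined it
                using (var fs = File.OpenRead(e.FilePath))
                    e.State = Hash(fs) == e.Sha256 ? ScanState.Released : ScanState.Modified;
            }
            catch (IOException) { } // scanner still holds the file: stay Pending, retry on the next sweep
        }
    }

    // UI poll: only Released files should be served or processed further.
    public ScanState Status(Guid id) { lock (_entries) return _entries[id].State; }
}
```

Call `Save` with the posted file's input stream and `TimeSpan.FromSeconds(30)` as the dwell, run `Sweep(DateTime.UtcNow)` from the background service, and have the page poll `Status`.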

user62793

Reputation: 51

If you're serious about security, another related tip is to make certain the folder that you're saving files to is above the webroot so users cannot directly access it in any way. You can still give them the ability to delete their uploaded files with some database work, i.e. save the location and make sure each file is uniquely named (if the users are authenticating I just save the filename as USERNAME.XYZ where XYZ is the file's extension).

Upvotes: 1

Andrei Rînea

Reputation: 20780

Just like Cerebrus I will tell you that the UploadFile control will NOT write anything to the disk drive unless you tell it to.

Upvotes: 0

Cerebrus

Reputation: 25775

I think the ideal way would be to have an "Incoming" folder that has been given the necessary permissions for ASP.NET to save files. I have never encountered a situation where files remain locked even after you call SaveAs on the FileUpload control.

Note that the FileUpload control does not upload the file until you call SaveAs and this is when the file is persisted to disk on the server. It seems to hold all file contents in an HttpInputStream, which is written to disk when the SaveAs method is called.

The file(s) should then be free to be scanned by your AV application. In case an error occurs, you can give relevant feedback to the user.

Upvotes: 8

DomBat

Reputation: 2103

Are you using the ASP FileUpload server control?

If so, it is loaded into the server's memory until you do something with it.

This is from MSDN:

There is no inherent limitation on where you can save uploaded files. However, to save the file, the ASP.NET process must have permission to create files in the location that you specify. In addition, your application might be configured to require an absolute path (not a relative path) for saving the file, which is a security measure.

Upvotes: 3
