Secure files upload in ASP.NET Core

  • Question

  • User192755008 posted

    Hello. I was going through MS docs (link below) on file uploading and got interested in these 2 recommendations.

    Upload files in ASP.NET Core | Microsoft Docs

    1. The app's process must have read and write permissions to the storage location. Never grant execute permission.

    Could you please share some code examples on how exactly I can manage permissions in my ASP.NET Core app?

    2. Upload files to a dedicated file upload area, preferably to a non-system drive. A dedicated location makes it easier to impose security restrictions on uploaded files. Disable execute permissions on the file upload location.

    This is more of a Windows Server question... but still, any idea how exactly I can disable execute permissions on the file upload location?

    Thanks

    Tuesday, May 18, 2021 6:30 PM

Answers

  • User-939850651 posted

    Hi dotNETaspirant,

    1. The app's process must have read and write permissions to the storage location. Never grant execute permission.

    Could you please share some code examples on how exactly I can manage permissions in my ASP.NET Core app?

    2. Upload files to a dedicated file upload area, preferably to a non-system drive. A dedicated location makes it easier to impose security restrictions on uploaded files. Disable execute permissions on the file upload location.

    This is more of a Windows Server question... but still, any idea how exactly I can disable execute permissions on the file upload location?

    Whether an app process has execute permissions is not set by code.

    The application in IIS uses the permissions of Application Identity, so you need to confirm that the access permissions of the resources are granted to the ASP.NET request identity.

    Right-click on downloading folder > Properties > Security tab > Edit, and then modify or add the operation permissions, such as read, write, or execute, according to requirements.

    For more details, please refer to this document below:

    https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities

    Best regards,

    Xudong Peng

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, May 19, 2021 8:58 AM
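
Added example, not part of the original thread or of the Microsoft docs: the folder permissions described in the answer can also be applied from an elevated PowerShell session instead of the Security tab. The folder path `D:\AppUploads` and the pool name `MyAppPool` are assumed placeholders.

```powershell
# Run in an elevated PowerShell session on the IIS server.
# Placeholder values (assumptions, not from the thread):
$UploadPath = 'D:\AppUploads'          # dedicated upload folder on a non-system drive
$Identity   = 'IIS AppPool\MyAppPool'  # application pool identity; the pool must already exist

New-Item -ItemType Directory -Path $UploadPath -Force | Out-Null

$acl = Get-Acl -Path $UploadPath
# Protect the ACL from inheritance and discard the entries inherited from the parent.
$acl.SetAccessRuleProtection($true, $false)
# Drop explicit entries left over from an earlier configuration.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# Administrators and SYSTEM keep full control; the app identity gets Read and Write only.
# ReadAndExecute, Modify and FullControl are avoided for it because they include ExecuteFile.
$grants = [ordered]@{
    'BUILTIN\Administrators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    $Identity                = 'Read, Write'
}
foreach ($who in $grants.Keys) {
    $rights = [System.Security.AccessControl.FileSystemRights]$grants[$who]
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $who, $rights, $inherit, $propagate, $allow
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $UploadPath -AclObject $acl

# Verify: no Allow entry for the app identity may carry the ExecuteFile bit.
$exec = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$bad = (Get-Acl -Path $UploadPath).Access | Where-Object {
    $_.IdentityReference.Value -eq $Identity -and
    $_.AccessControlType -eq $allow -and
    ($_.FileSystemRights -band $exec)
}
if ($bad) { throw "Execute permission is still granted to $Identity on $UploadPath" }
Get-Acl -Path $UploadPath | Format-List Path, AccessToString
```

The account names `BUILTIN\Administrators` and `NT AUTHORITY\SYSTEM` are the English names; on a localized Windows installation they differ.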