i have a handler for download files like below :
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.IO;
using NiceFileExplorer.Classes;
namespace NiceFileExplorer
{
/// <summary>
/// Summary description for HandlerForMyFE
/// </summary>
public class HandlerForMyFE : IHttpHandler, System.Web.SessionState.IRequiresSessionState
{
private HttpContext _context;
private HttpContext Context
{
get
{
return _context;
}
set
{
_context = value;
}
}
public void ProcessRequest(HttpContext context)
{
Context = context;
string filePath = context.Request.QueryString["Downloadpath"];
filePath = context.Server.MapPath(filePath);
if (filePath == null)
{
return;
}
System.IO.StreamReader streamReader = new System.IO.StreamReader(filePath);
System.IO.BinaryReader binaryReader = new System.IO.BinaryReader(streamReader.BaseStream);
byte[] bytes = new byte[streamReader.BaseStream.Length];
binaryReader.Read(bytes, 0, (int)streamReader.BaseStream.Length);
if (bytes == null)
{
return;
}
streamReader.Close();
binaryReader.Close();
string fileName = System.IO.Path.GetFileName(filePath);
string MimeType = GetMimeType(fileName);
string extension = System.IO.Path.GetExtension(filePath);
char[] extension_ar = extension.ToCharArray();
string extension_Without_dot = string.Empty;
for (int i = 1; i < extension_ar.Length; i++)
{
extension_Without_dot += extension_ar[i];
}
string filesize = string.Empty;
FileInfo f = new FileInfo(filePath);
filesize = f.Length.ToString();
if (HttpContext.Current.Session["User_ID"] != null)
{
WriteFile(bytes, fileName, filesize, MimeType + " " + extension_Without_dot, context.Response);
}
}
private void WriteFile(byte[] content, string fileName, string filesize, string contentType, HttpResponse response)
{
response.Buffer = true;
response.Clear();
response.ContentType = contentType;
response.AddHeader("content-disposition", "attachment; filename=" + fileName);
response.AddHeader("Content-Length", filesize);
response.BinaryWrite(content);
response.Flush();
response.End();
}
private string GetMimeType(string fileName)
{
string mimeType = "application/unknown";
string ext = System.IO.Path.GetExtension(fileName).ToLower();
Microsoft.Win32.RegistryKey regKey = Microsoft.Win32.Registry.ClassesRoot.OpenSubKey(ext);
if (regKey != null && regKey.GetValue("Content Type") != null)
mimeType = regKey.GetValue("Content Type").ToString();
return mimeType;
}
public bool IsReusable
{
get
{
return false;
}
}
}
}
the important part of this handler is WriteFile And It works perfect!
i call this handler for download a file from code behind like below :
Response.Redirect("~/Handler.ashx?Downloadpath=" + HttpUtility.UrlEncode(DownloadPath));
one of my download links in my web site is like below :
http://localhost:5410/en/Download.aspx?Downloadpath=%2fFiles%2f%2fsamsung%2fGE2550_DEFAULT_MDL_V002.exe
so, i can contorl my download links easily by that handler!
my problem is when some body changes that link to :
http://localhost:5410/Files/samsung/GE2550_DEFAULT_MDL_V002.exe
can download that file directly without that handler!
how can i prevent this direct download?
thanks in advance
First, putting the actual physical path to the file into the querystring is not really a good idea. Gives a bit too much information to the public, and opens you to security issues with people putting unexpected paths into the url to try and download other files.
With that said, regarding you problem above, you should either put your Files folder outside of the web root so that it is inaccessible from the browser, or setup IIS so that no one is allowed access to that folder (and subfolders). As long as the account that ASP.NET runs under has permissions to the folder, you will still be able to open the file in your code and write it to the response, regardless of whether it’s visible through IIS.