Protect bin folder from direct download
Pavils Jurjans 2004-04-29, 8:54 pm

Hello,

My ASP.NET hoster has made a separate folder in my hosting space and
configured it as a separate application in IIS. Further, I created a "bin"
folder in this directory, and put in my aspx pages that all use code-behind.
All works fine, but I was dismayed to find out that it is possible to write
a direct URL to an assembly in the bin folder, and IIS would allow downloading
the pure code. That's somewhat very wrong, isn't it?

What should I tell my hoster to do in order to fix this? Actually I was
expecting that IIS6 handles this automatically and makes the bin folder
accessible only to CLI, and does not expose its contents to http requests.

Thanks,
Pavils

George Ter-Saakov 2004-04-29, 8:55 pm

Actually this is your hoster's fault.
In the IIS Management Console they should revoke read permissions from this
folder, so IIS will not serve any file to the browser from that folder.
Those permissions are given only through the IIS Management Console.
Do not mistake them for the file "read" permission of the IIS account or
ASP.NET account.
IIS must be able to read the DLL and load it into memory.
George.
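
An added example, not part of the thread: a small Python check a site owner can run against their own application after the hoster changes the IIS setting, to confirm that assemblies under bin are no longer served over HTTP. The base URL and assembly names are placeholders supplied by the caller, and the function names are made up for this example.

```python
import urllib.error
import urllib.request


def classify(status, body_prefix):
    """Classify one HTTP response to a request for a file under /bin."""
    if status == 200 and body_prefix[:2] == b"MZ":
        return "EXPOSED"       # a PE image (the DLL itself) reached the client
    if status in (401, 403, 404):
        return "blocked"       # the server refused to serve the file
    return "inconclusive"      # custom error page, 5xx, etc.: inspect by hand


def probe(url, timeout=10):
    """Fetch the first two bytes of url and classify the response."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(2))
    except urllib.error.HTTPError as err:
        # urllib raises for 4xx/5xx; the status code is what matters here
        return classify(err.code, b"")


def audit(base_url, assemblies, fetch=probe):
    """Return {assembly name: verdict} for each file under base_url/bin/."""
    base = base_url.rstrip("/")
    return {name: fetch(f"{base}/bin/{name}") for name in assemblies}


if __name__ == "__main__":
    import sys
    # usage: python check_bin.py <your application URL> <assembly.dll> ...
    results = audit(sys.argv[1], sys.argv[2:])
    for name, verdict in results.items():
        print(f"{verdict:12} /bin/{name}")
    sys.exit(1 if "EXPOSED" in results.values() else 0)
```

A 200 response that does not start with the `MZ` header is reported as inconclusive rather than safe, because some hosts answer with a custom error page and a 200 status.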