[thelist] security on the server

Warden, Matt mwarden at mattwarden.com
Wed Jul 18 10:33:02 CDT 2001



On Wed, 18 Jul 2001, Peter Kaulback wrote:

>In the wee hour of 03:10 PM 7/12/01 -0400, Warden, Matt bequeathed such 
>tales as these:
>>User:
>>-Logs in.
>>-Clicks a File.
>>-File downloads and could automatically open in the default viewer (like
>>Acrobat's PDF Viewer) for that content type.
>>-optionally enters his/her key to decrypt the file
>>
>>Developer:
>>Quite simple. Just write a script that queries the database for all files
>>located on that server owned by the logged in user. The files will be below
>>the site root and stored in the database as an absolute physical path (like
>>D:\SecuredContent\joesfile.pdf). The script would read that pdf into a
>>variable, set the HTTP header Content-Type to the appropriate string for
>>PDFs, and send that variable's contents to the browser (optionally over a
>>SSL connection).
>
>Matt, would one have to design the entire site in ASP or could one just 
>embed the ASP script into the html?

I'm not exactly sure what you're asking. ASP can be embedded into
HTML. It's not like a CGI script. Now, the whole site doesn't need to be
in ASP, just the script that handles the transfer of the PDFs does (or any
other scripting language available to you that has filesystem access).

For more information on filesystem access in ASP, see:
http://msdn.microsoft.com/scripting/default.htm?/scripting/vbscript/doc/jsFSOTutor.htm

>I've not done entire pages in ASP but I 
>have to explore server sides and there's no time like the present.  What 
>you describe is exactly what's required and PGP is definitely overkill at 
>this juncture.

I agree. Since you're trying to learn this stuff (and I'm lazy), I'll just
give you a layout of how I would do this script (rather than shove a
solution down your throat, with no discovery on your part):


<%@EnableSessionState=False%>

<%
Response.Expires=0
%>

<!--#include virtual="/includes/f_sc_checkLogin.asp"-->

<%
' if you're wondering...
' includes that are functions/subs start with f_
' includes that end up calling its contained function
' at the end are then followed by sc_ (self-calling)

' usually my checkLogin.asp function will redirect to login.asp
' if the user isn't already logged in, so...


' if they get to this point, they are authorized to view this content



SUB ListFiles(p_sFolder)
	' use the FSO object to get a folder object located at p_sFolder
	' iterate through the files
	' print out the following for each file (modify as necessary):
		' <a href="thispage.asp?f=FILENAME">FILENAME</a>
	' where FILENAME is the name of that file and
	' thispage.asp is the name of the current script
	' (you can get this value from
	' Request.ServerVariables("SCRIPT_NAME"))
END SUB


SUB ShowFile(p_sFileName, p_sFolder)

	' use the FSO object to get a file object located at
	' p_sFolder\p_sFileName
	' set the appropriate HTTP Content-Type header
	' for PDFs (see www.google.com)
	' do a Response.BinaryWrite FileObject.read()
	' or something along those lines

END SUB


sFolder = "D:\SecuredContent"
sFileName = trim(request.querystring("f"))


' here you will want to do some checking to make sure
' no one has entered some FunkyShiz(tm) into your 
' f querystring variable in order to gain access to 
' various areas of your server that you don't mean to
' give them access to. Shoot me an email offlist if you 
' have questions about this part...

if sFileName="" then
	call ListFiles(sFolder)

else
	call ShowFile(sFileName, sFolder)
end if


' and then end the script with this (because you can):


' foo
%>


HTH a bit. And don't let this stop you from thinking this out on your own,
because I just ran through this quickly. You could surely improve upon this
and make it your own.




Thanks,

--
mattwarden
mattwarden.com
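Added example (editor's code, not Matt's): one way to fill in the query-string check that the sketch above leaves as an exercise, plus a ShowFile that serves the PDF with the right Content-Type. It keeps the D:\SecuredContent folder, the f parameter and the checkLogin include from the sketch; IsSafeFileName and SECURED_FOLDER are names chosen here, only .pdf files are assumed to be served, ListFiles and the per-user ownership lookup in the database described earlier in the thread are not shown, and the file is read with ADODB.Stream in binary mode because an FSO TextStream would mangle binary data.

```vbscript
<%@ EnableSessionState=False %>
<% Option Explicit %>
<!--#include virtual="/includes/f_sc_checkLogin.asp"-->
<%
' Assumed folder from the sketch above; everything served must live directly in it.
Const SECURED_FOLDER = "D:\SecuredContent"

' Returns True only for a bare .pdf file name that exists directly in the
' secured folder. Path separators, drive letters, ".." and NUL bytes are all
' rejected so the f parameter cannot reach outside that folder.
Function IsSafeFileName(p_sName)
	Dim oFSO, sFull
	IsSafeFileName = False
	If Len(p_sName) = 0 Or Len(p_sName) > 255 Then Exit Function
	If InStr(p_sName, "\") > 0 Or InStr(p_sName, "/") > 0 Then Exit Function
	If InStr(p_sName, ":") > 0 Or InStr(p_sName, "..") > 0 Or InStr(p_sName, Chr(0)) > 0 Then Exit Function
	If LCase(Right(p_sName, 4)) <> ".pdf" Then Exit Function
	Set oFSO = Server.CreateObject("Scripting.FileSystemObject")
	' Resolve the joined path and insist it still starts with the secured folder.
	sFull = oFSO.GetAbsolutePathName(oFSO.BuildPath(SECURED_FOLDER, p_sName))
	If LCase(Left(sFull, Len(SECURED_FOLDER) + 1)) <> LCase(SECURED_FOLDER & "\") Then Exit Function
	IsSafeFileName = oFSO.FileExists(sFull)
End Function

' Streams the already-validated file to the browser as a PDF.
Sub ShowFile(p_sFileName, p_sFolder)
	Dim oStream
	Set oStream = Server.CreateObject("ADODB.Stream")
	oStream.Type = 1                    ' adTypeBinary
	oStream.Open
	oStream.LoadFromFile p_sFolder & "\" & p_sFileName
	Response.Clear
	Response.ContentType = "application/pdf"
	Response.AddHeader "Content-Disposition", "inline; filename=""" & p_sFileName & """"
	Response.BinaryWrite oStream.Read
	oStream.Close
	Response.End
End Sub

Dim sFileName
sFileName = Trim(Request.QueryString("f"))
If sFileName <> "" Then
	If IsSafeFileName(sFileName) Then
		Call ShowFile(sFileName, SECURED_FOLDER)
	Else
		Response.Status = "404 Not Found"   ' give no hint about why the name was rejected
		Response.End
	End If
End If
%>
```

Because the check runs after the login include, a rejected name can also be logged against the authenticated user, which makes repeated traversal attempts easy to spot in the server logs.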





More information about the thelist mailing list