BlogEngine 2.5 file.axd Access Restrictions

Topics: ASP.NET 2.0
May 14, 2012 at 9:39 AM

I have managed to restrict access to my blog by using SqlMembershipProvider and SqlRoleProvider. However all the files and images that I post within my membership access only blog have the url http://www.itradepod.com/Blog/file.axd?file=[filename].pdf and members are able to share these links with non members who should not be able to access those files but they can and this a major security loop hole. I have tried to remove all of the rights of the Anonymous role in the Admin area but the rights always return to default after saving.  Any help would be much appreciated. Thanks.

Coordinator
May 14, 2012 at 10:52 AM

The way the rights are setup is if you uncheck all the Rights for a role, it reverts back to a default set of rights for that role.  Yes, it's a little strange and unexpected.  So if you can leave at least 1 Right checked, then this won't happen.  It can be an unimportant right that you leave checked such as "Edit Own User".

I don't believe a Right exists to protect content served via the file/image handlers (file.axd and image.axd).  So the Rights system probably won't help you.

What you could do is create an Extension that subscribes to the ImageHandler.Serving and FileHandler.Serving events, and then when the event fires, you can check to see if the person is authorized (i.e. are they logged in, etc), and if not, issue a 403 HTTP response for example ... denying them the content.  Here's an example of an Extension I wrote before that does something like this for the ImageHandler, and the same thing can be done for the FileHandler.

http://blogengine.codeplex.com/discussions/236846

This extension was issuing a 403 if the referrer is missing or a different host.  Your version of this extension would not do that, but would instead check to see if the person is authentication (i.e. logged in), or whatever method you have for checking to see if the person is a member.

May 17, 2012 at 3:55 PM

Thanks BenAmanda for such a speed reply. I'll give your suggestion a try and let you know how it works out. Thanks again.