ASP.NET MVC - Using content in /Views folder
Jun 12, 2011 05:52 PM | Anton Palyok
Hello community,
Today I want to show you a trick that I learned while investigating a problem some time ago.
For example, you want to include some content (.js, .css, .jpg, etc.) in your website from the /Views folder.
The reasons for this scenario could be different. Maybe it is the architecture, maybe the customers want this.
It does not matter. In this case we have a problem.
E.g. we want to include a style sheet from the /Views folder:
When we open this in a browser we will get a 404 (Not Found) error.
The reason for this behavior lies in the web.config file in the /Views folder.
If we open this file we can notice the following line:
So all requests that start with /Views will be redirected to the HttpNotFoundHandler handler and we will see the corresponding error.
If we remove this line then we can access our content.
But a potential attacker can open a direct link to our view files, e.g.: http://localhost/Views/Home/Index.aspx
So we can block only these files (.aspx and .cshtml) from being displayed.
To do this we should configure the web.config file in the /Views folder:
And now our views are protected from being displayed and we can access the necessary content in the /Views folder.
Hope this will help someone quickly deal with a similar problem, while others could learn something new for themselves.
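
A sketch of the narrowed /Views/web.config described in this post, as an added example that is not the original poster's file. It assumes the stock ASP.NET MVC template entries (the `path="*"` handler and `BlockViewHandler`); the handler names `BlockAspxViews` and `BlockCshtmlViews` are made up for this example.

```xml
<?xml version="1.0"?>
<!-- /Views/web.config: added example, only the handler sections are shown.
     Other sections of the template file (pages, Razor settings) stay as they are. -->
<configuration>
  <system.web>
    <httpHandlers>
      <!-- Template default, returns 404 for every request under /Views:
           <add path="*" verb="*" type="System.Web.HttpNotFoundHandler"/> -->
      <!-- Narrowed: only the view files themselves return 404
           (classic pipeline / IIS 6) -->
      <add path="*.aspx" verb="*" type="System.Web.HttpNotFoundHandler"/>
      <add path="*.cshtml" verb="*" type="System.Web.HttpNotFoundHandler"/>
    </httpHandlers>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <handlers>
      <!-- Drop the template's catch-all before adding per-extension blocks
           (IIS 7+ integrated pipeline) -->
      <remove name="BlockViewHandler"/>
      <!-- Names are hypothetical; each handler name must be unique -->
      <add name="BlockAspxViews" path="*.aspx" verb="*"
           preCondition="integratedMode"
           type="System.Web.HttpNotFoundHandler"/>
      <add name="BlockCshtmlViews" path="*.cshtml" verb="*"
           preCondition="integratedMode"
           type="System.Web.HttpNotFoundHandler"/>
    </handlers>
  </system.webServer>
</configuration>
```

Because this blocks by extension instead of blocking everything, any other view file type kept under /Views (for example .ascx, .master or .vbhtml) needs its own pair of entries, and it is worth requesting one file of each type after deployment to confirm it returns 404.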