Security Considerations
By default, the ASPxFileManager control keeps thumbnails in the public "~\Thumb" folder, where every subfolder corresponds to a file manager folder that contains images. A subfolder name is generated with the MD5 (Message Digest 5) algorithm from the source folder's relative path and the thumbnail size. For example, for a file with the path ~\Content\User1\MyPhoto.jpg, a thumbnail is created at the path ~\Thumb\4b4a00930e767e8d70506b9ce2eb123a\MyPhoto.jpg.png.
<dx:ASPxFileManager ID="ASPxFileManager1" runat="server">
<Settings RootFolder="~\Content\" ThumbnailFolder="~\Thumb\" />
</dx:ASPxFileManager>
A subfolder is created and populated with thumbnails the first time they need to be displayed. Before a thumbnail is created, the file manager checks whether a thumbnail with the required path and name already exists and, if it does, uses that existing thumbnail.
Important
The described behavior can cause the following issues.
- If users know the name and path of a file they are not permitted to see, they can reach its thumbnail anyway: the thumbnail folder is public and its subfolder name is derived deterministically from the path, so the URL can be reconstructed and entered in the browser address line.
- If the FileManagerSettings.RootFolder property is changed dynamically (e.g., for different users), files with different content can have identical relative paths and file names. In this case, ASPxFileManager does not create a new thumbnail and reuses the existing one, so a file can be shown with the wrong thumbnail.
Therefore, if you implement a multi-user application or change the root folder dynamically, you must also specify the thumbnail folder (the FileManagerSettings.ThumbnailFolder property) dynamically, based on the currently logged-in user.
<dx:ASPxComboBox ID="ASPxComboBox1" runat="server" AutoPostBack="True" SelectedIndex="0">
<Items>
<dx:ListEditItem Text="Common" Value="Common files" Selected="True" />
<dx:ListEditItem Text="User 1" Value="User1" />
<dx:ListEditItem Text="User 2" Value="User2" />
<dx:ListEditItem Text="User 3" Value="User3" />
</Items>
</dx:ASPxComboBox>
<dx:ASPxFileManager ID="ASPxFileManager1" runat="server">
<Settings RootFolder="~/Content/Common files" ThumbnailFolder="~/Content/Thumbs/Common files" />
</dx:ASPxFileManager>
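The markup above only declares the controls; the code-behind that sets both folders per user is shown here as an added example and is not part of the DevExpress documentation. The page class name, the AllowedFolders set and the ApplyFolders method are assumptions; ASPxFileManager.Settings.RootFolder and Settings.ThumbnailFolder are the properties the text refers to.

```csharp
// Added example (not DevExpress code): code-behind for the markup above.
// Both folders are derived from the same per-user name, so a changed root
// folder never reuses thumbnails generated for a different root.
using System;
using System.Collections.Generic;
using DevExpress.Web;

public partial class FileManagerPage : System.Web.UI.Page
{
    // Server-side allow-list (assumed): the combo box value arrives from the
    // client and must not be used as a path segment without validation.
    private static readonly HashSet<string> AllowedFolders =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "Common files", "User1", "User2", "User3" };

    protected void Page_Load(object sender, EventArgs e)
    {
        // Page_Load runs on every request, postback and callback, so the
        // settings are reapplied before the file manager renders or serves files.
        // In a real multi-user application derive the name from the authenticated
        // identity (User.Identity.Name), not from a user-editable control.
        string selected = ASPxComboBox1.SelectedItem != null
            ? Convert.ToString(ASPxComboBox1.SelectedItem.Value)
            : string.Empty;
        ApplyFolders(selected);
    }

    private void ApplyFolders(string folderName)
    {
        // Unknown or tampered value: fall back to the shared folder instead of
        // building a path from unvalidated input.
        if (!AllowedFolders.Contains(folderName))
            folderName = "Common files";

        // Root and thumbnail folder change together; the thumbnail folder lives
        // outside every user root so it cannot be browsed through the file manager.
        ASPxFileManager1.Settings.RootFolder = "~/Content/" + folderName;
        ASPxFileManager1.Settings.ThumbnailFolder = "~/Content/Thumbs/" + folderName;
    }
}
```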
We also recommend that you restrict access to these thumbnail folders so that only the user they belong to can request files from them.