Security Considerations


By default, the ASPxFileManager control keeps thumbnails in the public "~\Thumb" folder, where every subfolder corresponds to a file manager folder that contains images. A subfolder name is generated with the MD5 (Message Digest 5) algorithm from the source folder's relative path and the thumbnail size (e.g., for a file with the path ~\Content\User1\MyPhoto.jpg, a thumbnail is created with the path ~\Thumb\4b4a00930e767e8d70506b9ce2eb123a\MyPhoto.jpg.png).

<dx:ASPxFileManager ID="ASPxFileManager1" runat="server">
     <Settings RootFolder="~\Content\" ThumbnailFolder="~\Thumb\" />
</dx:ASPxFileManager>


A subfolder is created and populated with thumbnails the first time they need to be displayed. Before a thumbnail is created, the file manager checks whether a thumbnail with the required path and name already exists and, if so, uses that existing thumbnail.

IMPORTANT

The described behavior can cause the following issues.

  • If someone knows the name and path of a file they are not permitted to access, they can reach that file's thumbnail by converting the path to its MD5 hash and entering the resulting URL in the browser address bar.
  • If the FileManagerSettings.RootFolder property is changed dynamically (e.g., for different users), files with different content can have identical relative paths and file names. In this case, ASPxFileManager does not create a new thumbnail but reuses the existing one, so a file can be shown with the wrong thumbnail.

Therefore, if you implement a multi-user application or change the root folder dynamically, you must also specify the thumbnail folder (the FileManagerSettings.ThumbnailFolder property) dynamically, based on the currently logged-in user.

<dx:ASPxComboBox ID="ASPxComboBox1" runat="server" AutoPostBack="True" SelectedIndex="0">
     <Items>
          <dx:ListEditItem Text="Common" Value="Common files" Selected="True" />
          <dx:ListEditItem Text="User 1" Value="User1" />
          <dx:ListEditItem Text="User 2" Value="User2" />
          <dx:ListEditItem Text="User 3" Value="User3" />
     </Items>
</dx:ASPxComboBox>
<dx:ASPxFileManager ID="ASPxFileManager1" runat="server">
     <Settings RootFolder="~/Content/Common files" ThumbnailFolder="~/Content/Thumbs/Common files" />
</dx:ASPxFileManager>
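The markup above declares the folders statically; the per-user assignment has to happen in code-behind. The following is an added example, not code from the DevExpress documentation or product: it assumes a forms-authenticated site in which each user owns a folder named after User.Identity.Name, and it sets both RootFolder and ThumbnailFolder from that name in Page_Init so that the thumbnail folder is never shared between users.

```csharp
// Added example (not from the DevExpress documentation). Code-behind for the
// page that hosts ASPxFileManager1. Assumption: User.Identity.Name is the
// name of the user's folder under ~/Content.
using System;
using System.Text;
using System.Web.UI;

public partial class FileManagerPage : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Resolve the folder name before ASPxFileManager reads its settings.
        string userFolder = GetSafeUserFolderName();

        // Each user gets a private root AND a private thumbnail folder. Two users'
        // files with the same relative path therefore never map to the same MD5
        // subfolder (same hash input, different content), and one user's thumbnail
        // tree does not contain another user's thumbnails.
        ASPxFileManager1.Settings.RootFolder = "~/Content/" + userFolder + "/";
        ASPxFileManager1.Settings.ThumbnailFolder = "~/Thumbs/" + userFolder + "/";
    }

    // Derive a folder name from the identity that cannot act as a path segment
    // or traversal: only [A-Za-z0-9_-] survive, the result is never empty, and
    // anonymous requests are rejected instead of falling back to a shared folder.
    private string GetSafeUserFolderName()
    {
        if (!User.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("File manager requires a signed-in user.");

        var sb = new StringBuilder();
        foreach (char c in User.Identity.Name)
            sb.Append(char.IsLetterOrDigit(c) || c == '_' || c == '-' ? c : '_');

        string name = sb.ToString();
        if (name.Length == 0)
            throw new InvalidOperationException("Cannot map the user identity to a folder name.");
        return name;
    }
}
```

Separating the folders per user only removes the wrong-thumbnail issue; thumbnails are still static files, so the ~/Thumbs tree also needs the access restriction recommended below.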

We also recommend that you restrict access to these thumbnail folders.
