Skip to main content

Security Considerations

  • 2 minutes to read

The ASPxFileManager control stores thumbnails in the public “~\Thumb" folder (the default setting) where every subfolder corresponds to a file manager folder that contains images. The subfolder name is created with an MD5 (Message Digest 5) algorithm based on the source folder’s relative path and thumbnail size (for example, for a file with the path ~\Content\User1\ MyPhoto.jpg, a thumbnail will be created with the path ~\Thumb\4b4a00930e767e8d70506b9ce2eb123a\MyPhoto.jpg.png.

<dx:ASPxFileManager ID="ASPxFileManager1" runat="server">
     <Settings RootFolder="~\Content\" ThumbnailFolder="~\Thumb\" />


The file manager creates a subfolder and populates it with thumbnails when they are displayed for the first time. Before a thumbnail is created, the file manager checks for an existing thumbnail with the required path and name, and if found, uses that thumbnail instead.


The behavior described above can cause the following issues:

  • If a prohibited file’s name and path are known, users should convert the path to MD5 hash and paste it to the browser address line to access the file thumbnail.
  • If the FileManagerSettings.RootFolder property is changed dynamically (for example, for different users), multiple thumbnail images can have the same relative path and file name. In this case, ASPxFileManager does not create a new thumbnail and uses an existing one, which prevents the use of incorrect thumbnails.

Therefore, if you implement a multi-user application or dynamically change the root folder, you must specify a thumbnail folder in code (the FileManagerSettings.ThumbnailFolder property) based on the current user.

<dx:ASPxComboBox ID="ASPxComboBox1" runat="server" AutoPostBack="True" SelectedIndex="0">
          <dx:ListEditItem Text="Common" Value="Common files" Selected="True" />
          <dx:ListEditItem Text="User 1" Value="User1" />
          <dx:ListEditItem Text="User 2" Value="User2" />
          <dx:ListEditItem Text="User 3" Value="User3" />
<dx:ASPxFileManager ID="ASPxFileManager1" runat="server">
     <Settings RootFolder="~/Content/Common files" ThumbnailFolder="~/Content/Thumbs/Common files" />

We also recommend that you restrict access to each user’s thumbnail folder.

See Also