  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 379

Does using response.redirect to download files reveal download location?

Hi,

I am developing an ASP app that downloads files from a hidden folder.  I was wondering if just using the command response.redirect (folder/filename) would be sufficient enough to prevent the download folder location from being revealed in the browser?

I have tested this on my server and so far it seems to work fine (i.e. the file downloads with no reference to its folder location) but does anyone know if this is 100% compatible with all browsers or whether there is a way a user could 'force reveal' the download path?

I did originally use ADODB.Stream to deliver the file but I understand there are memory limitations on downloading binary files in this way which is not suitable for my app.  I hope you can help!
0
Asked by: alphabeata
1 Solution
 
ap_sajithCommented:
I think it might not be safe enough. Did you try clicking on the stop button on the browser once the response.redirect actually kicks in? Or did you try how it would perform if there is a broken network connection once the redirect is called? I haven't tested it out.. just a hunch. I would suggest using the ADODB.Stream & FSO method of forcing a download as long as the file size is not astronomical :o).

Cheers!!
0
 
alphabeataAuthor Commented:
The ADODB.Stream and FSO method is what I am currently using and it works well but I do not want to place any restrictions on the file download size.  I understand that the buffer stream is limited server side so any file download request over that limit would fail.

I know that if you do a response.redirect to a music file it starts playing in your default player (e.g. Windows Media Player) and it is possible to view the download location via the information that the player contains.  However I have tried it with Zip files and I cannot see any reference to the true file location.

I will try to stop a download of a large file halfway through and see if it reveals the download location.  I'll post my results here.
0
 
alphabeataAuthor Commented:
OK, I tried using the ADODB.Stream and FSO method on a binary file over 30MB in size and it completely froze on me so that's out of the question (and I'm on a T1 connection!).  Using the 'response.redirect' method creates a much more stable download easily capable of handling large binary files.  I tried to stop the download by cancelling it from the dialog box and it still didn't reveal the download folder location.

So back to my original question - does anybody know whether a user can determine the download path from a response.redirect (folder/filename)?
0
 
ap_sajithCommented:
There are no issues with the redirect method, I suppose.

Cheers!!
0
 
GaryCommented:
Even if they find the original location, what's the problem?  If the folder is hidden then it's not accessible through a browser.
0
 
Göran AnderssonCommented:
Certainly a user can determine the location of the file.

I think that this will show the address: Copy the URL of the original link, and paste that in a browser window. The server runs the page and returns the new address to the browser. The address of the "hidden" folder should be visible in the address field.

How do you use the ADODB.Stream to read the file? Do you read the entire file into a variable before writing it to the response stream? That would most certainly kill the server if the file size is larger than the free memory on the server...
0
 
Göran AnderssonCommented:
> Even if they find the original location whats the problem?  If the folder is hidden then its not accessible through a browser.

To use Response.Redirect, the file has to be accessible through a browser.
0
 
alphabeataAuthor Commented:
Sorry, by hidden I mean not known to the user and not published as a link on the website.  I want it to remain a secret.  The folder's attribute is not set to 'hidden'.

I have copied and pasted the URL of the original link into a browser window (which calls an ASP page with encrypted variables in the querystring to determine the file location) and using response.redirect the folder/file location is not revealed in the browser but immediately opens up a file download dialog box prompting the user to open or save the file.

This is fine as it is the desired result I am looking for, however I need to know if a user could bypass this or in any way reveal the full download URL?

0
 
Göran AnderssonCommented:
As the redirected URL is sent to the browser, it's certainly possible to reveal it.

For example, there are download managers that take over the downloads from the browser. The browser sends the URL to the download manager to do the download. I bet some of the download managers reveal the full URL of the file. Also, you could make a fake download manager that only receives the URL from the browser and displays it.

That was one example. I bet there are even easier ways of doing it...

Don't some browsers even show the URL in the download status window? If you pull the network cable during the download, doesn't the error message reveal the URL?
0
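An added illustration of the point made in the comment above and of the memory question raised earlier in the thread. This is example code written for this page in Python's standard library; it is not the poster's ASP code, and the folder name, file name and token value are made up. The local server has two endpoints: `/redirect` does what `Response.Redirect` does, answering 302 with the real path in the `Location` header, which any client that does not follow redirects (a download manager, `curl -v`, a browser's network panel) can read back; `/stream` serves the same file in 64 KB chunks after checking the token, so memory use stays bounded and the real path never leaves the server.

```python
"""Added example: a Response.Redirect-style 302 leaks the real file path in
its Location header, while chunked streaming does not.  Python stand-in for
the ASP discussed above; directory, file name and token are constructed."""
import http.client
import os
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample: a "secret" folder and file the server should not reveal.
SECRET_DIR = tempfile.mkdtemp(prefix="hidden_")
SECRET_FILE = os.path.join(SECRET_DIR, "report.zip")
with open(SECRET_FILE, "wb") as f:
    f.write(os.urandom(300_000))  # ~300 KB of binary payload
SECRET_URL_PATH = "/" + os.path.basename(SECRET_DIR) + "/report.zip"
TOKEN = "abc123"  # stands in for the encrypted querystring variable (assumed)
CHUNK = 64 * 1024  # read/write this much at a time instead of the whole file


class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        url = urlparse(self.path)
        if parse_qs(url.query).get("token") != [TOKEN]:
            self.send_error(403)
            return
        if url.path == "/redirect":
            # What Response.Redirect does: a 302 whose Location header
            # hands the real path to the client.
            self.send_response(302)
            self.send_header("Location", SECRET_URL_PATH)
            self.end_headers()
        elif url.path == "/stream":
            # Chunked delivery: bounded memory, path stays on the server.
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Disposition",
                             'attachment; filename="report.zip"')
            self.send_header("Content-Length", str(os.path.getsize(SECRET_FILE)))
            self.end_headers()
            with open(SECRET_FILE, "rb") as fh:
                while True:
                    block = fh.read(CHUNK)
                    if not block:
                        break
                    self.wfile.write(block)
        else:
            self.send_error(404)


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, path):
    """Client that does NOT follow redirects (like a download manager or
    curl -v).  Returns (status, headers as a lowercase dict, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers, body


def demo():
    srv = start_server()
    port = srv.server_address[1]
    status, headers, _ = fetch(port, f"/redirect?token={TOKEN}")
    status2, headers2, body = fetch(port, f"/stream?token={TOKEN}")
    srv.shutdown()
    srv.server_close()
    with open(SECRET_FILE, "rb") as fh:
        original = fh.read()
    return {
        "redirect_status": status,
        "leaked_location": headers.get("location"),   # the "hidden" path
        "stream_status": status2,
        "stream_headers_mention_dir": os.path.basename(SECRET_DIR) in str(headers2),
        "stream_bytes_match": body == original,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the run makes concrete. First, the leaked `Location` is not just visible, it is reusable: for the redirect to work at all the file must be web-reachable, so once the path is known the token check on the ASP page is bypassed entirely. Second, the memory problem with ADODB.Stream comes from reading the whole file into a variable before writing it; ADODB.Stream's `Read` accepts a byte count, so the same loop shape as `/stream` above (read a chunk, `Response.BinaryWrite` it, `Response.Flush`, repeat until `EOS`) keeps the token check on the actual delivery without holding the file in memory.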
 
alphabeataAuthor Commented:
Aaah.. of course!  So obvious as well!  Thanks GreenGhost, the download managers would be the culprits.  You get the points.  Thanks for all your help.
0
