Does using response.redirect to download files reveal download location?

Posted on 2003-10-22
Last Modified: 2012-08-13
Hi,

I am developing an ASP app that downloads files from a hidden folder.  I was wondering if just using the command response.redirect (folder/filename) would be sufficient enough to prevent the download folder location from being revealed in the browser?

I have tested this on my server and so far it seems to work fine (i.e. the file downloads with no reference to its folder location) but does anyone know if this is 100% compatible with all browsers or whether there is a way a user could 'force reveal' the download path?

I did originally use ADODB.Stream to deliver the file but I understand there are memory limitations on downloading binary files in this way which is not suitable for my app.  I hope you can help!

Question by:alphabeata

Expert Comment

by:ap_sajith
ID: 9597421
I think it might not be safe enough. Did you try clicking on the stop button on the browser once the response.redirect actually kicks in? Or did you try how it would perform if there is a broken network connection once the redirect is called? I haven't tested it out... just a hunch. I would suggest using the ADODB.Stream & FSO method of forcing a download as long as the file size is not astronomical :o).

Cheers!!

Author Comment

by:alphabeata
ID: 9597668
The ADODB.Stream and FSO method is what I am currently using and it works well but I do not want to place any restrictions on the file download size.  I understand that the buffer stream is limited server side so any file download request over that limit would fail.

I know that if you do a response.redirect to a music file it starts playing in your default player (e.g. Windows Media Player) and it is possible to view the download location via the information that the player contains.  However I have tried it with Zip files and I cannot see any reference to the true file location.

I will try to stop a download of a large file halfway through and see if it reveals the download location.  I'll post my results here.

Author Comment

by:alphabeata
ID: 9597896
OK, I tried using the ADODB.Stream and FSO method on a binary file over 30MB in size and it completely froze on me so that's out of the question (and I'm on a T1 connection!).  Using the 'response.redirect' method creates a much more stable download easily capable of handling large binary files.  I tried to stop the download by cancelling it from the dialog box and it still didn't reveal the download folder location.

So back to my original question - does anybody know whether a user can determine the download path from a response.redirect (folder/filename)?

Expert Comment

by:ap_sajith
ID: 9598077
There are no issues with the redirect method, I suppose.

Cheers!!

Expert Comment

by:Gary
ID: 9598217
Even if they find the original location, what's the problem?  If the folder is hidden then it's not accessible through a browser.

Expert Comment

by:Göran Andersson
ID: 9598740
Certainly a user can determine the location of the file.

I think that this will show the address: Copy the URL of the original link, and paste that in a browser window. The server runs the page and returns the new address to the browser. The address of the "hidden" folder should be visible in the address field.

How do you use the ADODB.Stream to read the file? Do you read the entire file into a variable before writing it to the response stream? That would most certainly kill the server if the file size is larger than the free memory on the server...

Expert Comment

by:Göran Andersson
ID: 9598752
> Even if they find the original location, what's the problem?  If the folder is hidden then it's not accessible through a browser.

To use Response.Redirect, the file has to be accessible through a browser.

Author Comment

by:alphabeata
ID: 9599181
Sorry, by hidden I mean not known to the user and not published as a link on the website.  I want it to remain a secret.  The folder's attribute is not set to 'hidden'.

I have copied and pasted the URL of the original link into a browser window (which calls an ASP page with encrypted variables in the querystring to determine the file location) and using response.redirect the folder/file location is not revealed in the browser but immediately opens up a file download dialog box prompting the user to open or save the file.

This is fine as it is the desired result I am looking for, however I need to know if a user could bypass this or in any way reveal the full download URL?


Accepted Solution

by:
Göran Andersson earned 125 total points
ID: 9602405
As the redirected URL is sent to the browser, it's certainly possible to reveal it.

For example, there are download managers that take over the downloads from the browser. The browser sends the URL to the download manager to do the download. I bet some of the download managers reveal the full URL of the file. Also, you could make a fake download manager that only receives the URL from the browser and displays it.

That was one example. I bet there are even easier ways of doing it...

Don't some browsers show the URL in the download status window even? If you pull the network cable during the download, doesn't the error message reveal the URL?

Author Comment

by:alphabeata
ID: 9604879
Aaah.. of course!  So obvious as well!  Thanks GreenGhost, the download managers would be the culprits.  You get the points.  Thanks for all your help.
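
One way to serve the file with no redirect at all, so that no folder URL reaches the browser or a download manager as the accepted answer describes, while writing the response in chunks instead of in one piece. This is an added Classic ASP example, not code posted by anyone in the thread; the folder path, the ID-to-file table, the chunk size and the timeout are assumptions.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit

' Assumed values, not from the thread. The folder sits outside the web root,
' so IIS cannot serve it directly and there is no URL to leak.
Const PRIVATE_DIR = "D:\private_downloads\"   ' placeholder path
Const CHUNK_SIZE = 65536                       ' bytes per write
Const adTypeBinary = 1

Dim files, id, stream

' Map opaque IDs to file names so user input never becomes part of a path.
Set files = Server.CreateObject("Scripting.Dictionary")
files.Add "a1", "release.zip"                  ' constructed sample entry

id = Request.QueryString("id")
If Not files.Exists(id) Then
    Response.Status = "404 Not Found"
    Response.End
End If

Response.Buffer = False          ' send each chunk as soon as it is written
Server.ScriptTimeout = 3600      ' seconds; lets slow clients finish large files

Set stream = Server.CreateObject("ADODB.Stream")
stream.Open
stream.Type = adTypeBinary
stream.LoadFromFile PRIVATE_DIR & files(id)

Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & files(id) & """"
Response.AddHeader "Content-Length", CStr(stream.Size)

' Write fixed-size chunks and stop early if the client disconnects.
Do While Not stream.EOS And Response.IsClientConnected
    Response.BinaryWrite stream.Read(CHUNK_SIZE)
Loop

stream.Close
Set stream = Nothing
%>
```

The browser only ever sees the URL of this ASP page; any access check the site needs belongs at the top of the script, before the file is opened.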