I forgot to mention that there are also special directories in ASP.NET that generally cannot be browsed, e.g. App_Data and App_Code (there are more). App_Data seems to be the “designated” directory to put files that should under no circumstances be downloadable (e.g. file deployed SQL server databases).
Yesterday I showed the HttpForbiddenHandler which will emit a HTTP 403 – this leaks information, namely that the file exists but the client is not authorized to view it, better would be to generate a generic 404 (not found) status code.
Here – they suggest to use the HttpNotFoundHandler. Unfortunately this handler is internal and cannot be used by your code (at least on RC1). It is easy to write your own handler to accomplish the same task.
public class NotFoundHandler : IHttpHandler
{
public bool IsReusable
{
get { return true; }
}
public void ProcessRequest(HttpContext context)
{
throw new HttpException(404, context.Request.Path + ” not found”);
}
}
Put that e.g. in App_Code and add the following to web.config:
<httpHandlers>
<add path=“*.xml“ verb=“*“ type=“NotFoundHandler, App_Code“ validate=“True“ />
</httpHandlers>
When you now try to browse a .xml file, you will get a nice generic “the resource cannot be found”.
UPDATE: HttpNotFoundHandler is internal and cannot be used from end-user code, nevetheless it can be used in config. So i was wrong.
leastprivilege.com 