OK, I will try to solve it :)

So there is the nice Server method Server.MapPath, which gives you the current working directory. So the path is then current_dir\dirname.

Are you scared that someone can use it to get out of the server directory and list your local folders? Well, OK, Directory Traversal (that is the name of the exploit) is really very well known and I don't think that .NET would allow you to do this. If you don't trust me, just try it yourself, or instead of MapPath use your constant.

2009/7/1 nag <[email protected]>
>
> Hi,
> I'm listing files from a directory. Here is my code.
> I feel it's not secure code.
> If anyone knows secure code, please let me know.
>
> void Page_Load(object sender, EventArgs e)
> {
>     string dirname = Session["projectid"].ToString();
>
>     string Path = Server.MapPath(".") + "\\" + dirname;
>
>     DirectoryInfo dirInfo = new DirectoryInfo(Path);
>
>     articleList.DataSource = dirInfo.GetFiles("*.*");
>     articleList.DataBind();
> }
>
> <asp:DataGrid runat="server" id="articleList" Font-Name="Verdana"
>     AutoGenerateColumns="False" AlternatingItemStyle-BackColor="#eeeeee"
>     HeaderStyle-BackColor="Navy" HeaderStyle-ForeColor="White"
>     HeaderStyle-Font-Size="15pt" HeaderStyle-Font-Bold="True">
>   <Columns>
>     <asp:HyperLinkColumn DataNavigateUrlField="Name" DataTextField="Name"
>         HeaderText="File Name" />
>     <asp:BoundColumn DataField="LastWriteTime" HeaderText="Last Write Time"
>         ItemStyle-HorizontalAlign="Center" DataFormatString="{0:d}" />
>     <asp:BoundColumn DataField="Length" HeaderText="File Size"
>         ItemStyle-HorizontalAlign="Right"
>         DataFormatString="{0:#,### bytes}" />
>   </Columns>
> </asp:DataGrid>
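
A containment check for the listing code in the quoted message, as an added example that is not part of the original thread: it resolves the session-supplied folder name against a root and rejects anything that lands outside it. `SafeListing`, `ResolveUnderRoot` and the sample inputs are hypothetical names and constructed values; the case-insensitive comparison assumes a Windows file system.

```csharp
using System;
using System.IO;

// Added example; SafeListing and ResolveUnderRoot are hypothetical names.
static class SafeListing
{
    // Returns the full path of 'name' below 'root', or null when the
    // resolved path is the root itself or lies outside it.
    public static string ResolveUnderRoot(string root, string name)
    {
        if (string.IsNullOrEmpty(name)) return null;
        try
        {
            // Normalise the root so it always ends in exactly one separator.
            string rootFull = Path.GetFullPath(root)
                .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                + Path.DirectorySeparatorChar;

            // Path.Combine drops 'root' when 'name' is rooted, and
            // GetFullPath collapses ".." segments, so compare the result.
            string candidate = Path.GetFullPath(Path.Combine(rootFull, name));

            // The trailing separator stops "...\app2" matching root "...\app".
            // Assumption: case-insensitive file system (Windows).
            return candidate.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase)
                ? candidate
                : null;
        }
        catch (ArgumentException) { return null; }      // illegal characters
        catch (NotSupportedException) { return null; }  // malformed path syntax
        catch (PathTooLongException) { return null; }
    }

    static void Main()
    {
        // Constructed root and inputs, for demonstration only.
        string root = Path.Combine(Path.GetTempPath(), "listing-demo");
        Directory.CreateDirectory(Path.Combine(root, "project42"));

        foreach (string name in new[] { "project42", @"..\..", @"C:\Windows", "project42/../.." })
        {
            string resolved = ResolveUnderRoot(root, name);
            Console.WriteLine("{0,-20} -> {1}", name, resolved ?? "rejected");
        }
    }
}
```

In the page, the root would be `Server.MapPath(".")` and the name `Session["projectid"].ToString()`; bind the grid only when the result is non-null.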
