
Additional security considerations for the input file component #33850

Open
javiercn opened this issue Oct 15, 2024 · 2 comments · May be fixed by #33693
Labels: aspnet-core/svc, blazor/subsvc, Blazor, Pri1 (High priority, do before Pri2 and Pri3)

Comments


javiercn commented Oct 15, 2024

Description

Include a section about security considerations for https://learn.microsoft.com/en-us/aspnet/core/blazor/file-uploads?view=aspnetcore-8.0#file-size-read-and-upload-limits

In addition to the section mentioned in the article above about limits, we should add a Security Considerations section to cover https://learn.microsoft.com/en-us/aspnet/core/mvc/models/file-uploads?view=aspnetcore-8.0#file-name-security and to explicitly call out avoiding the usage of the Size property in the IBrowserFile instance to impose a limit on the file size. (In other words, no file.OpenReadStream(file.Size))

Page URL

https://learn.microsoft.com/en-us/aspnet/core/blazor/file-uploads?view=aspnetcore-8.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/file-uploads.md

Document ID

c11d981c-05af-c19d-a333-feedd5978639

Article author

@guardrex

Related Issues
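An added illustration of the two points raised above (not code from the issue, the linked PR, or the docs article): a Blazor `InputFile` handler that passes a server-defined limit to `OpenReadStream` instead of the client-reported `file.Size`, and that never uses the client-supplied file name for storage. `MaxFileSize`, `SafeUploadHandler` and the upload root path are assumptions.

```csharp
using System;
using System.IO;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.Forms;

// Added example, not the project's own code.
public class SafeUploadHandler
{
    // Server-side limit (assumed value: 15 MB). This is the only size the server trusts.
    private const long MaxFileSize = 15 * 1024 * 1024;

    // Assumed directory outside the web root; resolve it from configuration in real code.
    private readonly string _trustedUploadRoot;
    private readonly int _maxFiles;

    public SafeUploadHandler(string trustedUploadRoot, int maxFiles = 3)
    {
        _trustedUploadRoot = trustedUploadRoot;
        _maxFiles = maxFiles;
    }

    public async Task HandleAsync(InputFileChangeEventArgs e)
    {
        foreach (var file in e.GetMultipleFiles(_maxFiles))
        {
            // file.Size and file.Name are reported by the browser and are attacker-controlled.
            // Do NOT write file.OpenReadStream(file.Size): a client could report any size.
            // Passing the server limit makes the stream throw IOException past MaxFileSize.
            var trustedName = Path.GetRandomFileName(); // storage name never derived from file.Name
            var destination = Path.Combine(_trustedUploadRoot, trustedName);

            // If the original name must be shown (UI, logs), HTML-encode it first.
            var displayName = WebUtility.HtmlEncode(file.Name);

            try
            {
                await using var source = file.OpenReadStream(MaxFileSize);
                await using var target = new FileStream(destination, FileMode.CreateNew);
                await source.CopyToAsync(target);
            }
            catch (IOException ex)
            {
                // Reached when the file exceeds MaxFileSize or the disk write fails.
                Console.Error.WriteLine($"Upload of '{displayName}' rejected: {ex.Message}");
            }
        }
    }
}
```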


@guardrex guardrex added Pri1 High priority, do before Pri2 and Pri3 and removed Source - Docs.ms Docs Customer feedback via GitHub Issue labels Oct 15, 2024
@guardrex guardrex linked a pull request Oct 16, 2024 that will close this issue

guardrex commented Oct 16, 2024

I'm adding this to the existing File Uploads article PR.

That PR should be merged fairly soon. I'm just waiting to hear back how it should address request streaming for non-Chromium browsers.

AND BTW ... I mention that we never showed how to use HTTP Ranges for large file uploads. We say to do it, but we provide no example. It's relevant for two scenarios now ...

  • Prior to request streaming/9.0, we should show it because it's the recommendation. The Web doesn't seem to have good examples for HTTP Ranges custom code.
  • For request streaming/9.0, we need it for the failover when the client is a non-Chromium browser.

This is all discussed in the PR's opening remarks.
