06-23-2023, 04:46 AM
(This post was last modified: 06-23-2023, 04:47 AM by Alexandre Machado.)
I believe they flagged it because you are using the wwwroot folder as a temporary repository of files. In that case, I agree with the assessment. The wwwroot folder is not a safe folder for storing temporary files. Anyone knowing the file name can download the file depending on the MIME type (e.g. PDF, zip, etc. can be downloaded without any security check). So in theory, a person in SessionA can guess and download a file that belongs to SessionB.
You should move the uploaded files to a different directory (not a subdirectory of wwwroot) and possibly also the downloaded files. In case of file downloads you can use the IntraWeb cache feature to make them available only to the session that needs it.


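The pattern described in this answer (temporary files kept outside wwwroot, and downloads gated by the owning session), as an added Python illustration of the idea rather than IntraWeb's own API or cache feature. The directory locations and the `SessionFileStore` class are constructed for the example.

```python
import os
import secrets
import tempfile

# Constructed locations for this illustration: a web root that the server
# serves directly, and a separate upload directory that is NOT under it.
WWWROOT = os.path.join(tempfile.gettempdir(), "iw_demo_wwwroot")
UPLOAD_DIR = tempfile.mkdtemp(prefix="iw_demo_uploads_")


def is_under_wwwroot(path: str) -> bool:
    """True if `path` resolves inside wwwroot, i.e. the web server could
    hand it out to anyone who knows (or guesses) the file name."""
    root = os.path.realpath(WWWROOT)
    return os.path.commonpath([os.path.realpath(path), root]) == root


class SessionFileStore:
    """Hypothetical per-session file store: files live outside wwwroot and are
    reachable only through an unguessable token bound to the owning session."""

    def __init__(self) -> None:
        self._entries = {}  # token -> (session_id, absolute path on disk)

    def store(self, session_id: str, data: bytes) -> str:
        if is_under_wwwroot(UPLOAD_DIR):
            raise RuntimeError("refusing to keep temporary files under wwwroot")
        token = secrets.token_urlsafe(32)  # 256 random bits, unlike a guessable file name
        path = os.path.join(UPLOAD_DIR, token)
        with open(path, "wb") as fh:
            fh.write(data)
        self._entries[token] = (session_id, path)
        return token

    def fetch(self, session_id: str, token: str):
        """Return the file bytes only to the session that stored it; None otherwise."""
        entry = self._entries.get(token)
        if entry is None or entry[0] != session_id:
            return None  # unknown token, or a different session asking for it
        with open(entry[1], "rb") as fh:
            return fh.read()
```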