Issue/Solution with search, fear on htmleditor/uploader

Topics: Developer Forum
Dec 13, 2006 at 6:21 AM
Hello,

I had problems searching for "Öl", there were only results on searching for "ö
Dec 13, 2006 at 6:23 AM
I meant I only found results by searching for "öl" instead of searching for the two simple chars Öl.
Coordinator
Dec 13, 2006 at 2:59 PM
Hi,

Thanks for the feedback. I will transform this into an issue.
And I am actually very sensitive about the term ‘security issue’. But I don’t see an immediate threat. What is the risk you are thinking of?

The images are stored in a subfolder of App_Data. ASP.NET 2.0 disables all direct access to any data in App_Data. The only way to read/write data in App_Data is through a page, which is running in the context of the ASPNET Worker thread (NETWORK SERVICE on Windows 2003 Server). Therefore you can only access the images through the special handler (ImageHandler.ashx) and/or through the FCK Edit control.

Urs
Coordinator
Dec 13, 2006 at 3:00 PM
This discussion has been copied to Work Item 6468. You may wish to continue further discussion there.
Coordinator
Dec 15, 2006 at 7:56 AM
Hi,

I thought again about the 'security issue' thing related to the pictures in a page. And there is the following scenario:

1. I create a page without read access for anonymous users
2. I insert an HTML control into the new page
3. I upload a picture to the server using the FCK edit control
4. I insert the picture into my HTML part and save it
5. I copy the URL of the picture (properties) to the clipboard
6. I log out
7. I can't access the page anymore
8. I paste the URL of the picture into the address field
9. -> I can see the picture even if I am not authenticated.

This might be seen as a security issue. But actually it is somehow a behaviour, which is given by the nature of how the FCK edit control manages its pictures. All images in the store can be reused on all pages. Therefore there are different access rights in place - all pictures in the folder are open for reading by anonymous users.

Urs
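
The scenario in the last post ends with a logged-out user fetching the image by URL. As an added example (not part of the thread and not the project's ImageHandler.ashx), this is one way an ASP.NET 2.0 handler in front of an App_Data image store could refuse anonymous requests. The class name, the `~/App_Data/Images/` folder and the `file` query parameter are assumptions, and because the thread notes that images are shared across pages, the check is "any authenticated user" rather than per-page rights.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical handler for illustration; not the project's ImageHandler.ashx.
public class AuthenticatedImageHandler : IHttpHandler
{
    // Assumed store location and query parameter name.
    private const string StoreVirtualPath = "~/App_Data/Images/";
    private const string FileParameter = "file";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Step 9 of the scenario ends here: a logged-out caller gets no image.
        if (!context.Request.IsAuthenticated) { Fail(context, 401); return; }

        // Accept a bare file name only, so the request cannot leave the store.
        string name = context.Request.QueryString[FileParameter];
        if (string.IsNullOrEmpty(name) ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        { Fail(context, 400); return; }

        // Serve only known image types, with a fixed content type for each.
        string contentType = ContentTypeFor(Path.GetExtension(name));
        string fullPath = Path.Combine(context.Server.MapPath(StoreVirtualPath), name);
        if (contentType == null || !File.Exists(fullPath)) { Fail(context, 404); return; }

        context.Response.ContentType = contentType;
        // Keep protected images out of shared caches.
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        context.Response.TransmitFile(fullPath);
    }

    private static string ContentTypeFor(string extension)
    {
        switch (extension.ToLowerInvariant())
        {
            case ".gif": return "image/gif";
            case ".jpg": case ".jpeg": return "image/jpeg";
            case ".png": return "image/png";
            default: return null;
        }
    }

    private static void Fail(HttpContext context, int status)
    {
        context.Response.StatusCode = status;
    }
}
```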