Image Resizer 1.0 - Web.config

The image resizer integrates with ASP.NET's URL authorization system quite well. It can't be exploited to access protected files, because it is simply a normal Jpeg/Png/Gif handler. However, we only want the handler to execute for files that actually need resizing - if possible we want control to pass back to IIS 6 for performance gains. Since we only want some .jpg requests to go to the handler, we need to do some logic before we assign a handler. In IIS 6 and IIS 7 Classic Pipeline mode, we need to drop in a CustomDefaultHandler at the bottom of the httpHandlers list.
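<httpHandlers>
  <!-- <clear/> discards every handler mapping inherited from machine.config and the
       root web.config. That means this list has to be complete on its own: an extension
       that is not named below is not forbidden anywhere and falls through to the
       catch-all "*" entries at the bottom. -->
  <clear/>

  <!-- Standard ASP.NET handlers. Entries are matched top to bottom and the first
       matching path/verb pair wins, so specific paths (trace.axd, WebResource.axd)
       sit above the broader *.axd rule. -->
  <add path="trace.axd" verb="*" type="System.Web.Handlers.TraceHandler" validate="true"/>
  <add path="WebResource.axd" verb="GET" type="System.Web.Handlers.AssemblyResourceLoader" validate="true"/>
  <add path="*.axd" verb="*" type="System.Web.HttpNotFoundHandler" validate="true"/>
  <add path="*.aspx" verb="*" type="System.Web.UI.PageHandlerFactory" validate="true"/>
  <add path="*.ashx" verb="*" type="System.Web.UI.SimpleHandlerFactory" validate="true"/>
  <add path="*.asmx" verb="*" type="System.Web.Services.Protocols.WebServiceHandlerFactory, System.Web.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" validate="false"/>
  <add path="*.rem" verb="*" type="System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory, System.Runtime.Remoting, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" validate="false"/>
  <add path="*.soap" verb="*" type="System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory, System.Runtime.Remoting, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" validate="false"/>
  <add path="*.svc" verb="*" type="System.ServiceModel.Activation.HttpHandler, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" validate="false"/>

  <!-- Forbidden extensions: source, project, designer and database files that may live
       under the web root but must never be served. I've added a lot here, such as
       .swp, .sln, .suo, .bak, and .db. This is a denylist, so any extension not listed
       (other editor backups, logs, dumps, renamed copies) still reaches the catch-all
       below; extend this list whenever a new file type lands in the web root.
       NOTE(review): on IIS 6 / Classic pipeline these rules only see requests that IIS
       has already routed to ASP.NET; anything IIS serves itself bypasses them, so the
       IIS-side extension mapping needs to match this list. -->
  <add path="*.asax" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.ascx" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.master" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.skin" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.browser" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.sitemap" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>

  <!-- Deliberate exception: *.dll.config and *.exe.config are served as static files,
       read-only verbs only. They must stay above the *.config rule, otherwise the
       forbidden handler matches first. NOTE(review): such files can carry the same
       kind of settings as web.config; confirm that exposing them is intended. -->
  <add path="*.dll.config" verb="GET,HEAD" type="System.Web.StaticFileHandler" validate="true"/>
  <add path="*.exe.config" verb="GET,HEAD" type="System.Web.StaticFileHandler" validate="true"/>
  <add path="*.config" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>

  <add path="*.cs" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.csproj" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.vb" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.vbproj" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.webinfo" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.licx" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.resx" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.resources" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.mdb" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.vjsproj" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.java" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.jsl" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.ldb" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.ad" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.dd" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.ldd" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.sd" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.cd" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.adprototype" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.lddprototype" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.sdm" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.sdmDocument" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.mdf" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.ldf" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.exclude" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.refresh" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.db" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.bak" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.swp" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.sln" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
  <add path="*.suo" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>

  <!-- robots.txt is the one .txt file that is served; it must precede the *.txt rule.
       I've also added .txt to prevent my todo files and readme files from being
       accessible. If you want to serve .txt files, remove the *.txt line. -->
  <add path="robots.txt" verb="*" type="System.Web.StaticFileHandler" validate="true"/>
  <add path="*.txt" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>

  <!-- Catch-all. Every request not matched above goes to CustomDefaultHandler for
       GET/HEAD/POST (the handler type itself is defined outside this file); any other
       verb is answered by HttpMethodNotAllowedHandler. Because of the first-match rule
       these two entries have to remain the last ones in the list. -->
  <add path="*" verb="GET,HEAD,POST" type="fbs.Handlers.CustomDefaultHandler" validate="true"/>
  <add path="*" verb="*" type="System.Web.HttpMethodNotAllowedHandler" validate="true"/>
</httpHandlers>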


About Nathanael

Nathanael Jones is a software engineer, father, consultant, and computer linguist with unreasonably high expectations of inanimate objects. He refines .NET, ruby, and javascript libraries full-time at Imazen, but can often be found on stack overflow or participating in W3C community groups.

ImageResizer

If you develop websites, and those websites have images, ImageResizer can make your life much easier. Find out more at imageresizing.net.

Imazen

I run Imazen, a tiny software company that specializes in web-based image processing and other difficult engineering problems. I spend most of my time writing image-processing code in C#, web apps in Ruby, and documentation in Markdown. Check out some of my current projects.
