安全实施,允许用户上传Excel文档

时间:2021-10-28 05:04:45

I currently have a website (ASP.NET 3.5, IIS 7.0) that allows users to upload Excel files for processing.

我目前有一个网站(ASP.NET 3.5,IIS 7.0),允许用户上传Excel文件进​​行处理。

Should I be concerned with viruses and malicious code being executed when the document is opened?

我是否应该关注文档打开时执行的病毒和恶意代码?

We are currently using the .NET Office.Interop assemblies to fetch the information from the document. The information isn't exactly tabular and requires a little bit of interrogation to get it into the required format.

我们目前正在使用.NET Office.Interop程序集从文档中获取信息。这些信息并不完全是表格式的,需要进行一些询问才​​能使其达到所需的格式。

Once the document has been uploaded it will be stored in the database, only when the document is inspected is it written to disk.

文档上传后,它将存储在数据库中,只有在检查文档时才将其写入磁盘。

Are there any recommendations that would provide a secure implementation?

是否有任何可以提供安全实施的建议?

2 个解决方案

#1


2  

Using the xlsx (Open XML) file format will be safer than using xls or xlsm since xlsx workbooks cannot contain macros.

使用xlsx(Open XML)文件格式比使用xls或xlsm更安全,因为xlsx工作簿不能包含宏。

You might consider using a pure .NET component which does not use COM Interop or any native calls and does not require FullTrust. SpreadsheetGear for .NET is an example of such a component.

您可以考虑使用纯.NET组件,该组件不使用COM Interop或任何本机调用,也不需要FullTrust。 SpreadsheetGear for .NET就是这样一个组件的一个例子。

Disclaimer: I own SpreadsheetGear LLC

免责声明:我拥有SpreadsheetGear LLC

#2


0  

Sanitizing is the only way to be sure. Since it's not simply form input, you want to take extra precautions. The simplest method I can imagine is to nuke any binary-indicators, like control-characters.

消毒是唯一可靠的方法。由于它不仅仅是表单输入,因此您需要采取额外的预防措施。我能想象到的最简单的方法是核对任何二进制指示符,比如控制字符。

As far as best practices, you can't really tell your users "Please don't hack me", so you have to have a certain level of trust (or give up on Excel files)... I would say if the first pass picks up any binary flags, incinerate it and throw a fairly obtuse error like "error in file format", etc.

至于最佳做法,你不能真正告诉你的用户“请不要破解我”,所以你必须有一定程度的信任(或放弃Excel文件)...我会说如果第一个pass拾取任何二进制标志,焚烧它并抛出一个相当钝的错误,如“文件格式错误”等。

But of course, your users will murder you they ever get that error for a good file.

但是,当然,你的用户会谋杀你,他们会得到一个好文件的错误。

#1


2  

Using the xlsx (Open XML) file format will be safer than using xls or xlsm since xlsx workbooks cannot contain macros.

使用xlsx(Open XML)文件格式比使用xls或xlsm更安全,因为xlsx工作簿不能包含宏。

You might consider using a pure .NET component which does not use COM Interop or any native calls and does not require FullTrust. SpreadsheetGear for .NET is an example of such a component.

您可以考虑使用纯.NET组件,该组件不使用COM Interop或任何本机调用,也不需要FullTrust。 SpreadsheetGear for .NET就是这样一个组件的一个例子。

Disclaimer: I own SpreadsheetGear LLC

免责声明:我拥有SpreadsheetGear LLC

#2


0  

Sanitizing is the only way to be sure. Since it's not simply form input, you want to take extra precautions. The simplest method I can imagine is to nuke any binary-indicators, like control-characters.

消毒是唯一可靠的方法。由于它不仅仅是表单输入,因此您需要采取额外的预防措施。我能想象到的最简单的方法是核对任何二进制指示符,比如控制字符。

As far as best practices, you can't really tell your users "Please don't hack me", so you have to have a certain level of trust (or give up on Excel files)... I would say if the first pass picks up any binary flags, incinerate it and throw a fairly obtuse error like "error in file format", etc.

至于最佳做法,你不能真正告诉你的用户“请不要破解我”,所以你必须有一定程度的信任(或放弃Excel文件)...我会说如果第一个pass拾取任何二进制标志,焚烧它并抛出一个相当钝的错误,如“文件格式错误”等。

But of course, your users will murder you they ever get that error for a good file.

但是,当然,你的用户会谋杀你,他们会得到一个好文件的错误。