
Fortify Scan For Classic Asp Application - Issue


Hello All,

We have a classic ASP application that has the code below to open files.

Dim Connection

If fn_gblnCreateConnection(Connection) = false Then
    Response.Redirect("../../Global/error.asp")
End if

' Look up the content file name in the database
Set RS = Connection.Execute(SQLStmt)

if RS.EOF then
    fileName = default_filename
else
    fileName = rtrim(ltrim(RS("content_file")))
end if

' Build the full path from the folder and the file name
strTextFile = strFolder & fileName

'-- Create and Open File System Object
set fso = CreateObject("Scripting.FileSystemObject")
set bodyFile = fso.OpenTextFile(strTextFile)
strBodyText = bodyFile.readAll

Select Case Err.number
    Case 0 'Do Nothing
    Case Else
        Response.Redirect(error_url)
End Select

' Keep only the markup between <BODY ...> and </BODY>
strBodyTest = ucase(strBodyText)

if instr(strBodyTest,"<BODY") then
    strBodyText = mid(strBodyText,instr(strBodyTest,"<BODY")+1,len(strBodyTest)-instr(strBodyTest,"<BODY"))
    strBodyText = mid(strBodyText,instr(strBodyText,">")+1,len(strBodyText)-instr(strBodyTest,">"))
end if

if instr(strBodyTest,"</BODY") then
    strBodyTest = ucase(strBodyText)
    strBodyText = mid(strBodyText,1,instr(strBodyTest,"</BODY")-1)
end if

%>

We recently were asked to change the functionality to open files, as there is a risk of attack. How do I change the code to make sure to prevent attacks?
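
An added example, not part of the original post: one way to address the path manipulation finding a scanner typically raises on `strFolder & fileName` is to allow-list the file name and confirm that the canonical path stays inside the content folder before opening it. `fn_SafeContentPath` is a hypothetical helper, the permitted extensions are an assumption, and `strFolder`, `fileName` and `error_url` are the variables from the snippet above, with `strFolder` assumed to be a fixed server-side path.

```vbscript
<%
' Added example (not the poster's code). fn_SafeContentPath is a hypothetical
' helper; the extension allow-list below is an assumption to adjust per site.
Function fn_SafeContentPath(fso, baseFolder, rawName)
    Dim re, cleanName, baseFull, candidate
    fn_SafeContentPath = ""                       ' empty string means "rejected"

    cleanName = Trim(rawName & "")                ' & "" turns a Null field into ""

    ' Allow-list the name: no slashes, no drive letters, no "..", one known extension.
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]{1,64}\.(htm|html|txt)$"
    re.IgnoreCase = True
    If Not re.Test(cleanName) Then Exit Function

    ' Canonicalise both paths and require the result to stay under the base folder.
    baseFull = fso.GetAbsolutePathName(baseFolder)
    If Right(baseFull, 1) <> "\" Then baseFull = baseFull & "\"
    candidate = fso.GetAbsolutePathName(fso.BuildPath(baseFull, cleanName))
    If StrComp(Left(candidate, Len(baseFull)), baseFull, vbTextCompare) <> 0 Then Exit Function

    ' Only hand back paths that already exist as files.
    If Not fso.FileExists(candidate) Then Exit Function

    fn_SafeContentPath = candidate
End Function

Const ForReading = 1
Dim safePath

Set fso = CreateObject("Scripting.FileSystemObject")
safePath = fn_SafeContentPath(fso, strFolder, fileName)

If safePath = "" Then
    Response.Redirect(error_url)                  ' reject instead of opening
End If

' Open read-only and never create the file if it is missing.
Set bodyFile = fso.OpenTextFile(safePath, ForReading, False)
strBodyText = bodyFile.ReadAll
bodyFile.Close
%>
```

The same check applies to `default_filename`, since it passes through the helper as well; the value written to `content_file` should also be validated at the point where it is stored.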

