I'm trying to create an asp.net solution where users can upload a file to my web server. I then detect the upload using a filewatcher on another machine that watched the network path. This other machine, the app server, works on the file and produces an output file that gets dropped back on the web server and the user is free to download the results.
I have this up and running in my development environment and it works well. My problem is that I have spoken to several folks in the IT sector that have told me that no sane organization would ever allow me to deploy an application like this. They claim that there are too many security implications involved in file upload.
I know from my end as a developer I can't limit the kinds of files that get uploaded. I can detect the file extension after it has been uploaded but the extension is not a true indicator of the file (i change extensions all the time to pass files through email filters). So I don't have a whole lot of control over what gets uploaded.
What we do have is a secure environment with ssl, win authorization and authentication and logging. So we SHOULD have good users doing good things and we will know if this is not the case. But I think IT folks tend to look at things differently. The way they see it they expect the worse out of folks and plan for it. But even if a user were to upload a malicious file, how would they execute it and what would it do?
Am I being foolish to think that I can deploy this application?
I have this up and running in my development environment and it works well. My problem is that I have spoken to several folks in the IT sector that have told me that no sane organization would ever allow me to deploy an application like this. They claim that there are too many security implications involved in file upload.
I know from my end as a developer I can't limit the kinds of files that get uploaded. I can detect the file extension after it has been uploaded but the extension is not a true indicator of the file (i change extensions all the time to pass files through email filters). So I don't have a whole lot of control over what gets uploaded.
What we do have is a secure environment with ssl, win authorization and authentication and logging. So we SHOULD have good users doing good things and we will know if this is not the case. But I think IT folks tend to look at things differently. The way they see it they expect the worse out of folks and plan for it. But even if a user were to upload a malicious file, how would they execute it and what would it do?
Am I being foolish to think that I can deploy this application?