This article explains how to keep the RadAsyncUpload configuration that is passed between the client and the server encrypted and tamper-proof, so that it can be neither read nor modified by an attacker and used against the server.
Configuration information includes the temporary and target folders on the server and the allowed file extensions.
There are two appSettings keys you should add to your web.config to ensure information security with file uploads:
* set a custom Telerik.AsyncUpload.ConfigurationEncryptionKey
* set a custom Telerik.Upload.ConfigurationHashKey
If you do not set any custom keys, default (hardcoded) values are used to encrypt/decrypt the information, and anyone who knows those defaults can produce or alter it.
As of R2 2017 SP1, hardcoded keys are not used anymore; standard .NET methods are used for encryption instead. Nevertheless, you should still set your own unique custom keys. You can use the IIS MachineKey Validation Key generator to obtain them (omit the trailing ,IsolateApps portion that the generator appends).
Other cryptographic operations in the UI for ASP.NET AJAX suite may also use these two keys. Telerik avoids adding more keys in order to improve backwards compatibility of your applications and to reduce the number of properties you have to set.
As an added security measure, as of R2 2017 SP2, you can disable file uploads for your application via the Telerik.Web.DisableAsyncUploadHandler key web.config switch.
To provide secure encryption of the control configuration, we strongly advise that you set a custom encryption key for Telerik.AsyncUpload.ConfigurationEncryptionKey. Replace the placeholder with a long random value of your own; because the value is an XML attribute, characters such as & must be escaped (as &amp;) or left out:

<appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR-FIRST-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />
</appSettings>
Telerik.AsyncUpload.ConfigurationEncryptionKey is available as of Q3 2012 SP1 (version 2012.3.1205).
As of R1 2017, the Encrypt-then-MAC approach is implemented in order to protect the integrity of the encrypted temporary and target folder values.
The additional Telerik.Upload.ConfigurationHashKey key is used to compute a keyed hash over the encrypted text. The value returned from the client is checked for integrity in the upload handler before it is decrypted. If the hash does not match, the handler throws a CryptographicException("The hash is not valid!") and the configuration is not used.
<appSettings>
    <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR-SECOND-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />
</appSettings>
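The script below is an added example, not Telerik's code, and models what the two keys buy you. It uses a stand-in cipher (HMAC-SHA256 in counter mode, since the page does not document the control's actual cipher), an assumed token layout of nonce || ciphertext || tag, and a constructed configuration string. It shows three things: with encryption alone a client can rewrite the target folder without knowing any key; Encrypt-then-MAC with a separate hash key rejects that same edit with "The hash is not valid!"; and if the keys are ones an attacker knows (such as shipped defaults), the MAC is no obstacle because a valid token for any folder can simply be minted. It also renders the two appSettings entries with proper XML attribute escaping.

```python
import hashlib
import hmac
import os
import secrets
from xml.sax.saxutils import quoteattr


class CryptographicException(Exception):
    """Same name as the exception the upload handler throws on a bad hash."""


def generate_keys():
    """Two independent 256-bit keys, hex-encoded, one per appSettings entry."""
    return {
        "Telerik.AsyncUpload.ConfigurationEncryptionKey": secrets.token_hex(32),
        "Telerik.Upload.ConfigurationHashKey": secrets.token_hex(32),
    }


def appsettings_xml(keys):
    """Render the appSettings fragment; quoteattr escapes &, < and quotes."""
    rows = "\n".join(f"  <add key={quoteattr(k)} value={quoteattr(v)} />" for k, v in keys.items())
    return f"<appSettings>\n{rows}\n</appSettings>"


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF stream cipher (assumed stand-in for
    # the real cipher). Malleability below holds for any cipher used without a MAC.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(enc_key, plaintext):
    """Returns nonce || ciphertext; no integrity protection at all."""
    nonce = os.urandom(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(enc_key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def seal(enc_key, hash_key, config):
    """Encrypt-then-MAC: the tag is computed over nonce || ciphertext."""
    blob = encrypt(enc_key, config)
    return blob + hmac.new(hash_key, blob, hashlib.sha256).digest()


def open_token(enc_key, hash_key, token):
    """Verify the tag in constant time before touching the ciphertext."""
    blob, tag = token[:-32], token[-32:]
    expected = hmac.new(hash_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise CryptographicException("The hash is not valid!")
    return decrypt(enc_key, blob)


def rewrite_field(blob, old, new, offset):
    """Attacker step: flip ciphertext bits so `old` decrypts as `new`.
    Needs no key, only the (predictable) plaintext layout."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the length")
    ct = bytearray(blob)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[16 + offset + i] ^= o ^ n
    return bytes(ct)


# Constructed sample of the data the token carries (not the real wire format).
CONFIG = b"TargetFolder=~/Uploads/;TempFolder=~/App_Data/RadUploadTemp/"


def demo():
    keys = generate_keys()
    ek = bytes.fromhex(keys["Telerik.AsyncUpload.ConfigurationEncryptionKey"])
    hk = bytes.fromhex(keys["Telerik.Upload.ConfigurationHashKey"])
    offset = CONFIG.index(b"Uploads")
    # 1. Encryption only: the target folder is rewritten without any key.
    tampered = rewrite_field(encrypt(ek, CONFIG), b"Uploads", b"bin/tmp", offset)
    silently_changed = decrypt(ek, tampered)
    # 2. Encrypt-then-MAC with a separate hash key: the same edit is rejected.
    token = seal(ek, hk, CONFIG)
    detected = False
    try:
        open_token(ek, hk, rewrite_field(token, b"Uploads", b"bin/tmp", offset))
    except CryptographicException:
        detected = True
    # 3. Keys the attacker knows (e.g. shipped defaults): a valid token for
    #    an arbitrary folder is simply minted, so the MAC protects nothing.
    evil = CONFIG.replace(b"~/Uploads/", b"~/bin/")
    minted_ok = open_token(ek, hk, seal(ek, hk, evil)) == evil
    return {
        "roundtrip_ok": open_token(ek, hk, token) == CONFIG,
        "unauthenticated_tamper": silently_changed,
        "tamper_detected": detected,
        "known_keys_forge_ok": minted_ok,
    }


if __name__ == "__main__":
    print(appsettings_xml(generate_keys()))
    print(demo())
```

The third case is the reason the page insists on your own keys even after R2 2017 SP1: a MAC only binds the token to whoever holds the hash key, so a key that ships with every installation binds it to everyone.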
Setting the Telerik.Web.DisableAsyncUploadHandler key to true disables the built-in RadAsyncUpload handler that stores files in the temporary folder before they are moved to the target folder. This feature is available as of R2 2017 SP2.
When you set this key to true, no files can be uploaded through the default handler.
Custom handlers are not affected by this feature and you can still use them to upload and save files with the desired level of security.
<appSettings>
    <add key="Telerik.Web.DisableAsyncUploadHandler" value="true" />
</appSettings>