I'm seeing that while uploading the file, RadAsyncUpload is also sending a set of additional information as part of the payload (form-data fields) like "rauPostData", "fileName", "contentType", and other data pieces (see attachment).
I'm thinking whether it is possible to add additional custom fields to the payload mainly the CSRF token which will help me evaluate the authenticity of the file upload before it gets processed on the server.
I'm doing all CSRF validation through HttpModule and hence I cannot use Custom RadAsyncUpload Handler which for me is not a viable solution as the module will not let the request reach till this point.
Is there any degree of customization which can help me through this? Any help will be truly appreciated.
Thanks,
Gururaj
5 Answers, 1 is accepted
There is no such built-in functionality in RadAsyncUpload without implementing a custom handler.
One possible way to achieve similar behavior is to use an approach from this demo where an additional field is added to the uploaded file.
Regards,
Plamen
Telerik by Progress
Thanks Plamen for your response and suggestion.
I'm afraid that's not a viable option for me as it leads to a security concern where the user (in worst case scenario the attacker) can upload a file without going through CSRF verification (though it is going to copy the file in a temporary file unless the submit button is clicked).
This possible approach you're suggesting violates the whole purpose of me having CSRF verification.
Thanks,
Gururaj
In such case the only possible solution will be to use a custom handler.
Regards,
Plamen
Telerik by Progress
The architecture of the product involves doing CSRF verification before any request gets processed. And in case of Custom Handler it is something which has to be done only after the file has been uploaded and that also means a bespoke implementation due to a limitation in the software.
Thanks for your help.
The custom handler solution gives free customization of the file uploading, where you are able to override the Process method and perform your logic before the file is processed - it provides the possibility to use the layout of RadAsyncUpload and use custom logic for the upload of the files as you would do with any other upload component.
Hope this information will be helpful.
Regards,
Plamen
Telerik by Progress
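
The custom-handler approach described in the last reply, as an added example that is not code from the thread or from Telerik: a handler that overrides `Process` and rejects the request before the file is handled unless a CSRF token checks out. It assumes a double-submit scheme in which the page's script sends the token in a request header and the same value sits in a cookie; the header name, cookie name and class name are hypothetical.

```csharp
using System;
using System.Web;
using Telerik.Web.UI;

// Added example. Names marked "hypothetical" are assumptions, not from the thread.
public class CsrfCheckingUploadHandler : AsyncUploadHandler
{
    private const string HeaderName = "X-CSRF-Token"; // hypothetical header name
    private const string CookieName = "csrf-token";   // hypothetical cookie name

    protected override IAsyncUploadResult Process(UploadedFile file, HttpContext context,
        IAsyncUploadConfiguration configuration, string tempFileName)
    {
        // Double-submit check: the header value must equal the cookie value.
        // A cross-site page can make the browser send the cookie, but it
        // cannot read the cookie to copy its value into the header.
        string sent = context.Request.Headers[HeaderName];
        HttpCookie cookie = context.Request.Cookies[CookieName];
        string expected = cookie == null ? null : cookie.Value;

        if (!TokensMatch(sent, expected))
        {
            // Fail before base.Process so the default handling never runs.
            throw new HttpException(403, "CSRF token missing or invalid.");
        }

        // Token verified: continue with the default RadAsyncUpload processing.
        return base.Process(file, context, configuration, tempFileName);
    }

    // Comparison that does not exit early on the first differing character.
    private static bool TokensMatch(string a, string b)
    {
        if (string.IsNullOrEmpty(a) || string.IsNullOrEmpty(b) || a.Length != b.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```

The control is pointed at such a handler through its `HttpHandlerUrl` property.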