RadAsyncUpload and Custom-body-field

6 posts, 0 answers
  1. Gururaj
    Gururaj avatar
    3 posts
    Member since:
    Sep 2016

    Posted 19 Sep 2016 Link to this post

    I'm seeing that while uploading the file, RadAsyncUpload is also sending set of additional information as part of the payload (form-data fields) like "rauPostData", "fileName", "contentType", and others data pieces (see attachment).

    I'm thinking whether it is possible to add additional custom fields to the payload mainly the CSRF token which will help me evaluate the authenticity of the file upload before it gets processed on the server.

    I'm doing all CSRF validation through HttpModule and hence I cannot use Custom RadAsyncUpload Handler which for me is not a viable solution as the module will not let the request reach till this point.

    Is there any degree of customization which can help me through this? Any help will be truly appreciated.

    Thanks,
    Gururaj

  2.
  3. Plamen
    Admin
    Plamen avatar
    3031 posts

    Posted 22 Sep 2016 Link to this post

    Hi,

    There is not such inbuilt functionality in RadAsyncUpload without implementing a custom handler.

    One possible way to achieve similar behavior is to use a approach from this demo where additional field is added to the uploaded file.

    Regards,
    Plamen
    Telerik by Progress
    Do you need help with upgrading your ASP.NET AJAX, WPF or WinForms projects? Check the Telerik API Analyzer and share your thoughts.
  5. Gururaj
    Gururaj avatar
    3 posts
    Member since:
    Sep 2016

    Posted 22 Sep 2016 in reply to Plamen Link to this post

    Thanks Plamen for you response and suggestion.

    I'm afraid that's not a viable option for me as it leads to a security concern where the user (in worst case scenario the attacker) can upload a file without going through CSRF verification (though it is going to copy the file in a temporary file unless the submit button is clicked).

    This possible approach you're suggesting violates the whole purpose of me having CSRF verification.

    Thanks,
    Gururaj

  7. Plamen
    Admin
    Plamen avatar
    3031 posts

    Posted 22 Sep 2016 Link to this post

    Hello,

    In such case the only possible solution will be to use a custom handler.

    Regards,
    Plamen
    Telerik by Progress
    Do you need help with upgrading your ASP.NET AJAX, WPF or WinForms projects? Check the Telerik API Analyzer and share your thoughts.
  9. Gururaj
    Gururaj avatar
    3 posts
    Member since:
    Sep 2016

    Posted 26 Sep 2016 in reply to Plamen Link to this post

    The architecture of the product involves doing CSRF verification before any requests gets processed. And in case of Custom Handler it is something which has to be done only when after the file has been uploaded and that also means a bespoke implementation due a limitation in the software.

    Thanks for your help.

  11. Plamen
    Admin
    Plamen avatar
    3031 posts

    Posted 27 Sep 2016 Link to this post

    Hi,

    Custom handler solution gives free customization of the file uploading where you are able to override the Process method and perform your logic before the file is processed - it provides possibility to use the layout of RadAsyncUpload and use custom logic for the upload of the files as you would do with any other upload component.

    Hope this information will be helpful.

    Regards,
    Plamen
    Telerik by Progress
    Do you need help with upgrading your ASP.NET AJAX, WPF or WinForms projects? Check the Telerik API Analyzer and share your thoughts.
Back to Top