Server.MapPath() works differently on IIS 6.0 compared to IIS 5.0

Elie Grouchko wrote on 01 jan 2005 in
microsoft.public.inetserver.asp.general:

I am calling Server.MapPath(), the parameter is a virtual path that
includes a reference to a parent path ("Root/Files/../Config/").
'Config' is a

Server.MapPath("Root/Files/../Config/")

Try:

Server.MapPath("/Root/Files/../Config/")

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

On Sat, 1 Jan 2005 19:02:44 +0200, "Elie Grouchko"
<eg*******@hotmail.com> wrote:

Hi

I am running exactly the same ASP code on IIS 5.0 and IIS 6.0

I am calling Server.MapPath(), the parameter is a virtual path that includes
a reference to a parent path ("Root/Files/../Config/"). 'Config' is a
virtual directory under 'Root' which is also a virtual directory. 'Files' is
a normal folder.

Under IIS 5.0, the path is correctly mapped to the local path of the
'Config' virtual directory.

Under IIS 6.0, the path gets mapped to "C:\WebSite\Root\Files\..\Config",
ignoring the 'Config' virtual directory mapping.

Is there a special setting I should be aware of in IIS 6.0 to ensure correct
mapping of virtual paths?

Shouldn't that be Server.MapPath("/Config") ? It's a virtual folder
under the root, if you wanted to get to the folder in a url you'd use
http://{host}.{Domain}.{TLD}/Config/ so that's where the MapPath
should point.

Jeff

Hi Jeff

Sorry for the typo error

I am using the following folder structure:

c:\website\root\files\foo.asp
c:\website\root\configfiles\1\foo.txt

Virtual directories:

The website in IIS is mapped to c:\website

/Root points to c:\website\root
/Root/Config points to c:\website\configfiles\1

In foo.asp there is code that tries to access foo.txt by using
Server.MapPath(/Root/Files/../Config/) to map the file folder.

In IIS 6.0 (Windows SBS 2003):
1. Server.MapPath(/Root/Files/../Config/) returns c:\website\root\config
(wrong)
2. Server.MapPath(/Root/Config/) returns
c:\website\root\configfiles\1 (correct)

In IIS 5.0 (Windows 2000) both return the same correct result (2)

I am now using option 2 so I can continue my work, but I'd like to
understand what's wrong with my original code.

The ParentPath option is set in both IIS 5 and IIS 6

Thanks for your help,

Elie Grouchko

"Jeff Cochran" <je*********@zina.com> wrote in message
news:41***************@msnews.microsoft.com...

On Sat, 1 Jan 2005 19:02:44 +0200, "Elie Grouchko"
<eg*******@hotmail.com> wrote:

Hi

I am running exactly the same ASP code on IIS 5.0 and IIS 6.0

I am calling Server.MapPath(), the parameter is a virtual path that
includes
a reference to a parent path ("Root/Files/../Config/"). 'Config' is a
virtual directory under 'Root' which is also a virtual directory. 'Files'
is
a normal folder.

Under IIS 5.0, the path is correctly mapped to the local path of the
'Config' virtual directory.

Under IIS 6.0, the path gets mapped to "C:\WebSite\Root\Files\..\Config",
ignoring the 'Config' virtual directory mapping.

Is there a special setting I should be aware of in IIS 6.0 to ensure
correct
mapping of virtual paths?

Shouldn't that be Server.MapPath("/Config") ? It's a virtual folder
under the root, if you wanted to get to the folder in a url you'd use
http://{host}.{Domain}.{TLD}/Config/ so that's where the MapPath
should point.

Jeff

Elie Grouchko wrote on 03 jan 2005 in
microsoft.public.inetserver.asp.general:

In foo.asp there is code that tries to access foo.txt by using
Server.MapPath(/Root/Files/../Config/) to map the file folder.

This does not work, Elie.

Server.MapPath() needs a string argument
and /Root/Files/../Config/ will not evaluate to a string.

result = Server.MapPath("/Root/Files/../Config/")

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Since you say you have parentpaths enabled in both versions I suspect that
it is a security change. You always know the site-relative path to the
config directory so just use "/root/config/"

--
Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com
"Elie Grouchko" <eg*******@hotmail.com> wrote in message
news:em**************@TK2MSFTNGP12.phx.gbl...

Hi Jeff

Sorry for the typo error

I am using the following folder structure:

c:\website\root\files\foo.asp
c:\website\root\configfiles\1\foo.txt

Virtual directories:

The website in IIS is mapped to c:\website

/Root points to c:\website\root
/Root/Config points to c:\website\configfiles\1

In foo.asp there is code that tries to access foo.txt by using
Server.MapPath(/Root/Files/../Config/) to map the file folder.

In IIS 6.0 (Windows SBS 2003):
1. Server.MapPath(/Root/Files/../Config/) returns c:\website\root\config
(wrong)
2. Server.MapPath(/Root/Config/) returns
c:\website\root\configfiles\1 (correct)

In IIS 5.0 (Windows 2000) both return the same correct result (2)

I am now using option 2 so I can continue my work, but I'd like to
understand what's wrong with my original code.

The ParentPath option is set in both IIS 5 and IIS 6

Thanks for your help,

Elie Grouchko

"Jeff Cochran" <je*********@zina.com> wrote in message
news:41***************@msnews.microsoft.com...

On Sat, 1 Jan 2005 19:02:44 +0200, "Elie Grouchko"
<eg*******@hotmail.com> wrote:

Hi

I am running exactly the same ASP code on IIS 5.0 and IIS 6.0

I am calling Server.MapPath(), the parameter is a virtual path that
includes
a reference to a parent path ("Root/Files/../Config/"). 'Config' is a
virtual directory under 'Root' which is also a virtual directory. 'Files'is
a normal folder.

Under IIS 5.0, the path is correctly mapped to the local path of the
'Config' virtual directory.

Under IIS 6.0, the path gets mapped to "C:\WebSite\Root\Files\..\Config",ignoring the 'Config' virtual directory mapping.

Is there a special setting I should be aware of in IIS 6.0 to ensure
correct
mapping of virtual paths?

Shouldn't that be Server.MapPath("/Config") ? It's a virtual folder
under the root, if you wanted to get to the folder in a url you'd use
http://{host}.{Domain}.{TLD}/Config/ so that's where the MapPath
should point.

Jeff

On Mon, 3 Jan 2005 12:04:28 +0200, "Elie Grouchko"
<eg*******@hotmail.com> wrote:

Hi Jeff

Sorry for the typo error

I am using the following folder structure:

c:\website\root\files\foo.asp
c:\website\root\configfiles\1\foo.txt

Virtual directories:

The website in IIS is mapped to c:\website

/Root points to c:\website\root
/Root/Config points to c:\website\configfiles\1

In foo.asp there is code that tries to access foo.txt by using
Server.MapPath(/Root/Files/../Config/) to map the file folder.

In IIS 6.0 (Windows SBS 2003):
1. Server.MapPath(/Root/Files/../Config/) returns c:\website\root\config
(wrong)
Well, that's exactly where it should go. From the website it goes to
root, then down to files, then back up to root, then down to config.
2. Server.MapPath(/Root/Config/) returns
c:\website\root\configfiles\1 (correct)
That's where it should go as well, to the virtual folder.

Your issue is traversing files, which has changed. You can't traverse
down then back up then into a virtual folder as before. And there was
a file traversal security fix for w2K that should have prevented this
in IIS5, as would using the IIS Lockdown Tool.

Jeff
In IIS 5.0 (Windows 2000) both return the same correct result (2)

I am now using option 2 so I can continue my work, but I'd like to
understand what's wrong with my original code.

The ParentPath option is set in both IIS 5 and IIS 6

Thanks for your help,

Elie Grouchko

"Jeff Cochran" <je*********@zina.com> wrote in message
news:41***************@msnews.microsoft.com...

On Sat, 1 Jan 2005 19:02:44 +0200, "Elie Grouchko"
<eg*******@hotmail.com> wrote:

Hi

I am running exactly the same ASP code on IIS 5.0 and IIS 6.0

I am calling Server.MapPath(), the parameter is a virtual path that
includes
a reference to a parent path ("Root/Files/../Config/"). 'Config' is a
virtual directory under 'Root' which is also a virtual directory. 'Files'
is
a normal folder.

Under IIS 5.0, the path is correctly mapped to the local path of the
'Config' virtual directory.

Under IIS 6.0, the path gets mapped to "C:\WebSite\Root\Files\..\Config",
ignoring the 'Config' virtual directory mapping.

Is there a special setting I should be aware of in IIS 6.0 to ensure
correct
mapping of virtual paths?

Shouldn't that be Server.MapPath("/Config") ? It's a virtual folder
under the root, if you wanted to get to the folder in a url you'd use
http://{host}.{Domain}.{TLD}/Config/ so that's where the MapPath
should point.

Jeff

I didn't think about security issues, it does make sense now.

Thanks for your help

Elie Grouchko
"Jeff Cochran" <je*********@zina.com> wrote in message
news:41****************@msnews.microsoft.com...

On Mon, 3 Jan 2005 12:04:28 +0200, "Elie Grouchko"
<eg*******@hotmail.com> wrote:

Hi Jeff

Sorry for the typo error

I am using the following folder structure:

c:\website\root\files\foo.asp
c:\website\root\configfiles\1\foo.txt

Virtual directories:

The website in IIS is mapped to c:\website

/Root points to c:\website\root
/Root/Config points to c:\website\configfiles\1

In foo.asp there is code that tries to access foo.txt by using
Server.MapPath(/Root/Files/../Config/) to map the file folder.

In IIS 6.0 (Windows SBS 2003):
1. Server.MapPath(/Root/Files/../Config/) returns c:\website\root\config
(wrong)

Well, that's exactly where it should go. From the website it goes to
root, then down to files, then back up to root, then down to config.

2. Server.MapPath(/Root/Config/) returns
c:\website\root\configfiles\1 (correct)

That's where it should go as well, to the virtual folder.

Your issue is traversing files, which has changed. You can't traverse
down then back up then into a virtual folder as before. And there was
a file traversal security fix for w2K that should have prevented this
in IIS5, as would using the IIS Lockdown Tool.

Jeff

In IIS 5.0 (Windows 2000) both return the same correct result (2)

I am now using option 2 so I can continue my work, but I'd like to
understand what's wrong with my original code.

The ParentPath option is set in both IIS 5 and IIS 6

Thanks for your help,

Elie Grouchko

"Jeff Cochran" <je*********@zina.com> wrote in message
news:41***************@msnews.microsoft.com...

On Sat, 1 Jan 2005 19:02:44 +0200, "Elie Grouchko"
<eg*******@hotmail.com> wrote:

Hi

I am running exactly the same ASP code on IIS 5.0 and IIS 6.0

I am calling Server.MapPath(), the parameter is a virtual path that
includes
a reference to a parent path ("Root/Files/../Config/"). 'Config' is a
virtual directory under 'Root' which is also a virtual directory.
'Files'
is
a normal folder.

Under IIS 5.0, the path is correctly mapped to the local path of the
'Config' virtual directory.

Under IIS 6.0, the path gets mapped to
"C:\WebSite\Root\Files\..\Config",
ignoring the 'Config' virtual directory mapping.

Is there a special setting I should be aware of in IIS 6.0 to ensure
correct
mapping of virtual paths?

Shouldn't that be Server.MapPath("/Config") ? It's a virtual folder
under the root, if you wanted to get to the folder in a url you'd use
http://{host}.{Domain}.{TLD}/Config/ so that's where the MapPath
should point.

Jeff