Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   ASP .Net Security (http://www.velocityreviews.com/forums/f62-asp-net-security.html)
-   -   Security problem when dynamically creating directories (http://www.velocityreviews.com/forums/t766683-security-problem-when-dynamically-creating-directories.html)

Eran Kampf 10-13-2004 07:49 PM

Security problem when dynamically creating directories
 
I am trying to dynamically create directories in my ASP.NET application (I
am using Server.MapPath("/")+"test" as the folder)
and I am getting a DirectoryNotFoundException saying "Could not find a part
of the path "D:\".
My site is hosted on a public ISP that for obvious security reasons does not
allow my read access above my wwwroot folder which seems to be a problem
when trying to create directories...

Is there any way to solve this?

--
Eran Kampf
blog: http://www.ekampf.com/blog
Sharp3D.Math: http://www.ekampf.com/Sharp3D.Math/



Sahil Malik 10-13-2004 08:13 PM

Re: Security problem when dynamically creating directories
 
Certain ISPs won't let you touch the filesystem even in the wwwroot. Your
only option is to pretty much stick with the ISPs rules, be a good boy and
create your directories only within wwwroot.

Actually create them in a subdirectory within wwwroot, so that you can limit
write access control to only that subdir (and no code lives there).

- Sahil Malik
You can reach me thru my blog at
http://www.dotnetjunkies.com/weblog/sahilmalik



"Eran Kampf" <eran@ekampf.com> wrote in message
news:%23SFw73VsEHA.1520@TK2MSFTNGP11.phx.gbl...
> I am trying to dynamically create directories in my ASP.NET application (I
> am using Server.MapPath("/")+"test" as the folder)
> and I am getting a DirectoryNotFoundException saying "Could not find a

part
> of the path "D:\".
> My site is hosted on a public ISP that for obvious security reasons does

not
> allow my read access above my wwwroot folder which seems to be a problem
> when trying to create directories...
>
> Is there any way to solve this?
>
> --
> Eran Kampf
> blog: http://www.ekampf.com/blog
> Sharp3D.Math: http://www.ekampf.com/Sharp3D.Math/
>
>




Eran Kampf 10-13-2004 08:37 PM

Re: Security problem when dynamically creating directories
 
The following error is when trying to create a subdirectory udner wwwroot
which is fine with the ISP....
It seems that the problem occurs because of ISP security above the wwwroot
level.

By the way,
The ISP support guy tried creating a directory using old asp (FileSystem
object) and had no problems...

"Sahil Malik" <contactmethrumyblog@nospam.com> wrote in message
news:%23lYqpEWsEHA.2660@TK2MSFTNGP12.phx.gbl...
> Certain ISPs won't let you touch the filesystem even in the wwwroot. Your
> only option is to pretty much stick with the ISPs rules, be a good boy and
> create your directories only within wwwroot.
>
> Actually create them in a subdirectory within wwwroot, so that you can
> limit
> write access control to only that subdir (and no code lives there).
>
> - Sahil Malik
> You can reach me thru my blog at
> http://www.dotnetjunkies.com/weblog/sahilmalik
>
>
>
> "Eran Kampf" <eran@ekampf.com> wrote in message
> news:%23SFw73VsEHA.1520@TK2MSFTNGP11.phx.gbl...
>> I am trying to dynamically create directories in my ASP.NET application
>> (I
>> am using Server.MapPath("/")+"test" as the folder)
>> and I am getting a DirectoryNotFoundException saying "Could not find a

> part
>> of the path "D:\".
>> My site is hosted on a public ISP that for obvious security reasons does

> not
>> allow my read access above my wwwroot folder which seems to be a problem
>> when trying to create directories...
>>
>> Is there any way to solve this?
>>
>> --
>> Eran Kampf
>> blog: http://www.ekampf.com/blog
>> Sharp3D.Math: http://www.ekampf.com/Sharp3D.Math/
>>
>>

>
>




YK 10-13-2004 11:39 PM

Re: Security problem when dynamically creating directories
 
Hi Eran,

If you are sure that you can write to wwwroot using the old ASP approach
(possibly through FileSystemObject), you can try enable impersonation for
your ASP.NET application. In fact, the default ASPNET account needs to
impersonate the client (or another account with higher access privilege on
wwwroot) in order for the file system to honour the NTFS permission.

Thanks,
YK




"Eran Kampf" wrote:

> The following error is when trying to create a subdirectory udner wwwroot
> which is fine with the ISP....
> It seems that the problem occurs because of ISP security above the wwwroot
> level.
>
> By the way,
> The ISP support guy tried creating a directory using old asp (FileSystem
> object) and had no problems...
>
> "Sahil Malik" <contactmethrumyblog@nospam.com> wrote in message
> news:%23lYqpEWsEHA.2660@TK2MSFTNGP12.phx.gbl...
> > Certain ISPs won't let you touch the filesystem even in the wwwroot. Your
> > only option is to pretty much stick with the ISPs rules, be a good boy and
> > create your directories only within wwwroot.
> >
> > Actually create them in a subdirectory within wwwroot, so that you can
> > limit
> > write access control to only that subdir (and no code lives there).
> >
> > - Sahil Malik
> > You can reach me thru my blog at
> > http://www.dotnetjunkies.com/weblog/sahilmalik
> >
> >
> >
> > "Eran Kampf" <eran@ekampf.com> wrote in message
> > news:%23SFw73VsEHA.1520@TK2MSFTNGP11.phx.gbl...
> >> I am trying to dynamically create directories in my ASP.NET application
> >> (I
> >> am using Server.MapPath("/")+"test" as the folder)
> >> and I am getting a DirectoryNotFoundException saying "Could not find a

> > part
> >> of the path "D:\".
> >> My site is hosted on a public ISP that for obvious security reasons does

> > not
> >> allow my read access above my wwwroot folder which seems to be a problem
> >> when trying to create directories...
> >>
> >> Is there any way to solve this?
> >>
> >> --
> >> Eran Kampf
> >> blog: http://www.ekampf.com/blog
> >> Sharp3D.Math: http://www.ekampf.com/Sharp3D.Math/
> >>
> >>

> >
> >

>
>
>


Nicole Calinoiu 10-14-2004 11:41 AM

Re: Security problem when dynamically creating directories
 
Eran,

Server.MapPath("/") will return the path to the site root, which is not
necessarily the root folder of your application. You should have better
luck with Server.MapPath(null). In addition, the value returned may not
have a trailing backslash. To ensure proper path generation, use
Path.Combine rather than simple concatenation. e.g.:
System.IO.Path.Combine(Server.MapPath(null), "test").

If the above still doesn't work, have you tried simply writing the output
from Server.MapPath to an ASPX page so that you can view the value? Is the
returned value a path on which the execution context user should have
adequate permissions to perform the operations that you are attempting?

HTH,
Nicole



"Eran Kampf" <eran@ekampf.com> wrote in message
news:%23SFw73VsEHA.1520@TK2MSFTNGP11.phx.gbl...
>I am trying to dynamically create directories in my ASP.NET application (I
> am using Server.MapPath("/")+"test" as the folder)
> and I am getting a DirectoryNotFoundException saying "Could not find a
> part
> of the path "D:\".
> My site is hosted on a public ISP that for obvious security reasons does
> not
> allow my read access above my wwwroot folder which seems to be a problem
> when trying to create directories...
>
> Is there any way to solve this?
>
> --
> Eran Kampf
> blog: http://www.ekampf.com/blog
> Sharp3D.Math: http://www.ekampf.com/Sharp3D.Math/
>




Eran Kampf 10-14-2004 06:35 PM

Re: Security problem when dynamically creating directories
 
The path I am trying to create is correct.
I checked the knowledge base and I think the problem is due to the fact that
D is a mapped network drive while the asp.net worker process is a local user
that has no network access and thus cannot access the network drive.

If that is true then
1. How creating a directory with old ASP FileSystem object works fine?
2. How come creating\reading\writing files in existing directories work
fine?

"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
news:Onk5HPesEHA.3336@tk2msftngp13.phx.gbl...
> Eran,
>
> Server.MapPath("/") will return the path to the site root, which is not
> necessarily the root folder of your application. You should have better
> luck with Server.MapPath(null). In addition, the value returned may not
> have a trailing backslash. To ensure proper path generation, use
> Path.Combine rather than simple concatenation. e.g.:
> System.IO.Path.Combine(Server.MapPath(null), "test").
>
> If the above still doesn't work, have you tried simply writing the output
> from Server.MapPath to an ASPX page so that you can view the value? Is
> the returned value a path on which the execution context user should have
> adequate permissions to perform the operations that you are attempting?
>
> HTH,
> Nicole
>
>
>
> "Eran Kampf" <eran@ekampf.com> wrote in message
> news:%23SFw73VsEHA.1520@TK2MSFTNGP11.phx.gbl...
>>I am trying to dynamically create directories in my ASP.NET application (I
>> am using Server.MapPath("/")+"test" as the folder)
>> and I am getting a DirectoryNotFoundException saying "Could not find a
>> part
>> of the path "D:\".
>> My site is hosted on a public ISP that for obvious security reasons does
>> not
>> allow my read access above my wwwroot folder which seems to be a problem
>> when trying to create directories...
>>
>> Is there any way to solve this?
>>
>> --
>> Eran Kampf
>> blog: http://www.ekampf.com/blog
>> Sharp3D.Math: http://www.ekampf.com/Sharp3D.Math/
>>

>
>




Nicole Calinoiu 10-15-2004 11:29 AM

Re: Security problem when dynamically creating directories
 
"Eran Kampf" <eran@ekampf.com> wrote in message
news:OeCUNzhsEHA.1520@TK2MSFTNGP11.phx.gbl...
> The path I am trying to create is correct.
> I checked the knowledge base and I think the problem is due to the fact
> that D is a mapped network drive while the asp.net worker process is a
> local user that has no network access and thus cannot access the network
> drive.


If it's a mapped network drive, and you're trying to create directories
within you application folder, is your application folder running from this
mapped drive? If not, could you please provide the directory mapping for
your application and the target folders?

>
> If that is true then
> 1. How creating a directory with old ASP FileSystem object works fine?


For starters, it's most likely using a different user context.


> 2. How come creating\reading\writing files in existing directories work
> fine?


Without more information, all I could possibly do is make some rather wild
guesses. <g> It would really help if you could provide a relevant code
extract, indicating the line on which the exception is thrown and the
complete exception details.


>
> "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
> news:Onk5HPesEHA.3336@tk2msftngp13.phx.gbl...
>> Eran,
>>
>> Server.MapPath("/") will return the path to the site root, which is not
>> necessarily the root folder of your application. You should have better
>> luck with Server.MapPath(null). In addition, the value returned may not
>> have a trailing backslash. To ensure proper path generation, use
>> Path.Combine rather than simple concatenation. e.g.:
>> System.IO.Path.Combine(Server.MapPath(null), "test").
>>
>> If the above still doesn't work, have you tried simply writing the output
>> from Server.MapPath to an ASPX page so that you can view the value? Is
>> the returned value a path on which the execution context user should have
>> adequate permissions to perform the operations that you are attempting?
>>
>> HTH,
>> Nicole
>>
>>
>>
>> "Eran Kampf" <eran@ekampf.com> wrote in message
>> news:%23SFw73VsEHA.1520@TK2MSFTNGP11.phx.gbl...
>>>I am trying to dynamically create directories in my ASP.NET application
>>>(I
>>> am using Server.MapPath("/")+"test" as the folder)
>>> and I am getting a DirectoryNotFoundException saying "Could not find a
>>> part
>>> of the path "D:\".
>>> My site is hosted on a public ISP that for obvious security reasons does
>>> not
>>> allow my read access above my wwwroot folder which seems to be a problem
>>> when trying to create directories...
>>>
>>> Is there any way to solve this?
>>>
>>> --
>>> Eran Kampf
>>> blog: http://www.ekampf.com/blog
>>> Sharp3D.Math: http://www.ekampf.com/Sharp3D.Math/
>>>

>>
>>

>
>





All times are GMT. The time now is 09:53 PM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.