
Blocking Restricted Directories
After the filter processes any cookieless tickets, it has IIS normalize the representation of the request URL. Normalization is necessary because the filter enforces the restriction that browser users cannot request any type of content from the directories that ASP.NET 2.0 reserves, and a check against the raw, un-normalized URL could be sidestepped by an encoded or alternate spelling of a directory name. Because ASP.NET 2.0 introduced new "content" that in reality consists of code, data, resources, and other pieces of information, access to this information through a browser must be prevented. The filter does this by scanning the normalized URL, looking for one of the following path segments:
/bin - Compiled assemblies referenced by the application
/app_code - Source code files with classes referenced elsewhere in an application
/app_data - Data files such as .xml, .mdb, or .mdf files
/app_globalresources - Resources that are globally accessible throughout an application
/app_localresources - Resources that are applicable to a specific directory
/app_webreferences - WSDL files and compiled artifacts for Web Services
/app_browsers - Browser capability files for determining browser functionality
If the filter finds a path segment matching one of these names, it returns an error to IIS, which is converted into a 404 response and returned to the browser. Because the match is made on path segments, a reserved name is blocked wherever it appears in the path, not only directly under the application root. For example, if a web server has a directory immediately under wwwroot called app_data containing an HTML file called foo.htm, requesting the following URL still results in a 404 even though the file does exist on the file system:
http://localhost/app_data/foo.htm
There had been some discussion at one point about having the filter broadly block any URL containing the characters /app_ at the beginning of a path segment. However, this was decided against because some developers may already have been using such a naming prefix in their directory structures. If at all possible, developers should move away from naming any directories with the /app_ prefix. In a future release of ASP.NET, the filter may block any path segment that starts with these characters, not just the specific set of directories reserved in ASP.NET 2.0.
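The following is an added illustrative reimplementation of the check described above (the normalize-then-scan-segments logic and the optional broader /app_ prefix rule), written for this page; it is not the code of aspnet_filter.dll. The page does not spell out which normalization steps IIS performs, so the steps chosen here (percent-decoding until stable, folding backslashes, resolving dot segments, case folding) are assumptions picked to cover the usual ways a reserved name gets disguised in a request.

```python
"""Added example: reserved-directory blocking modeled on the ASP.NET 2.0 ISAPI
filter behaviour described above. Not the real filter's code; the normalization
steps are assumptions, not a statement of what IIS does internally."""
import posixpath
from typing import Optional
from urllib.parse import unquote

# The directories ASP.NET 2.0 reserves, as listed on this page. Matching is
# case-insensitive because the file system and IIS paths are.
RESERVED_DIRS = frozenset({
    "bin", "app_code", "app_data", "app_globalresources",
    "app_localresources", "app_webreferences", "app_browsers",
})


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path before any decision is made on it.

    Assumed steps: drop the query string, percent-decode until the result is
    stable (so double encoding such as %2541 -> %41 -> 'A' is undone), fold
    backslashes to forward slashes, collapse '.' and '..' segments and
    duplicate slashes, then lower-case the result."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):  # bounded loop: decode, but never spin on hostile input
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    # posixpath.normpath resolves './', '../' and '//' without touching disk.
    return posixpath.normpath(path).lower()


def blocked_segment(raw_path: str, block_app_prefix: bool = False) -> Optional[str]:
    """Return the offending path segment, or None if the request may proceed.

    block_app_prefix=True models the broader rule the text says was discussed
    but not shipped: refuse any segment that starts with 'app_'."""
    for segment in normalize_path(raw_path).split("/"):
        if not segment:
            continue
        if segment in RESERVED_DIRS:
            return segment
        if block_app_prefix and segment.startswith("app_"):
            return segment
    return None


def filter_request(raw_path: str, block_app_prefix: bool = False) -> int:
    """Status the filter hands back: 404 when a reserved directory is named
    anywhere in the path, otherwise 200 meaning 'let the request continue'."""
    return 404 if blocked_segment(raw_path, block_app_prefix) else 200


if __name__ == "__main__":
    # Constructed sample requests, including the page's own example URL.
    for req in ("/app_data/foo.htm", "/App_Data/foo.htm", "/%41pp_data/foo.htm",
                "/images/../app_data/foo.htm", "/app_data%5Cfoo.htm",
                "/site/bin/app.dll", "/app_themes/site.css", "/default.aspx"):
        print(f"{req:32} -> {filter_request(req)}")
```

Note that a directory such as /app_themes passes the ASP.NET 2.0 check because it is not in the reserved list, but would be refused under the /app_ prefix rule; that difference is exactly why the text recommends avoiding the prefix for your own directories.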
If you have valid reasons for creating directory structures on disk with any of the reserved names noted earlier, you can disable the filter's directory blocking behavior (although for security reasons this is clearly not recommended). Registry settings that control the directory blocking behavior can be added as DWORD values underneath the following Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\ASP.NET
After changing any of the settings shown in the following table, run iisreset to recycle the worker processes. This forces aspnet_filter.dll to read the new Registry settings when the filter is initialized in a new worker process.
Chapter 1, page 8 (04_596985 ch01.qxp, 12/14/05 7:46 PM)