The '..' Characters Are Not Allowed In The Path Parameter For The MapPath Method
Posted July 20, 2006 at 3:49 PM by Ben Nadel
I am covering for someone on vacation was given the task of configuring XStandard on a client site. The web services were not working and when accessed directly, the error they throw is:
The '..' characters are not allowed in the Path parameter for the MapPath method
The client is running off of the ASP version of the web services, not my ColdFusion implementation (again, not my client). This doesn't apply to my ColdFusion version, but, since I do so much Xstandard work, I figure I would post up the reason this happens. It's all about security. If you can put ".." in your MapPath() method, then you can go outside of your web root and I guess that freaks some people out. XStandard PRO needs this though because it uploads files to dynamic paths. So, we must allow ".." characters otherwise, we would never know to where we were uploading.
To remedy this (as taken off of the Fog Creek Software site):
- Open IIS Manager, right click and choose properties on your [SITE_NAME] virtual directory (or the website root if [SITE_NAME] is installed at the root.
- Click the Home Directory or Virtual Directory tab and choose the 'Configuration' button on that tab.
- Click the Options tab and make sure the "Enable parent paths" setting is enabled.
Now, when accessed directly, the web services say: "Status: Ready".
- Wanted: Full-Time ColdFusion Developer at Intoria Internet Architects
- Cold Fusion Senior Developer at Edge Information Management
- Back-End Web Developer-Information Technologist at Michigan State University
- ColdFusion Developer at Nonfat Media
- Mid-to-Senior Level Web Application Developer at SiteVision, Inc.
Thank you...you are the only person on the web with a solution to this obscure 'gotcha'. I am building ASP sites on my WinXP laptop and then deploying on a Win2003 Server. The newer version of IIS on the server adds this security "feature".
Glad to help.
This site is interesting and very informative, nicely interface. Enjoyed browsing through the site
This problem may also be solved using Request.ServerVariables("APPL_PHYSICAL_PATH") which returns the path to the root folder.
So, if you want to access a file in a parent directory like ../MyFiles/Image.gif it is ok to write
MyPath = Request.ServerVariables("APPL_PHYSICAL_PATH")+"/MyFiles/Image.gif"
I did not know that. Thanks for the hot tip.
Thanks a million! I was having almost the same problem as Neil Laslett: site developed for use, and working perfectly, on XP, was playing up when I tried to move it to Vista.
It must be horrible (not saying this is what happened) when you have to go fill in for someone, and find the way they do things is totally wrong. And you have to fix all of their misnomers, so that they probably receive the praise for things working 'so well' when they get back.
I've had many a time a situation like that. Well, especially in the corporate environment. At least now I work for myself, but it can still happen with some contracts.
Thanks for this post! =)
Nice! Miojo Solution! Thanks!
Thanks to kyty. The Request.ServerVariables method worked and solved my problem.
Very nice! Thanks!
Thanks, time saver!
for what its worth, i'd go with kyty's request.servervariables suggestion as enabling parent paths can still (depending on version and configuration) pose a security risk in iis.
Thanks this solved my problem. Got an old university project working again in 2012!!!