Ben Nadel
On User Experience (UX) Design, JavaScript, ColdFusion, Node.js, Life, and Love.
I am the chief technical officer at InVision App, Inc - a prototyping and collaboration platform for designers, built by designers. I also rock out in JavaScript and ColdFusion 24x7.
Meanwhile on Twitter
Loading latest tweet...
Ben Nadel at RIA Unleashed (Nov. 2010) with:

The '..' Characters Are Not Allowed In The Path Parameter For The MapPath Method

By Ben Nadel on

I am covering for someone on vacation was given the task of configuring XStandard on a client site. The web services were not working and when accessed directly, the error they throw is:

The '..' characters are not allowed in the Path parameter for the MapPath method

The client is running off of the ASP version of the web services, not my ColdFusion implementation (again, not my client). This doesn't apply to my ColdFusion version, but, since I do so much Xstandard work, I figure I would post up the reason this happens. It's all about security. If you can put ".." in your MapPath() method, then you can go outside of your web root and I guess that freaks some people out. XStandard PRO needs this though because it uploads files to dynamic paths. So, we must allow ".." characters otherwise, we would never know to where we were uploading.

To remedy this (as taken off of the Fog Creek Software site):

  1. Open IIS Manager, right click and choose properties on your [SITE_NAME] virtual directory (or the website root if [SITE_NAME] is installed at the root.
     
  2. Click the Home Directory or Virtual Directory tab and choose the 'Configuration' button on that tab.
     
  3. Click the Options tab and make sure the "Enable parent paths" setting is enabled.

Now, when accessed directly, the web services say: "Status: Ready".




Reader Comments

Thank you...you are the only person on the web with a solution to this obscure 'gotcha'. I am building ASP sites on my WinXP laptop and then deploying on a Win2003 Server. The newer version of IIS on the server adds this security "feature".

Reply to this Comment

This site is interesting and very informative, nicely interface. Enjoyed browsing through the site

Reply to this Comment

This problem may also be solved using Request.ServerVariables("APPL_PHYSICAL_PATH") which returns the path to the root folder.
So, if you want to access a file in a parent directory like ../MyFiles/Image.gif it is ok to write

MyPath = Request.ServerVariables("APPL_PHYSICAL_PATH")+"/MyFiles/Image.gif"

Reply to this Comment

Thanks a million! I was having almost the same problem as Neil Laslett: site developed for use, and working perfectly, on XP, was playing up when I tried to move it to Vista.

Reply to this Comment

Great fix.
It must be horrible (not saying this is what happened) when you have to go fill in for someone, and find the way they do things is totally wrong. And you have to fix all of their misnomers, so that they probably receive the praise for things working 'so well' when they get back.
I've had many a time a situation like that. Well, especially in the corporate environment. At least now I work for myself, but it can still happen with some contracts.

Reply to this Comment

for what its worth, i'd go with kyty's request.servervariables suggestion as enabling parent paths can still (depending on version and configuration) pose a security risk in iis.

Reply to this Comment

Thanks this solved my problem. Got an old university project working again in 2012!!!

Reply to this Comment

Post A Comment

?
You — Get Out Of My Dreams, Get Into My Comments
Live in the Now
Oops!
Comment Etiquette: Please do not post spam. Please keep the comments on-topic. Please do not post unrelated questions or large chunks of code. And, above all, please be nice to each other - we're trying to have a good conversation here.