Re: ISS 6.0 and tilde
From: Chris Storey (toolate_at_blueyonder.co.uk)
Date: 06/09/04
- Next message: M. J. Kahn: "Calling DLL in ASP page"
- Previous message: M. J. Kahn: "Re: IIS, SMTP Server, and CDO"
- In reply to: Wade A. Hilmo [MS]: "Re: ISS 6.0 and tilde"
- Next in thread: Egbert Nierop (MVP for IIS): "Re: ISS 6.0 and tilde"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 9 Jun 2004 23:11:15 +0100
Unfortunately I can't test this just now as I have to run the server in IIS
5.0 isolation mode to ensure that the session doesn't get randomly lost when
the worker process restarted. When I have figured out a way to make the
sessions persist in a classic ASP application without relying on session
cookies I'll test it :o)
Thanks for the help :o)
"Wade A. Hilmo [MS]" <wadeh@microsoft.com> wrote in message
news:u8KlrHkTEHA.2716@tk2msftngp13.phx.gbl...
> Hi Chris,
>
> I think I know what's going on here. If I'm right, then this is a bug that
> we've seen in IIS 6 and are currently investigating for a possible fix in
> Windows 2003 SP1.
>
> I believe that what's happening here is that we consider the filename to be
> a candidate for a short file name check due to it ending in "~n", where n is
> one or more digits. Normally, we would check with the file system and see
> that, in your case, it is not a short file name and we'd serve the file.
> What you are probably seeing, though, is that the worker process itself does
> not have access to check the file system for that file. Since we can't
> check the file system, we fail the request. What should happen is that IIS
> should make this check after the request has been authenticated, so that the
> check can happen in the security context of the client user and not the
> worker process.
>
> You might be able to work around the problem by either changing the identity
> of the worker process so that it has access to the file (running it as local
> system would be a good test, but probably not a good fix for obvious
> reasons.) Another possibility, and probably a better one, would be to make
> sure that the user identity of the worker process has sufficient access to
> the content directory to make this check. I believe that read access should
> be sufficient, but the file monitoring utility you are using could confirm
> this.
>
> I hope that this helps,
> -Wade A. Hilmo,
> -Microsoft
>
> "Chris Storey" <toolate@blueyonder.co.uk> wrote in message
> news:u7Ne8NYTEHA.1412@TK2MSFTNGP11.phx.gbl...
> > I decided to see what would happen if I run the IIS 6.0 in IIS 5.0 Isolation
> > mode and the problem has now gone away.
> > Is this mode as safe?
> >
> > Doing a dir *test* shows the files exactly as they are saved. Furthermore,
> > opening the files from the command prompt works too.
> >
> > Thanks
> > Chris Storey
> >
> > "Wade A. Hilmo [MS]" <wadeh@microsoft.com> wrote in message
> > news:O4ddy8XTEHA.3016@tk2msftngp13.phx.gbl...
> > > Hi Chris,
> > >
> > > I don't know off the top of my head how IIS identifies short file names. I
> > > thought that it actually queried the file system when it sees a short file
> > > name candidate. It might be interesting to do a "dir /x" in the directory
> > > that contains this file and see what it shows.
> > >
> > > As for disabling the behavior, there is no way to do so - and you don't want
> > > to. IIS uses metadata to determine what a URL is, how it should be
> > > processed, and what read/write/execute actions are allowed. This metadata
> > > is only valid for the full file name, so you would open a serious security
> > > hole by allowing IIS to serve content by short file names, because the
> > > metadata would be wrong.
> > >
> > > Thank you,
> > > -Wade A. Hilmo,
> > > -Microsoft
> > >
> > > "Chris Storey" <toolate@blueyonder.co.uk> wrote in message
> > > news:u6NFRnWTEHA.3580@TK2MSFTNGP09.phx.gbl...
> > > > Hello,
> > > >
> > > > Think we might be getting close now.
> > > >
> > > > http://www.minigallery.co.uk/test~test.asp works (just a basic page with
> > > > nothing there) whereas http://www.minigallery.co.uk/test~2.asp doesn't
> > > > work - because of the fact it believes it must be a shortened file name. The
> > > > test~2.asp is the actual file name and unfortunately my files end with
> > > > numbers rather than words.
> > > >
> > > > Is it possible to turn this behaviour off and if so what value do I edit?
> > > >
> > > > Thanks
> > > >
> > > > Chris Storey
> > > >
> > > >
> > > > "Wade A. Hilmo [MS]" <wadeh@microsoft.com> wrote in message
> > > > news:uyGEYXWTEHA.2716@tk2msftngp13.phx.gbl...
> > > > > Hi Chris,
> > > > >
> > > > > Is "test~2.htm" the short file representation for a long file name? IIS
> > > > > will not serve files using their short file name for security reasons
> > > > > (specifically, IIS metadata is associated with the "real" file name, and
> > > > > not the short version.)
> > > > >
> > > > > Thank you,
> > > > > -Wade A. Hilmo,
> > > > > -Microsoft
> > > > >
> > > > > "Chris Storey" <toolate@blueyonder.co.uk> wrote in message
> > > > > news:u22Ja1VTEHA.3224@TK2MSFTNGP10.phx.gbl...
> > > > > > http://www.minigallery.co.uk/~test.htm
> > > > > >
> > > > > > The tilde at the beginning of the file name I believe is reference the
> > > > > > application root. As you can see if you click the link above this works,
> > > > > > no problems. The problem I have is the tilde is in the middle of the file
> > > > > > name.
> > > > > >
> > > > > > A permissions error sounds likely, however, the Show Friendly HTTP Errors
> > > > > > option is unticked - "Access is denied." is all that I am getting.
> > > > > >
> > > > > > It is possible that this is being generated from a file somewhere with on
> > > > > > error resume next set, however, why would a htm file produce the same
> > > > > > result as an asp page?
> > > > > >
> > > > > > Thanks for the assistance :o)
> > > > > >
> > > > > >
> > > > > >
> > > > > > "Paul Lynch" <paul.lynch@nospam.com> wrote in message
> > > > > > news:njebc0dv509hgm1n6qjk33k12a7apda8pi@4ax.com...
> > > > > > > On Tue, 8 Jun 2004 02:53:04 +0100, "Chris Storey"
> > > > > > > <toolate@blueyonder.co.uk> wrote:
> > > > > > >
> > > > > > > >Hello,
> > > > > > > >
> > > > > > > >I understand that the tilde character is useful for aspx applications,
> > > > > > > >however, for an asp application it is proving problematic.
> > > > > > > >
> > > > > > > >Basically, if I have a file name containing the tilde character (~) I simply
> > > > > > > >get an error message:
> > > > > > > >"Access is denied."
> > > > > > > >
> > > > > > > >I have no idea where this page is being generated which isn't too helpful,
> > > > > > > >however, it does the same for accessing a htm page as an asp page:
> > > > > > > >www.minigallery.co.uk/test~2.asp
> > > > > > > >www.minigallery.co.uk/test~2.htm
> > > > > > > >
> > > > > > > >In IIS 5.0 this was not a problem - we have very recently moved the website
> > > > > > > >to a new server with IIS 6.0 and have a good few hundred pages with ~ in the
> > > > > > > >file name.
> > > > > > > >
> > > > > > > >Any ideas how the tilde can be made to work properly?
> > > > > > > >
> > > > > > > >Thanks in advance
> > > > > > > >
> > > > > > > >Chris Storey
> > > > > > > >
> > > > > > >
> > > > > > > Chris,
> > > > > > >
> > > > > > > I can't reproduce the problem you describe on a default IIS6
> > > > > > > installation. All my test files (I called them ~tilde.asp and
> > > > > > > ~tilde.htm respectively) worked just fine.
> > > > > > >
> > > > > > > Uncheck Show Friendly HTTP Errors in your browser and post the exact
> > > > > > > error message. It sounds like permissions to me.
> > > > > > >
> > > > > > >
> > > > > > > Regards,
> > > > > > >
> > > > > > > Paul Lynch
> > > > > > > MCSE
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
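The request handling described in the quoted replies above, modelled in Python as an added example; it is not part of the original thread and not IIS code. The regular expression, the function names and the directory listing are assumptions constructed for illustration, using the file names mentioned in the thread.

```python
import re

# Assumption: a name is a short-name candidate when its base name ends in
# "~n" (n = one or more digits), optionally followed by one extension.
CANDIDATE = re.compile(r"~\d+(\.[^.]*)?$")

def is_short_name_candidate(name: str) -> bool:
    return CANDIDATE.search(name) is not None

def decide(name, long_names, short_aliases, worker_can_read):
    """Outcome for one requested file name.

    long_names      real (long) file names in the content directory
    short_aliases   8.3 aliases the file system generated (seen with `dir /x`)
    worker_can_read whether the worker process identity may query the directory
    """
    name = name.lower()  # Windows file names are case-insensitive
    is_real = name in long_names
    if not is_short_name_candidate(name):
        return "serve" if is_real else "not found"
    # Candidate: the file system must be asked whether this is a real name.
    if not worker_can_read:
        return "access denied"  # the check cannot be made, request fails
    if is_real:
        return "serve"  # e.g. test~2.asp really is the full file name
    # Only an alias: URL metadata belongs to the long name, so never serve it.
    return "refuse: short name" if name in short_aliases else "not found"

def affected(long_names):
    """Real file names that trigger the check and so depend on read access."""
    return sorted(n for n in long_names if is_short_name_candidate(n))

# Constructed listing: real names, plus the alias of gallery-index.asp.
LONG_NAMES = {"test~2.asp", "test~2.htm", "test~test.asp", "~test.htm",
              "gallery-index.asp"}
SHORT_ALIASES = {"galler~1.asp"}

if __name__ == "__main__":
    for can_read in (False, True):
        for req in ("test~test.asp", "test~2.asp", "GALLER~1.ASP"):
            print(can_read, req, "->",
                  decide(req, LONG_NAMES, SHORT_ALIASES, can_read))
    print("depend on worker read access:", affected(LONG_NAMES))
```

`affected()` lists the files on a site that would need the worker process identity to have read access to the content directory.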