Re: ISS 6.0 and tilde


From: Wade A. Hilmo [MS] (wadeh_at_microsoft.com)
Date: 06/10/04


Date: Wed, 9 Jun 2004 17:34:52 -0700

Hi Egbert,

Back when we were designing IIS 6, we met with some of the key folks on the
file system team, and it turns out that there is no way we can prevent the
operating system from opening short file names unless they are disabled at
the OS level (including \\?\ and \\.\ syntaxes.) And we can't disable them
at the OS level because there are other things that ship on the CD that
depend on short file name support. We would have liked very much to avoid
testing for this, but we're still stuck with it.

Thank you,
-Wade A. Hilmo,
-Microsoft

"Egbert Nierop (MVP for IIS)" <egbert_nierop@nospam.invalid> wrote in
message news:OCH2r4nTEHA.1368@TK2MSFTNGP11.phx.gbl...
> "Wade A. Hilmo [MS]" <wadeh@microsoft.com> wrote in message
> news:uvvwHKkTEHA.2704@TK2MSFTNGP10.phx.gbl...
> > Hi Egbert,
> >
> > We definitely do not consider '~' to be a dangerous character. In fact,
> > it's a pretty commonly used character in URLs.
> >
> > What's happening here is that, based on the pattern of "~n" at the end of a
> > directory or filename, where 'n' is one or more digits, we consider the
> > filename to be a possible short file name. Serving files out by their short
> > name is a security issue, per my previous posts on this thread.
> >
> > The reason that the original poster is seeing a problem where other people
> > are not is, I believe, an issue with the way that their content is ACL'ed,
> > vs the order in which IIS does authentication and confirming whether the
> > file name is, in fact, a short file name.
>
> I understand. But what my point was, is that IIS should not 'test' for
> existence of short file names. As long as the right NT or Win32 api is called,
> Windows will not check short file names. I might be wrong, but that's my
> experience with filenames.
>
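
The "~n" heuristic described in the quoted message, as an added example that is not part of the thread and is not IIS's own code: it flags request paths in which a directory or file name ends in "~" followed by digits, so an administrator can see which logged URLs would be treated as possible short file names. The function names, the log format, the percent-decoding step and the allowance for one trailing extension are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# "~n" (n = one or more digits) at the end of a name, per the post above.
# Assumption: an optional single extension may follow, as in LONGFI~1.TXT.
SHORT_NAME_TAIL = re.compile(r"~\d+(?:\.[^./\\]*)?$")


def suspect_segments(uri):
    """Return the path segments of `uri` that could be 8.3 short names."""
    # Decode %7E etc. first so an encoded tilde is not missed (assumption:
    # one round of percent-decoding; the query string is ignored).
    path = unquote(urlsplit(uri).path)
    segments = re.split(r"[/\\]", path)
    return [s for s in segments if SHORT_NAME_TAIL.search(s)]


def flag_requests(log_lines):
    """Scan 'METHOD URI' lines and return (uri, segments) for each hit."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 2:
            continue  # skip malformed lines
        found = suspect_segments(fields[1])
        if found:
            hits.append((fields[1], found))
    return hits


# Constructed sample log lines (not from the thread).
SAMPLE_LOG = [
    "GET /~egbert/index.html",        # plain '~' in a URL: not flagged
    "GET /PROGRA~1/app/default.asp",  # directory name ends in ~1
    "GET /docs/LONGFI%7E12.TXT",      # encoded tilde, digits, extension
    "GET /files/v~2beta/readme.txt",  # '~2' is not at the end of the name
    "GET /search?q=report~1",         # query string is not a file name
]

if __name__ == "__main__":
    for uri, found in flag_requests(SAMPLE_LOG):
        print(uri, "->", found)
```
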


