K
Kevin Baribeau
Hey guys,
I've written a class that inherites from
System.Web.Hosting.SimpleWorkerRequest in order to do some ASP.NET
processing outside of iis. Everything was working great until
Microsoft released the path validation vulnerability
(http://www.microsoft.com/technet/security/Bulletin/MS05-004.mspx).
My code issues a bunch of requests using my SimpleWorkerRequest
decendent and the static HttpRuntime.ProcessRequest method for a set of
files contained in a directory structure. As of the released security
fix, requests for any files that are not in the root of the directory
structure come back with 404s (not found). Currently, I use a
backslash in my code to denote a path to a file, if I change to using a
standard slash, the request brings back the .aspx page unmodified
(databinding expressions and page directives are preserved, as if
asp.net has done no processing).
I've done a lot of searching on this problem and found that at least
one other person has reproduced it
(http://groups.google.ca/group/DotNe...leworkerrequest&rnum=8&hl=en#02cb4f8cb67bbd5f),
but had no other luck.
Has anyone else experienced this? Is it a known bug in the framework
classes? Am I doing something wrong?
Any information, suggestions or pointers to more resources will be
greatly appreciated.
Thanks.
-------------------------
Kevin Baribeau
Programmer/Analyst
Point2 Technologies Inc.
www.point2.com
------------------------
I've written a class that inherites from
System.Web.Hosting.SimpleWorkerRequest in order to do some ASP.NET
processing outside of iis. Everything was working great until
Microsoft released the path validation vulnerability
(http://www.microsoft.com/technet/security/Bulletin/MS05-004.mspx).
My code issues a bunch of requests using my SimpleWorkerRequest
decendent and the static HttpRuntime.ProcessRequest method for a set of
files contained in a directory structure. As of the released security
fix, requests for any files that are not in the root of the directory
structure come back with 404s (not found). Currently, I use a
backslash in my code to denote a path to a file, if I change to using a
standard slash, the request brings back the .aspx page unmodified
(databinding expressions and page directives are preserved, as if
asp.net has done no processing).
I've done a lot of searching on this problem and found that at least
one other person has reproduced it
(http://groups.google.ca/group/DotNe...leworkerrequest&rnum=8&hl=en#02cb4f8cb67bbd5f),
but had no other luck.
Has anyone else experienced this? Is it a known bug in the framework
classes? Am I doing something wrong?
Any information, suggestions or pointers to more resources will be
greatly appreciated.
Thanks.
-------------------------
Kevin Baribeau
Programmer/Analyst
Point2 Technologies Inc.
www.point2.com
------------------------
anel.