Getting 404 errors on files that are present

on 30.04.2007 01:00:58 by Tom Miller

I run a website with over 770,000 files for downloading. I am getting 404
errors for files that you can clearly "see" because the page that you're
seeing was created on the fly by the directory browsing feature. I don't
think I was having this much trouble with the Server 2000/iis v? but I seem
to be having much more trouble now.

The thing that all the files that are getting these errors have in common is
they are text files with "funny" extensions like ".lst" or ".dir" or ".bbs"

My small webhost thinks that there is a "security" switch that will cause
iis to be willing to serve any file in a sub-directory. Does anyone have a
clue?
Thanks,


--
Tom Miller, Occasional PowerUser (Mcp, Mous, A+) and sometime Web Developer
Wannabe, More at: http://bccs.chatnfiles.com/ecard3.htm, International
Webmasters Assoc: www.iwanet.org, Owner: www.ChatNFiles.com bbs, Home of
770,000+ downloads.



--
Posted via a free Usenet account from http://www.teranews.com

Re: Getting 404 errors on files that are present

on 30.04.2007 01:37:44 by David Wang

It's a security feature in IIS6 to not allow downloads of static files
which do not have a MIME Type.

It is actually a good feature for many reasons. Unfortunately, the
rules of running a website properly seem troublesome to many -- here's
my rationalization for the feature and what you should do.

1. It forces the user to provide a proper Content-Type for every single
static file response. This allows the browser to know how to correctly
handle the static file. Because of the large number of websites that
do not do this properly (probably because most users don't know about
it), browsers like IE and Firefox have had to implement client-side
hacks to "guess" the file type based on attributes of the response,
such as URL extension, sniffing the first # bytes of the response to
see if it matches various file signatures, etc, and then launch the
client-side plugins to handle the response. This mechanism is
imprecise and buggy and has led to all other sorts of application
hacks and more browser hacks.
2. It closes a security loophole when you decide to remove an
application extension mapping by not allowing that extension to
automatically be downloadable. For example, if you ran ASP pages on
IIS5 and put SQL username/password into the ASP page, if you remove
the .asp application mapping in IIS5, people can directly request the
ASP page and get its contents as a static file, exposing the
username/password. IIS6 will block that because .ASP would not have a
MIME Type.


I suggest you put all your downloadable files in one directory tree,
and just for that tree, add a MIME Type for *, application/octet-stream.
That way, all downloadable files get the Content-Type of
application/octet-stream, which browsers know to interpret as "show
the download dialog box".

If your files are scattered everywhere, then you'll have to set the *
MIME Type everywhere applicable.

P.S. You actually had far more trouble with the IIS on Windows 2000
with all of its security vulnerabilities. IIS6 has had negligible
security issues, though it does force the user to be more up-front
with ambiguous/security issues, like this one. It may appear to be
"more trouble" and less "hands off -- just works", but reality is that
once you do your due-diligence on IIS6, it is just as "hands off". I
see it as IIS on Windows 2000 made users irresponsible with the power
they wielded.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//





On Apr 29, 4:00 pm, "Tom Miller" wrote:
> I run a website with over 770,000 files for downloading. I am getting 404
> errors for files that you can clearly "see" because the page that you're
> seeing was created on the fly by the directory browsing feature. I don't
> think I was having this much trouble with the Server 2000/iis v? but I seem
> to be having much more trouble now.
>
> The thing that all the files that are getting these errors have in common is
> they are text files with "funny" extensions like ".lst" or ".dir" or ".bbs"
>
> My small webhost thinks that there is a "security" switch that will cause
> iis to be willing to serve any file in a sub-directory. Does anyone have a
> clue?
> Thanks,
>
> --
> Tom Miller, Occasional PowerUser (Mcp, Mous, A+) and sometime Web Developer
> Wannabe, More at: http://bccs.chatnfiles.com/ecard3.htm, International
> Webmasters Assoc: www.iwanet.org, Owner: www.ChatNFiles.com bbs, Home of
> 770,000+ downloads.
>
> --
> Posted via a free Usenet account from http://www.teranews.com
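
An added example, not part of the original thread and not IIS code: a simplified Python model of the rule described in the reply (a static file with no MIME type gets a 404, and a `*` entry scoped to one tree serves everything in it), used to audit a document root. The MIME map, the sensitive-extension list, the file names and the nearest-scope lookup order are assumptions made for illustration; the model covers only files that no application mapping handles.

```python
import os
import posixpath
import tempfile

# Constructed MIME map (URL scope -> {extension: Content-Type}), not read from a real server.
MIME_MAP = {
    "/": {".htm": "text/html", ".txt": "text/plain"},
    "/downloads": {"*": "application/octet-stream"},  # the scoped wildcard from the reply
}
# Assumption: extensions whose source should never go out as a static file.
SENSITIVE_EXTS = {".asp", ".inc", ".config"}

def resolve_type(url_path, mime_map=MIME_MAP):
    """Return the Content-Type for url_path, or None where this model answers 404."""
    ext = posixpath.splitext(url_path)[1].lower()
    scope = posixpath.dirname(url_path)
    while True:  # nearest scope first, then each parent up to the site root
        types = mime_map.get(scope, {})
        if ext in types:
            return types[ext]
        if "*" in types:
            return types["*"]
        if scope == "/":
            return None
        scope = posixpath.dirname(scope)

def audit(doc_root, mime_map=MIME_MAP):
    """Return (extensions that would 404 with counts, sensitive files a wildcard serves)."""
    blocked, exposed = {}, []
    for folder, _dirs, files in os.walk(doc_root):
        for name in files:
            rel = os.path.relpath(os.path.join(folder, name), doc_root)
            url = "/" + rel.replace(os.sep, "/")
            ext = posixpath.splitext(name)[1].lower()
            if resolve_type(url, mime_map) is None:
                blocked[ext] = blocked.get(ext, 0) + 1
            elif ext in SENSITIVE_EXTS:
                exposed.append(url)
    return blocked, sorted(exposed)

def make_sample_tree():
    """Create a constructed document root in a temp directory and return its path."""
    root = tempfile.mkdtemp()
    for rel in ("downloads/files.lst", "downloads/board.bbs", "downloads/admin.asp",
                "docs/readme.txt", "docs/old.dir", "docs/legacy.asp"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root
```

Running `audit(make_sample_tree())` lists `.dir` and `.asp` under `docs/` as blocked and flags `/downloads/admin.asp`, the kind of file to move out of a tree before giving that tree a `*` MIME type.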