Allow upload of app_* directories through WebDAV

on 31.03.2008 17:49:02 by Heinrich Moser

Hi!

We are using WebDAV to publish our ASP.NET applications to an IIS 6.0
server (W2k3). Everything works fine so far (including uploading aspx
files, after we discovered that "script source access" needs to be
activated), except for uploading App_* directories (App_Data,
App_LocalResources, App_GlobalResources, etc.) used by ASP.NET 2.0
applications (uploads to "bin" directories work fine, though).

I assume that the IIS ASP.NET 2.0 extension filters out access to
these "dangerous" directories, which makes it hard for us to deploy
our applications to this server. Is there some way to disable this
filter for the "WebDAV" web site? In IIS manager, neither the generic
"Websites" node nor our "WebDAV" web site show any ISAPI filters in
the corresponding property tab.

Greetings, thanks in advance,
Heinzi

Re: Allow upload of app_* directories through WebDAV

on 01.04.2008 04:35:11 by David Wang

On Mar 31, 8:49 am, Heinrich Moser wrote:
> Hi!
>
> We are using WebDAV to publish our ASP.NET applications to an IIS 6.0
> server (W2k3). Everything works fine so far (including uploading aspx
> files, after we discovered that "script source access" needs to be
> activated), except for uploading App_* directories (App_Data,
> App_LocalResources, App_GlobalResources, etc.) used by ASP.NET 2.0
> applications (uploads to "bin" directories work fine, though).
>
> I assume that the IIS ASP.NET 2.0 extension filters out access to
> these "dangerous" directories, which makes it hard for us to deploy
> our applications to this server. Is there some way to disable this
> filter for the "WebDAV" web site? In IIS manager, neither the generic
> "Websites" node nor our "WebDAV" web site show any ISAPI filters in
> the corresponding property tab.
>
> Greetings, thanks in advance,
>     Heinzi


IIS WebDAV does not have such restrictions, so you are still running
some ISAPI that is implementing this restriction.

Those ISAPI DLLs are either loaded via Global ISAPI Filter, Website
ISAPI Filter, or Wildcard Application Mapping. Make sure they are all
clean/removed for your WebDAV website, and it should work as expected.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: Allow upload of app_* directories through WebDAV

on 01.04.2008 12:09:04 by Heinrich Moser

David Wang writes:
> On Mar 31, 8:49 am, Heinrich Moser wrote:
>> We are using WebDAV to publish our ASP.NET applications to an IIS 6.0
>> server (W2k3). Everything works fine so far (including uploading aspx
>> files, after we discovered that "script source access" needs to be
>> activated), except for uploading App_* directories (App_Data,
>> App_LocalResources, App_GlobalResources, etc.) used by ASP.NET 2.0
>> applications (uploads to "bin" directories work fine, though).
>>
>> I assume that the IIS ASP.NET 2.0 extension filters out access to
>> these "dangerous" directories, which makes it hard for us to deploy
>> our applications to this server. Is there some way to disable this
>> filter for the "WebDAV" web site? In IIS manager, neither the generic
>> "Websites" node nor our "WebDAV" web site show any ISAPI filters in
>> the corresponding property tab.
>
> IIS WebDAV does not have such restrictions, so you are still running
> some ISAPI that is implementing this restriction.
>
> Those ISAPI DLLs are either loaded via Global ISAPI Filter, Website
> ISAPI Filter, or Wildcard Application Mapping. Make sure they are all
> clean/removed for your WebDAV website, and it should work as expected.

Thanks for your explanation, but I fail to find these filters. This is
what I checked:

1. Global filters: SERVERNAME -> Websites -> Properties -> ISAPI Filters
==> List is empty.

2. Website filters: SERVERNAME -> Websites -> WebDAV (= site name)
-> Properties -> ISAPI Filters
==> List is empty.

3. Global application mappings: SERVERNAME -> Websites -> Properties
-> Home directory -> Configuration -> Mappings
==> Lots of entries, but all of them refer to some file extension,
but "App_LocalResources" does not have a file extension.

4. Local application mappings: Should not apply, since no directories
are configured as applications in the WebDAV site (they are
configured as applications in other sites, of course, but that
should not matter, or should it?).

Apparently, I missed some spot. Any hints?

Greetings,
Heinzi

Re: Allow upload of app_* directories through WebDAV

on 06.04.2008 21:49:40 by Heinrich Moser

Heinrich Moser writes:
> David Wang writes:
>> On Mar 31, 8:49 am, Heinrich Moser wrote:
>>> We are using WebDAV to publish our ASP.NET applications to an IIS 6.0
>>> server (W2k3). Everything works fine so far (including uploading aspx
>>> files, after we discovered that "script source access" needs to be
>>> activated), except for uploading App_* directories (App_Data,
>>> App_LocalResources, App_GlobalResources, etc.) used by ASP.NET 2.0
>>> applications (uploads to "bin" directories work fine, though).
[...]
>>
>> IIS WebDAV does not have such restrictions, so you are still running
>> some ISAPI that is implementing this restriction.
>>
>> Those ISAPI DLLs are either loaded via Global ISAPI Filter, Website
>> ISAPI Filter, or Wildcard Application Mapping. Make sure they are all
>> clean/removed for your WebDAV website, and it should work as expected.
>
> Thanks for your explanation, but I fail to find these filters. This is
> what I checked:
>
> 1. Global filters: SERVERNAME -> Websites -> Properties -> ISAPI Filters
> ==> List is empty.

I was able to solve this problem and would like to share the solution:

First of all, the problem was definitely due to
aspnet_filter.dll. Apparently, this file was loaded as a global ISAPI
filter in IIS but not shown anywhere in IIS admin. Anyway, it was
possible to disable it by

1. Adding it to SERVERNAME -> Websites -> Properties -> ISAPI Filters.
2. Then removing it again from there.

(BTW, is this [ISAPI filters active but not shown] a known problem?)

Afterwards I manually added aspnet_filter.dll in the web site
configuration for every site except the WebDAV site. Now the system
behaves exactly as I want it to: App_* directories are protected when
accessed via "normal" HTTP, but access is allowed through the
password-protected WebDAV site.

This solution is not ideal, since I must remember now to add it
manually to every new site I create, but unfortunately, there's no
"disable this ISAPI filter only for this site" option.

Greetings,
Heinzi

PS: During my research I also discovered that this behaviour of
aspnet_filter.dll could be disabled *globally* by setting a registry key
(HKEY_LOCAL_MACHINE\Software\Microsoft\ASP.NET\StopProtectedDirectoryFiltering
-> 1). However, since I do want my web applications to be protected, this
was not a valid option. I just include it here for reference.
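
An audit for the per-site setup described in the post above, where aspnet_filter.dll has to be added by hand to every new site. This is an added example, not part of the original thread. It assumes PowerShell 2.0 or later and the IIS 6 ADSI provider (`IIS://`) on the local server; the exempt site name "WebDAV" is taken from the thread and `$exemptSites` is a hypothetical setting.

```powershell
# Added example: report which IIS 6 sites have aspnet_filter.dll configured.
# Assumptions: IIS 6 ADSI provider on localhost, run as administrator.
$filterDll   = 'aspnet_filter.dll'
$exemptSites = @('WebDAV')   # ServerComment of sites deliberately left unfiltered

function Get-FilterPath([string]$adsPath) {
    # FilterPath of each IIsFilter under an IIsFilters node; nothing if the node is absent.
    try {
        $node = New-Object System.DirectoryServices.DirectoryEntry($adsPath)
        foreach ($child in $node.psbase.Children) {
            if ($child.psbase.SchemaClassName -eq 'IIsFilter') {
                [string]$child.psbase.Properties['FilterPath'].Value
            }
        }
    } catch { }
}

function Test-HasFilter($paths) {
    # True if any configured filter path ends in aspnet_filter.dll.
    [bool]($paths | Where-Object { $_ -and ((Split-Path $_ -Leaf) -ieq $filterDll) })
}

# A global entry applies to every site, including the WebDAV one.
$globalHit = Test-HasFilter (Get-FilterPath 'IIS://localhost/W3SVC/Filters')

$root = New-Object System.DirectoryServices.DirectoryEntry('IIS://localhost/W3SVC')
foreach ($site in $root.psbase.Children) {
    if ($site.psbase.SchemaClassName -ne 'IIsWebServer') { continue }
    $id       = $site.psbase.Name
    $name     = [string]$site.psbase.Properties['ServerComment'].Value
    $siteHit  = Test-HasFilter (Get-FilterPath "IIS://localhost/W3SVC/$id/Filters")
    $filtered = $globalHit -or $siteHit
    $exempt   = $exemptSites -contains $name

    if ($filtered -and $exempt) {
        $status = 'filtered (App_* uploads will be blocked)'
    } elseif ($filtered) {
        $status = 'protected'
    } elseif ($exempt) {
        $status = 'exempt (expected)'
    } else {
        $status = 'UNPROTECTED: add aspnet_filter.dll to this site'
    }
    New-Object PSObject -Property @{ SiteId = $id; Site = $name; Status = $status }
}
```

Run it after creating a site; any row marked UNPROTECTED is a site where App_* directories are served without the filter.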
