[thelist] Web server settings question

Ken Schaefer Ken at adOpenStatic.com
Thu Feb 10 20:08:13 CST 2005


I would argue that the "correct" way to do this in IIS is to remove the IIS
"read" permission for the file or folder in question (via the IIS Manager)

As an added security measure, certain file extensions are mapped to the
Forbidden File Handler in a default machine.config or web.config file that
ASP.NET uses, but as you say, that requires changing the file extension
(basically, it's a hack) to bring the file under the aegis of the .NET
framework.

Cheers
Ken

: -----Original Message-----
: From: thelist-bounces at lists.evolt.org
: [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Mark Marlow
: Sent: Friday, 11 February 2005 7:20 AM
: To: thelist at lists.evolt.org
: Subject: RE: [thelist] Web server settings question
: 
: One cheapo way to accomplish this is to name the file with an extension that
: the server will not handle properly.  On IIS with ASP.Net installed, if the
: file extension is ".cs", the server will not return this file.
: 
: 
: -----Original Message-----
: From: thelist-bounces at lists.evolt.org
: [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Brooking, John
: Sent: Thursday, February 10, 2005 3:00 PM
: To: thelist at lists.evolt.org
: Subject: [thelist] Web server settings question
: 
: Hello, all,
: 
:    I just modified my contact email script ([1], but I haven't posted the
: new version there yet, maybe tomorrow) for a friend, to write values out to
: a CSV data file as well as sending the email containing them. The CSV file
: is written to the /cgi-bin directory, same place as the script resides. A
: big problem, which I hadn't anticipated, is that in his domain, I (and
: anyone else) can type the full URL to the data file (such as
: http://www.thedomainname.com/cgi-bin/contacts.csv) directly into the address
: box, and it will send the whole file to the client! I didn't expect this,
: and the domains that I have don't allow this. (I copied the file to them,
: and typed the address, and got an Internal Server Error.)
: 
:    So I'm thinking that there must be some switch that allows or prohibits
: non-executable files in executable directories being sent to the client. I'm
: not sure what the server is, but the provider is www.hypermart.net. Can
: someone tell me if there is such a setting in any or all of the major
: servers? If you happen to know what server this provider is running, that
: would be even better! Thanks!
: 
: [1] http:/www.pobox.com/~JohnBrook/codelib/
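
Editor's added example (not code from the thread or from John's script at
the codelib URL above): whatever the server setting turns out to be, the fix
that does not depend on it is to keep contacts.csv out of the served tree in
the first place and have the script refuse to write anywhere a URL could
reach. The script below does that check in Python (the thread's script is
presumably Perl; the language, the DOCUMENT_ROOT/data-directory paths and the
form fields are assumptions for illustration). Removing the IIS read
permission, as Ken describes, still belongs on top of this as the server-side
deny.

```python
"""Write a contact form's CSV log somewhere the web server will never serve.

Added example for the thread above, not the original script. Instead of
relying on a server setting to hide contacts.csv, keep the file outside the
document root and verify that at runtime before every write.
"""
import csv
import os
import tempfile
from typing import Iterable


def is_under(root: str, path: str) -> bool:
    """True if `path` resolves to `root` itself or to something beneath it.

    Both sides go through realpath so a symlinked data directory that points
    back into the web tree is still caught; the os.sep suffix stops
    /srv/www/html-data from matching /srv/www/html.
    """
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return path == root or path.startswith(root + os.sep)


def resolve_data_path(document_root: str, data_dir: str, filename: str) -> str:
    """Return the absolute path for `filename` inside `data_dir`.

    Raises ValueError if the name is not a bare filename (no directories,
    no '..') or if the result would land anywhere under `document_root`,
    i.e. anywhere a client could fetch by typing a URL.
    """
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        raise ValueError("filename must be a bare name, got %r" % (filename,))
    target = os.path.join(data_dir, filename)
    if is_under(document_root, target):
        raise ValueError(
            "%s lies inside the served tree %s" % (target, document_root)
        )
    return os.path.realpath(target)


def rejects(document_root: str, data_dir: str, filename: str) -> bool:
    """Convenience for callers/tests: did resolve_data_path refuse this?"""
    try:
        resolve_data_path(document_root, data_dir, filename)
    except ValueError:
        return True
    return False


def append_contact(path: str, fields: Iterable[str]) -> int:
    """Append one row; the csv module quotes commas/newlines in user input.

    Returns the number of rows now in the file.
    """
    with open(path, "a", newline="") as fh:
        csv.writer(fh).writerow(list(fields))
    with open(path, newline="") as fh:
        return sum(1 for _ in csv.reader(fh))


if __name__ == "__main__":
    # Constructed stand-ins for the CGI environment. On a real server
    # DOCUMENT_ROOT is set by Apache; the data directory is whatever you
    # created outside it (and made writable only by the CGI user).
    docroot = os.environ.get("DOCUMENT_ROOT", "/srv/www/html")
    data_dir = tempfile.mkdtemp(prefix="contactform-")

    # The layout from the thread: CSV next to the script in cgi-bin.
    # That path is refused because it is under the document root.
    print("cgi-bin location rejected:",
          rejects(docroot, os.path.join(docroot, "cgi-bin"), "contacts.csv"))

    # A bare filename in a directory outside the web tree is accepted.
    csv_path = resolve_data_path(docroot, data_dir, "contacts.csv")
    n = append_contact(csv_path, ["Jane Doe", "jane at example.com",
                                  "hello, world\nsecond line"])
    print("rows in", csv_path, "=", n)
```

A directory traversal name such as "../contacts.csv" is rejected by the
bare-name check before the path is ever joined, so a form field can never
pick the destination.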
