-
Oct 21st, 2021, 10:38 AM
#1
Thread Starter
New Member
Error -2147467259 (0x80004005) with dots in query string
I have some VBScript that passes directory names via a querystring in the browser. This works great except if the folder has dots in the name. Specifically, this folder has three dots in the middle of the folder name. I imagine IIS or ASP has some protections against directory traversal attacks which are preventing me from passing this folder in the URL. I tried HTML encoding the dots but the result is the same, error -2147467259 (0x80004005). Besides renaming the directory in question, anyone know how best to handle this situation? Thanks!
-
Oct 21st, 2021, 12:52 PM
#2
Re: Error -2147467259 (0x80004005) with dots in query string
I don't see how "period" characters are not allowed - they do not seem to have a valid "escape" syntax.
Show some code please.
-
Oct 21st, 2021, 12:59 PM
#3
Thread Starter
New Member
Re: Error -2147467259 (0x80004005) with dots in query string
Well, the directory being passed has three dots in the name so I think ASP or IIS is stopping it because it suspects a directory traversal attack. With ".." meaning previous directory after all. I assume it just does the same for "..." as well.
Code is pretty generic.
Just doing a GetFolder on a Server.mappath with the path being supplied via a query string:
Code:
strListDirPath = Request.QueryString("listdir")
Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
Set objFolder = objFSO.GetFolder(Server.MapPath(strListDirPath))
There error occurs on GetFolder.
The folder name is "Example...Example123"
-
Oct 21st, 2021, 01:54 PM
#4
Re: Error -2147467259 (0x80004005) with dots in query string
Does "mappath" actually need an existing folder to work, or can you just pass "Example" and then when you get the result back do a REPLACE on "Example" to make it "Example...Example123"?
-
Oct 21st, 2021, 02:00 PM
#5
Thread Starter
New Member
Re: Error -2147467259 (0x80004005) with dots in query string
I don't understand.
Can you show an example?
This is from a directory listings program so I'm not sure how I would accomplish that.
-
Oct 22nd, 2021, 05:47 AM
#6
Re: Error -2147467259 (0x80004005) with dots in query string
Something like this maybe?
Code:
dim strCleanPath as String = strListDirPath.Replace(".","_")
dim strCleanMap as String = Server.MapPath(strCleanPath)
strListDirPath = strCleanMap.Replace("_",".")
Set objFolder = objFSO.GetFolder(strListDirPath)
I replaced the . character with an _ (underscore) character. You could replace it with anything as long as it's valid and not already in the path.
-
Oct 22nd, 2021, 07:44 AM
#7
Thread Starter
New Member
Re: Error -2147467259 (0x80004005) with dots in query string
Ah I see, thank you for the insight.
Your sytax is a little off.
You have to use the replace function like this:
Code:
Replace(strListDirPath, ".","_")
However, it doesn't work as it breaks virtual paths and that's where all these files are stored behind.
When I try your suggestions, it tries to use an absolute path that doesn't exist because there is a virtual binding for that path in IIS.
-
Oct 22nd, 2021, 07:57 AM
#8
Re: Error -2147467259 (0x80004005) with dots in query string
I was giving you .Net syntax - sorry. I spend most of my time in JavaScript lately, so lucky get any identifiable syntax out, lol!
So you are saying that the REPLACE turns the folders into ones that DO NOT EXIST, thus breaking things.
Not that the REPLACE broke other parts of the folder string making the folder syntax invalid?
-
Oct 22nd, 2021, 08:14 AM
#9
Thread Starter
New Member
Re: Error -2147467259 (0x80004005) with dots in query string
No problem.
I appreciate the direction. It's easy enough to read your code and figure out what you're doing.
Correct, it turned my virtual directories (/Folder/Folder2/File.txt) into absolute ones (X:\IIS\Website\Folder\Folder2\File.txt).
Although, I don't understand why at the moment.
For now, I found the setting that stops ".." in the server.mappath function: https://docs.microsoft.com/en-us/iis...led-by-default
So I have set that to true on the website and it's working for now.
Not ideal but it works I suppose.
-
Oct 22nd, 2021, 08:18 AM
#10
Re: Error -2147467259 (0x80004005) with dots in query string
Originally Posted by DJX995
Correct, it turned my virtual directories (/Folder/Folder2/File.txt) into absolute ones (X:\IIS\Website\Folder\Folder2\File.txt).
Although, I don't understand why at the moment.
MapPath does just that though - doesn't it? It turns a virtual folder into a mapped path on the actual server so you can then access files.
-
Oct 22nd, 2021, 08:25 AM
#11
Thread Starter
New Member
Re: Error -2147467259 (0x80004005) with dots in query string
Yeah, I'm trying to remember.
I haven't touched this code in years so I'm trying to figure out how I did this.
Here's what M$ has to say about that:
The MapPath method maps the specified relative or virtual path to the corresponding physical directory on the server.
Path: Specifies the relative or virtual path to map to a physical directory. If Path starts with either a forward (/) or backward slash (\), the MapPath method returns a path as if Path were a full, virtual path. If Path doesn't start with a slash, the MapPath method returns a path relative to the directory of the .asp file being processed.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|