Invalid file name for monitoring

[Guest]

I'm undergoing an audit where my web application is supposed to handle
(gracefully) a bunch of garbage being throwns at it.

When I use the following url I get an error;

http://localhost/myapplication/~Home/Page.aspx

where the offending character is the tilde.

[HttpException (0x80070057): Invalid file name for monitoring:
'C:\projects\myapplication\~Home'. File names for monitoring must have
absolute paths, and no wildcards.]
System.Web.DirectoryMonitor.AddFileMonitor(String file) +429
System.Web.DirectoryMonitor.StartMonitoringFile(String file,
FileChangeEventHandler callback, String alias) +76
System.Web.FileChangesMonitor.StartMonitoringPath(String alias,
FileChangeEventHandler callback) +495
System.Web.Caching.CacheDependency.Init(Boolean isPublic, Boolean
isSensitive, String[] filenamesArg, String[] cachekeysArg, CacheDependency
dependency, DateTime utcStart) +1535
System.Web.Caching.CacheDependency..ctor(Boolean isSensitive, String[]
filenames, DateTime utcStart) +50

System.Web.Configuration.HttpConfigurationSystem.GetCacheDependencies(Hashtable cachedeps, DateTime utcStart) +151
System.Web.Configuration.HttpConfigurationSystem.ComposeConfig(String
reqPath, IHttpMapPath configmap) +760
System.Web.HttpContext.GetCompleteConfigRecord(String reqpath,
IHttpMapPath configmap) +434
System.Web.HttpContext.GetCompleteConfig() +49
System.Web.HttpContext.GetConfig(String name) +195
System.Web.CustomErrors.GetSettings(HttpContext context, Boolean
canThrow) +20
System.Web.HttpResponse.ReportRuntimeError(Exception e, Boolean canThrow)
+40
System.Web.HttpRuntime.FinishRequest(HttpWorkerRequest wr, HttpContext
context, Exception e) +480

This is happening before the Application's BeginRequest fires, so I don't
get a chance to handle it.

Of course setting customErrors mode="On" prevents the detailed exception
from being displayed, which is very good. However in this case the
defaultRedirect doesn't seem to be working.

Has anyone else seen this? I'm not ruling out Monday morning brain
dysfunction.

 

[Lucas Tam]

When I use the following url I get an error;

http://localhost/myapplication/~Home/Page.aspx

where the offending character is the tilde.

[HttpException (0x80070057): Invalid file name for monitoring:
'C:\projects\myapplication\~Home'. File names for monitoring must have
absolute paths, and no wildcards.]

The Tilde means "from the root of the application directory" - do you have
any custom http handlers or something in the global.asax file doing a file
system look up?

 

[Guest]

When I use the following url I get an error;

http://localhost/myapplication/~Home/Page.aspx

where the offending character is the tilde.

[HttpException (0x80070057): Invalid file name for monitoring:
'C:\projects\myapplication\~Home'. File names for monitoring must have
absolute paths, and no wildcards.]

The Tilde means "from the root of the application directory" - do you have
any custom http handlers or something in the global.asax file doing a file
system look up?

I do have an HttpModule, but the error happens *before* the module's
BeginRequest event is fired.

I just created a a web application using File > New > Project and the
minimal web application gives the same results when I type;

http://localhost/WebApplication1/~WebForm1.aspx

 

[Juan T. Llibre]

Try using

~/page.aspx

instead of

~Home/page.aspx

~/ stands for the *root* of the application.

When I use the following url I get an error;

http://localhost/myapplication/~Home/Page.aspx

where the offending character is the tilde.

[HttpException (0x80070057): Invalid file name for monitoring:
'C:\projects\myapplication\~Home'. File names for monitoring must have
absolute paths, and no wildcards.]

The Tilde means "from the root of the application directory" - do you have
any custom http handlers or something in the global.asax file doing a file
system look up?

I do have an HttpModule, but the error happens *before* the module's
BeginRequest event is fired.

I just created a a web application using File > New > Project and the
minimal web application gives the same results when I type;

http://localhost/WebApplication1/~WebForm1.aspx

 

[Guest]

I can't prevent the person doing the audit from doing that. He's putting in
all kinds of garbage to see if he can get the application to reveal something
that it shouldn't.

Try using

~/page.aspx

instead of

~Home/page.aspx

~/ stands for the *root* of the application.

in

When I use the following url I get an error;

http://localhost/myapplication/~Home/Page.aspx

where the offending character is the tilde.

[HttpException (0x80070057): Invalid file name for monitoring:
'C:\projects\myapplication\~Home'. File names for monitoring must have
absolute paths, and no wildcards.]

The Tilde means "from the root of the application directory" - do you have
any custom http handlers or something in the global.asax file doing a file
system look up?

I do have an HttpModule, but the error happens *before* the module's
BeginRequest event is fired.

I just created a a web application using File > New > Project and the
minimal web application gives the same results when I type;

http://localhost/WebApplication1/~WebForm1.aspx

 

[Guest]

Here is my WebForm1 codebehind;
=======================

public class WebForm1 : System.Web.UI.Page
{
private void Page_Load(object sender, System.EventArgs e)
{
throw new ApplicationException( "FOO" );
}

#region Web Form Designer generated code
// snip
#endregion
}

A piece of my web.config;
=================

<customErrors
mode="On" defaultRedirect="~/WebForm2.aspx"
/>

and my WebForm2.aspx;
================

<%@ Page language="c#" Codebehind="WebForm2.aspx.cs" AutoEventWireup="false"
Inherits="WebApplication1.WebForm2" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<title>WebForm2</title>
<meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
<meta name="CODE_LANGUAGE" Content="C#">
<meta name="vs_defaultClientScript" content="JavaScript">
<meta name="vs_targetSchema"
content="http://schemas.microsoft.com/intellisense/ie5">
</HEAD>
<body MS_POSITIONING="GridLayout">
<form id="Form1" method="post" runat="server">
<asp:Label id="Label1" style="Z-INDEX: 101; LEFT: 392px; POSITION:
absolute; TOP: 208px" runat="server">ERROR</asp:Label>
</form>
</body>
</HTML>


When I navigate to http://localhost/WebApplication1/WebForm1.aspx I get the
expected error page.

When I enter http://localhost/WebApplication1/~WebForm1.aspx I do not.

 

[Guest]

I can't control what the auditor types. He's being intentionally malicious.

Try using

~/page.aspx

instead of

~Home/page.aspx

~/ stands for the *root* of the application.

in

When I use the following url I get an error;

http://localhost/myapplication/~Home/Page.aspx

where the offending character is the tilde.

[HttpException (0x80070057): Invalid file name for monitoring:
'C:\projects\myapplication\~Home'. File names for monitoring must have
absolute paths, and no wildcards.]

The Tilde means "from the root of the application directory" - do you have
any custom http handlers or something in the global.asax file doing a file
system look up?

I do have an HttpModule, but the error happens *before* the module's
BeginRequest event is fired.

I just created a a web application using File > New > Project and the
minimal web application gives the same results when I type;

http://localhost/WebApplication1/~WebForm1.aspx

 

[Juan T. Llibre]

re:

When I enter
http://localhost/WebApplication1/~WebForm1.aspx I do not.

As mentioned, that is not valid syntax.
The tilde *musr* be followed by a slash.

You have it right in:

<customErrors mode="On" defaultRedirect="~/WebForm2.aspx"

Why do you insist on trying to use invalid syntax ?

 

[Juan T. Llibre]

If the auditor can't type a valid URL,
he/she shouldn't be the auditor.


--

I can't control what the auditor types. He's being intentionally malicious.

Try using

~/page.aspx

instead of

~Home/page.aspx

~/ stands for the *root* of the application.

:

in

When I use the following url I get an error;

http://localhost/myapplication/~Home/Page.aspx

where the offending character is the tilde.

[HttpException (0x80070057): Invalid file name for monitoring:
'C:\projects\myapplication\~Home'. File names for monitoring must have
absolute paths, and no wildcards.]

The Tilde means "from the root of the application directory" - do you have
any custom http handlers or something in the global.asax file doing a file
system look up?


I do have an HttpModule, but the error happens *before* the module's
BeginRequest event is fired.

I just created a a web application using File > New > Project and the
minimal web application gives the same results when I type;

http://localhost/WebApplication1/~WebForm1.aspx

 

[Guest]

The point of the auditor's exercise is NOT to enter valid information. He
WANTS to produce errors to see if they're handled correctly.

For instance, if I accidentally set customErrors mode="Off" the user would
see a detailed exception which is, from the standpoint of security, a bad
thing.

My application handles all exceptions gracefully. I log the contents of the
request and display a generic error page.

However when this error occurs, my application is not even aware that it
happened.

Whether the user is being stupid or malicious, I want to know about it.

 

[Lucas Tam]

If the auditor can't type a valid URL,
he/she shouldn't be the auditor.

ummm... the auditor found an unhandled exception - I think the auditor is
doing his/her job!

 

[Juan T. Llibre]

Yup.

I thought a "standard" ( accounting ) auditor was referenced.
If it's a software auditor, yes, you're right.