I have a asp.net web site with it we have admin area with login page for admin only and all site is allowed for all - i need to ask how to define the right security configuration for it as i get this error
Cannot use a leading .. to exit above the top directory. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.Web.HttpException: Cannot use a leading .. to exit above the top directory. Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below. Stack Trace: [HttpException (0x80004005): Cannot use a leading .. to exit above the top directory.] System.Web.Util.UrlPath.ReduceVirtualPath(String path) +8862087 System.Web.Util.UrlPath.Reduce(String path) +52 System.Web.Util.UrlPath.Combine(String appPath, String basepath, String relative) +214 System.Web.UI.Control.ResolveClientUrl(String relativeUrl) +180 System.Web.UI.WebControls.Image.AddAttributesToRender(HtmlTextWriter writer) +68 System.Web.UI.WebControls.WebControl.RenderBeginTag(HtmlTextWriter writer) +20 System.Web.UI.WebControls.WebControl.Render(HtmlTextWriter writer) +20 System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter) +27 System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter) +99 System.Web.UI.Control.RenderControl(HtmlTextWriter writer) +25 System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children) +134 System.Web.UI.Control.RenderChildren(HtmlTextWriter writer) +19 System.Web.UI.HtmlControls.HtmlForm.RenderChildren(HtmlTextWriter writer) +163 System.Web.UI.HtmlControls.HtmlContainerControl.Render(HtmlTextWriter writer) +32 System.Web.UI.HtmlControls.HtmlForm.Render(HtmlTextWriter output) +51 System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter) +27 System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter) +99 System.Web.UI.HtmlControls.HtmlForm.RenderControl(HtmlTextWriter writer) +40 System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children) +134 System.Web.UI.Control.RenderChildren(HtmlTextWriter writer) +19 System.Web.UI.Control.Render(HtmlTextWriter writer) +10 System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter) +27 System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter) +99 System.Web.UI.Control.RenderControl(HtmlTextWriter writer) +25 System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children) +134 System.Web.UI.Control.RenderChildren(HtmlTextWriter writer) +19 System.Web.UI.Page.Render(HtmlTextWriter writer) +29 System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter) +27 System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter) +99 System.Web.UI.Control.RenderControl(HtmlTextWriter writer) +25 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1266
my configuration file :
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" protection="All" loginUrl="Admin/LoginPage.aspx" path="/" enableCrossAppRedirects="true">
</forms>
</authentication>
<authorization>
<deny users="*" />
</authorization>
This question is related to
asp.net
.net
security
url
configuration
I had such a problem and the answer, although frustrating to find, was solved by doing a search on the offending page for the ".." in the error message. I am using Visual Studio Express and the solution was changing "../../Images/" to "~/Images/" . Hopefully this will help someone.
I had the problem occur on my system in a very strange way. In my system customers create products that sit inside a directory structure of product categories. So ProductA might sit in the folder CategoryInner inside the folder CategoryOuter. I had just added a feature where my URL would show the category nesting on the URL thusly:
http://www.somedomain.com/product/CategoryOuter/CategoryInner/ProductA.aspx
Obviously the nesting on the URL was just for SEO purposes (and to show the user what category their product was sitting in. But when I used ResolveClientUrl on some URLs that used to work, it must've been confused by the extra fake pathing. The error message was popping up in the debugger on some line that was never the problem so it took me quite some time to figure out what was going on. I wnet through and removed all of my ResolveClientUrl calls that acted on anything that didn't start with a ~ and made the rest of the paths absolute paths.
You can use ~/img/myImage.png instead of ../img/myImage.png to avoid this error in ASP.NET pages.
I know these answers are enough, but I'll show the place that's throwing an error.
If you have the structure like the below:
./Src/Master.cs - (Master Form Page)./Invoice/SubFolder/InvoiceEdit.aspx - (Sub Form Page)If you enter the sub form page, you'll get an error when you use similar like that you've used in master page: Page.ResolveClientUrl("~/Style/img/logo_small.png").
Now ResolveClientUrl is situated in the master page and trying to serve the root folder. But since you are in the subfolder, the function returns something like ../../Style/img/logo_small.png. This is the wrong way.
Because when you're up two levels, you are not in the right place; you need to go up only one level, so something like ../.
In my case it turned out to be commented out HTML in a master page!
Who knew that commented out HTML such as this were actually interpreted by ASP.NET!
<!--
<link rel="icon" href="../../favicon.ico">
-->
It means that one of the paths has a ".." at the beginning of it that would result in exiting the web site's root folder hierarchy. You need to google "asp.net relative paths" or something like that to help you with your problem.
BTW, a hint to where the problem is is included in the exception page that you saw. It will actually tell you what file it found the problem in.
To head off future occurences of this exception, do a search in the entire solution for this string: "../". If you find any of those in files in the root path of your web site, address them.
I moved my project from "standard" hosting to Azure and get the same error when I try to open page with url-rewrite. I.e. rule is :
<add key="/iPod-eBook-Creator.html" value="/Product/ProductDetail?PRODUCT_UID=IPOD_EBOOK_CREATOR" />
try to open my_site/iPod-eBook-Creator.html and get this error (page my_site/Product/ProductDetail?PRODUCT_UID=IPOD_EBOOK_CREATOR can be opened without any problem).
I checked the fully site - never used .. to "level up"
You have an image or a favicon link of the style ="../" somewhere, that if the "../" were valid, would go beyond the top of the site, like this:
Image:
http://example.com/Images/test.jpg
Page
http://example.com/Pages/test.aspx
Valid on that page: ../Images/test.jpg
Would throw an error: ../../Images/test.jpg
I got same problem... and I did it.
My code before:
<link rel="stylesheet" href="../css/style.default.css" type="text/css" />
And the problem solved after I changed my code into this:
<link rel="stylesheet" href="css/style.default.css" type="text/css" />
So I think "href=../" is not allowed, because I don't have problem when I use "../" in "src=../"
Source: Stackoverflow.com