Server.MapPath() Bizarre Issue

Question

Did anyone observed or dealt with the following issue. I have couple web server (Dev, QA, Staging) all running Windows 2003, IIS 6. Recently applied an update which uses the following lines of code:

sLogPath = Server.MapPath("../Templates/" & strFileName)        
set fs = Server.CreateObject("Scripting.FileSystemObject")       
If fs.FileExists(sLogPath) Then

That works fine on all dev systems but as soon as we moved it to QA I am getting an error:

The '..' characters are not allowed in the Path parameter for the MapPath method.
Line number xxx 

Line number is to this line

sLogPath = Server.MapPath("../Templates/" & strFileName)

I tried replacing Server.MapPath("../Templates/") with Server.MapPath("/Templates/") but that gave me the root of IIS service (C:\InetPub\wwwroot) not the root of my sites. If I attempt to do Server.MapPath(strFileName) I am getting once again wrong path to the file because sites are not in IIS root but elsewhere on the drive.

Any ideas how this can be fixed?

Answer 1

The issue is you haven't got Enable parent paths enabled in the ASP application configuration.

Without it you are not permitted to use .. directory traversing in ASP functions.

For more information see Enable Parent Paths Is Disabled by Default in IIS 6.0

---

On a side note:

I tend to avoid the need for Parent Paths simply by configuring websites as separate web site instances in IIS rather than using %SystemDrive%\inetpub\wwwroot which is where the Default Website instance resides. Doing this means that code like Server.MapPath("/") will be valid and point to the root of your site not the Default Web Site instance root.