is there anyway to do a #include with a file listed as an absolute path?
i am trying to include files from other websites (outsite the root of the sight that wants to include it)
any other suggestions?
A:
<!--#include file="c:\boot.ini"-->
There is a setting in IIS for allowing includes to parent paths, check that if the above doesn't work.
svinto
2009-07-22 08:12:40
IIRC unchecking that setting is potentially dangerous, because it would allow attackers to http://yoursite.com/../../windows/system32
Benjol
2009-07-22 08:16:14
@Benjol: Yes, but the attacker would have to change a file on your server to do that, and if they can do that, they could just as well read the file in code instead of including it.
svinto
2009-07-22 10:33:24
The ability to do that should be dependent on the actual user account that your web server is running applications as. Personally I use a limited account that has its permissions limited to the directories containing websites so even if I need include parent paths on I'm protected
RobV
2009-07-24 10:41:53
+1
A:
You can only include files from your server, these may technically be outside your website if the Allow Parent Paths option is enabled or if you can use a virtual include to point to another virtual directory on your server.
There is no way to include files from websites outside of your server or sites on your server that your application does not have permissions to access.
RobV
2009-07-22 08:16:08
A:
Another way to go is to create a directory below the root folder of your website, then making that folder a symbolic link to the folder where the file you want to include is located. Now there is no way to create symbolic links in Windows out of the box, you need Microsoft Sysinternals Junction for that.
svinto
2009-07-22 10:38:38
i am using a hosting service so i probably dont have this ability but good thought
ooo
2009-07-22 10:39:58
Hm, if you're using a hosting service, why would you want to include a file outside your website? Note that it is not possible to include a file from another webserver, no matter the setting on the server. (If that is the case, you need to fetch the file and ouput it's contents, but that's another question, and differs between asp and asp.net.)
svinto
2009-07-22 10:50:40
A:
You can do it, using XMLHTTP and the VBscript Execute statement. I wouldn't recommend it though as it creates substantial security risks.
A few links to get you started:
http://www.4guysfromrolla.com/webtech/042602-1.shtml
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/vsstmexecute.asp
http://www.4guysfromrolla.com/webtech/110100-1.shtml
It is a very high security risk, because someone can inject code into your app. Take your precautions.
One tip: the page you need to load from another server needs to have an extension different from .asp because if not the other server is going to send it already executed. It seems clear but I forgot it the first time!
backslash17
2009-07-24 15:50:34