views:

193

answers:

3

The application folders in ASP.NET are used for storing various elements critical to running a website. I want to get a handle on understanding these folders in more depth, specifically the folder accessibility. According to the article on ASP.NET Web Site Layout:

The content of application folders, except for the App_Themes folder, is not served in response to Web requests, but it can be accessed from application code.

Any browser request to these folders results in a "404 - Page Not Found."

So what prevents folders like App_Code, App_Data, App_WebReferences, bin, etc. from being served to users? Is it an IIS hard-coded "don't serve this folder"? Is it a permissions configuration? And is there any way to knowingly/unknowingly circumvent this?

A: 

The .net framework itself intercepts requests to these folders (along with a bunch of other file types that you should be allowed to browse) and returns a 404 to IIS, which then gets passed back to the browser as "404 - Page Not Found".

So it doesn't happen at the permissions level, or even the IIS level. It's inside the framework -- probably in one of the HttpHandlers in the global web.config.

If you look in there, you can see a ton of file extensions that are explicitly configured to not be served. Presumably you could tweak the settings and cause it to serve, say, web.config files as xml (which is different than the usual behavior of saying that this file type is not served).

It's worth noting that I don't specifically see any of the special folders (app_code, etc) mentioned in the global web.config file. Maybe it's handled inside other HttpHandlers -- for instance, the handler for .aspx might contain some code that prevents serving of .aspx files located in special folders, etc.

Brian MacKay
+1  A: 

In IIS7 on Windows Server 2008, ASP.NET is more tightly integrated into the entire processing pipeline, so I would imagine that in IIS7, it is very easy for ASP.NET to say "No, I'm not going to touch that."

In IIS6, IIS itself has very little direct knowledge of IIS, instead, it's all controlled through the ISAPI configuration.

In the IIS6 IIS Manager, right click a website, get Properties, go to the Home Directory tab, and then click Configuration in the lower right. This shows the ISAPI application extensions and what is done for each one.

For all the ASP.NET extensions (aspx, ascx, config, browser, a ton of others) it specifies handling to be done by C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll

The ASP.NET system then has registered handlers for each of these file types defined in the global machine.config and/or web.config files at C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG

For instance, in the global web.config file, under httpHandlers element:

<add path="*.ascx" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>

So it is not just these special folders but many types of reserved files that are disallowed from browsing.

David
+1  A: 

On my IIS7.5 config, found at C:\Windows\System32\inetsrv\config\applicationHost.config there is this section:

<hiddenSegments applyToWebDAV="true">
    <add segment="web.config" />
    <add segment="bin" />
    <add segment="App_code" />
    <add segment="App_GlobalResources" />
    <add segment="App_LocalResources" />
    <add segment="App_WebReferences" />
    <add segment="App_Data" />
    <add segment="App_Browsers" />
</hiddenSegments>

See also IIS Documentation.

eddiegroves
Good find! I run IIS6 so I dug around and `applicationHost.config` doesn't exist. The IIS6 metabase can be found at: _systemroot_\System32\Inetsrv\MetaBase.xml; unfortunately there is no hiddenSegments element.
Gavin Miller
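The two mechanisms described in the answers above (IIS 7 request filtering's `hiddenSegments`, and ASP.NET's `httpHandlers` entries mapped to `System.Web.HttpForbiddenHandler`) can be modelled offline to see which requests each one stops. The following is an added example, not code from the original question or answers and not IIS's own implementation. The `<hiddenSegments>` fragment is the one quoted from `applicationHost.config`; the extension list is a constructed, partial subset of the .NET 2.0 global web.config (only `*.ascx` appears on the page, the rest are an assumption for this example), and the double-escaping and `..` canonicalisation steps are an approximation of request filtering's default behaviour. The point it makes that the prose does not: a hidden segment is a whole-segment, case-insensitive match after URL decoding, so `/bin/x` and `/%62in/x` are blocked but `/binary/x` is not, and the two mechanisms return different status codes (404 from request filtering, 403 from `HttpForbiddenHandler`).

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# The <hiddenSegments> fragment quoted from applicationHost.config (IIS 7.5).
HIDDEN_SEGMENTS_XML = """
<hiddenSegments applyToWebDAV="true">
    <add segment="web.config" />
    <add segment="bin" />
    <add segment="App_code" />
    <add segment="App_GlobalResources" />
    <add segment="App_LocalResources" />
    <add segment="App_WebReferences" />
    <add segment="App_Data" />
    <add segment="App_Browsers" />
</hiddenSegments>
"""

# Constructed, partial list of extensions the .NET 2.0 global web.config maps
# to System.Web.HttpForbiddenHandler. Only *.ascx is quoted on the page; the
# others are an assumption for this example, not a complete list.
FORBIDDEN_EXTENSIONS = frozenset({
    ".ascx", ".asax", ".config", ".cs", ".vb",
    ".resx", ".master", ".browser", ".mdf", ".ldf",
})


def parse_hidden_segments(xml_text):
    """Return the lower-cased segment names from a <hiddenSegments> element."""
    root = ET.fromstring(xml_text.strip())
    return [el.get("segment").lower() for el in root.findall("add")]


HIDDEN_SEGMENTS = frozenset(parse_hidden_segments(HIDDEN_SEGMENTS_XML))


def path_segments(url_path):
    """Split a path into segments; IIS treats '\\' as a separator too."""
    return [s for s in url_path.replace("\\", "/").split("/") if s]


def is_hidden(url_path, hidden=HIDDEN_SEGMENTS):
    """Whole-segment, case-insensitive match: /bin/x blocked, /binary/x not."""
    return any(seg.lower() in hidden for seg in path_segments(url_path))


def classify_request(raw_path):
    """Outcome for a raw (still percent-encoded) request path."""
    decoded = unquote(raw_path)
    # Default allowDoubleEscaping="false": a URL that still decodes further
    # after one pass is rejected by request filtering (substatus 404.11).
    if unquote(decoded) != decoded:
        return "404.11 double escaping"
    # IIS canonicalises the path (backslashes, '..') before filtering, so
    # /images/../bin/x is treated as /bin/x. posixpath.normpath approximates it.
    canonical = posixpath.normpath(decoded.replace("\\", "/"))
    if is_hidden(canonical):
        return "404.8 hidden segment"
    segments = path_segments(canonical)
    ext = posixpath.splitext(segments[-1])[1].lower() if segments else ""
    if ext in FORBIDDEN_EXTENSIONS:
        # HttpForbiddenHandler runs inside ASP.NET and answers 403,
        # "This type of page is not served.", not a 404.
        return "403 HttpForbiddenHandler"
    return "handed to normal handler"


if __name__ == "__main__":
    # Constructed sample requests, including encoded and traversal variants.
    for path in ["/Default.aspx", "/App_Data/users.mdb", "/%62in/App.dll",
                 "/binary/readme.txt", "/Controls/Menu.ascx",
                 "/images/../bin/App.dll", "/%2562in/App.dll"]:
        print(f"{path:28} -> {classify_request(path)}")
```

Run it as a script to see the table; the constructed traversal and encoded paths show why the check must run on the canonicalised, decoded URL rather than on the raw request line.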