I'm using ASP.NET MVC with IIS 7.0. I've got 404 errors hooked up fine through my Application_Error override.

In addition to "Controllers", "Models", "Helpers" etc. I have a directory called 'Files' that I use to store user-uploaded files. When I go to http://www.mysite.com/files, instead of getting a 'Not Found' I get a default IIS 403 page that gives way too much information (e.g. exact directory structure of the server):

HTTP Error 403.14 - Forbidden
The Web server is configured to not list the contents of this directory.

If I try to access http://www.mysite.com/controllers or http://www.mysite.com/helpers, which are both existing directories with code files, I get a 404 page, which is what I want. I don't want the user to know anything about my directory structure.

Why is MVC not handling the /files directory?

+2  A: 

I figured this one out. The reason the Views directory was returning a proper '404' page but the Files directory was returning a too-much-information ASP.NET 'no permissions' page: there is a web.config file in the Views directory that prohibits showing files. It has the snippets below to stop MVC from serving the directory.

I just added a similar web.config file to my Files directory, and MVC now acts like the directory doesn't exist, which is exactly what I want.

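    <?xml version="1.0"?>
    <configuration>
      <!-- Classic pipeline: answer every request for this folder with a 404 -->
      <system.web>
        <httpHandlers>
          <add path="*" verb="*" type="System.Web.HttpNotFoundHandler"/>
        </httpHandlers>
      </system.web>

      <!-- IIS 7 integrated pipeline: the same 404 handler -->
      <system.webServer>
        <validation validateIntegratedModeConfiguration="false"/>
        <handlers>
          <remove name="BlockViewHandler"/>
          <add name="BlockViewHandler" path="*" verb="*" preCondition="integratedMode" type="System.Web.HttpNotFoundHandler"/>
        </handlers>
      </system.webServer>
    </configuration>
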
Freewalker
I second Charlino's comment on your original question. If these files should never be served as a direct response to an HTTP request then it's safer to just store them outside the web root. I usually have a folder structure like "app\web\" for the web site and "app\web_data\" for files like this.
Seth Petry-Johnson
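
As an added illustration of the layout suggested in the comment above (this is not code from the thread): a hypothetical ASP.NET MVC controller that serves uploads kept outside the web root and returns the same 404 for any name that does not resolve to a file inside that folder. The controller and action names, the `web_data` location relative to the site, and the `[Authorize]` policy are assumptions.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Mvc;

// Hypothetical controller (not from the thread). Assumes uploads live in
// app\web_data, a sibling of the web root app\web, as the comment suggests.
[Authorize] // assumption: downloads are limited to signed-in users
public class DownloadsController : Controller
{
    // Reached as /Downloads/Get?name=report.pdf under the default MVC route.
    public ActionResult Get(string name)
    {
        // web_data sits outside the site, so no URL maps onto it directly.
        string dataRoot = Path.GetFullPath(
            Path.Combine(Server.MapPath("~"), @"..\web_data"));

        string fullPath = ResolveInside(dataRoot, name);
        if (fullPath == null || !System.IO.File.Exists(fullPath))
        {
            // Same 404 for "bad name" and "no such file"; this reaches the
            // Application_Error handler like any other missing resource.
            throw new HttpException(404, "Not Found");
        }

        // The download name sets Content-Disposition: attachment, so an
        // uploaded .html file is saved rather than rendered on this origin.
        return File(fullPath, "application/octet-stream", name);
    }

    // Returns the absolute path for a bare file name under root, or null
    // if the name could refer to anything outside that directory.
    private static string ResolveInside(string root, string name)
    {
        if (string.IsNullOrEmpty(name) ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            return null; // rejects \ / : and control characters
        }

        string candidate = Path.GetFullPath(Path.Combine(root, name));
        string prefix = root.TrimEnd(Path.DirectorySeparatorChar)
                        + Path.DirectorySeparatorChar;
        return candidate.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)
            ? candidate
            : null; // catches ".." and similar
    }
}
```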