Review code for the use of MapPath. When MapPath is used to map the virtual path in the requested URL to a physical path on the server, it should be called in a way that ensures cross-application mapping is not allowed.
The application should not contain code similar to the following example.
string mappedPath = Request.MapPath(inputPath.Text, Request.ApplicationPath);
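Instead, the application should contain code similar to the following, which passes false as the third argument and catches the HttpException raised when cross-application mapping is attempted.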
try
{
    string mappedPath = Request.MapPath(inputPath.Text, Request.ApplicationPath, false);
}
catch (HttpException)
{
    // Cross application mapping attempted.
}
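The check above can be wrapped in a helper so the mapped path is only returned when it is safe to use. This is an added example, not code from the original page: the class and method names are hypothetical, and the containment check against PhysicalApplicationPath is an extra defense-in-depth step that goes beyond what the page describes.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical helper; names are assumptions made for this example.
public static class SafePathMapper
{
    // Returns the canonical physical path for a user-supplied virtual path,
    // or null when the path is empty, malformed, or rejected.
    public static string TryMapInsideApplication(HttpRequest request, string userVirtualPath)
    {
        if (request == null) throw new ArgumentNullException("request");
        if (string.IsNullOrWhiteSpace(userVirtualPath)) return null;

        string fullPath;
        try
        {
            // Third argument false: cross-application mapping is not allowed.
            string mapped = request.MapPath(userVirtualPath, request.ApplicationPath, false);
            // Canonicalize so the prefix comparison below sees no "..\" segments.
            fullPath = Path.GetFullPath(mapped);
        }
        catch (HttpException)
        {
            // Cross application mapping attempted.
            return null;
        }
        catch (ArgumentException) { return null; }     // malformed path
        catch (NotSupportedException) { return null; } // unsupported path format
        catch (PathTooLongException) { return null; }  // path exceeds system limit

        // Added defense in depth: the result must sit beneath the application's
        // physical root. The trailing separator stops "C:\site" from matching
        // "C:\site-other". The root directory itself is rejected.
        string root = Path.GetFullPath(request.PhysicalApplicationPath);
        string sep = Path.DirectorySeparatorChar.ToString();
        if (!root.EndsWith(sep, StringComparison.Ordinal)) root += sep;

        return fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase)
            ? fullPath
            : null;
    }
}
```

A caller would treat a null result as a rejected request and log it rather than fall back to another mapping call.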