[Mono-aspnet-list] unintentional App_Data external access Apache

japsai japsai at gmail.com
Thu Feb 17 14:50:14 EST 2011

Ok, I think I figured it out. Mono seems to bypass apache <Directory>
containers below the main mono <Location>.

I was able to restrict access with 

<Location "/myapp/App_Data">
   Deny from all

But not with similar things in a <Directory> container. Note that the apache
documentation warns against using Location containers to restrict filesystem

It might even be wise to put this for all "App_*" folders in the
Configuration tool, since users coming from windows might expect that access
to these folders is restricted by default, as it says in the ASP.NET
documentation, right?

It might also be to some mistake in my apache configuration, as I'm not
exactly a crack at that stuff.

japsai wrote:
> Hi All,
> I deployed a simple web project with ASP.NET MVC on a server running
> Ubuntu with Apache. 
> I used the Apache Mono Configuration tool, for an "Application"/ virtual
> directory: http://go-mono.com/config-mod-mono/.
> However, surfing to mydomain.com/myapp/App_Data/mydatabase.db downloads my
> database? 
> www-data (the apache user) has read/write permissions on App_Data, which i
> think is necessary..
> How do I configure this so only the typical static files (i.e. in
> /Content) can be downloaded?
> Thanks for any help,
> Jasper

View this message in context: http://mono.1490590.n4.nabble.com/unintentional-App-Data-external-access-Apache-tp3311287p3311495.html
Sent from the Mono - ASP.NET mailing list archive at Nabble.com.

More information about the Mono-aspnet-list mailing list