Solved

ASP File Upload FileSystemObject Permission Denied

Posted on 2009-07-03
4
2,488 Views
Last Modified: 2012-05-07
I cannot seem to wrap my head around this so I need some help.

Ultimately, I need to upload a file with ASP to a remote file store server (all within my corporate network - just a different server from the web server).

First, I am using FreeASPUpload to do the upload - found on the web for free and shown below.

Second, I have a virtual directory set up on IIS pointing to the remote file share. The anonymous permissions are configured for a domain account that has Read/Write/Modify access to the remote file server.

I have the upload script working perfectly when uploading to the web server. When I tried changing it to the virtual directory I kept getting Permission Denied and I could not figure out why. After some reading about the FreeASPUpload script I found out that it cannot upload to a virtual directory, for whatever reason. They blame it on the ADODB.Stream procedure.

So I am trying to create a work-a-round. What I did was upload the file to the local web server - which works fine - and then I am using FileSystemObject to copy the file to the virtual directory and delete it from the web server. In essence I am using the web server as a transfer point.

If I just take the FileSystemObject code attached and run it independently as its own script, in its own web browser window, the file gets copied to the virtual directory and deleted from the web server just fine. However, if I try to run the script as part of the FreeASPUpload procedure or even from within the same browser window I get "Permission Denied".

So I was thinking that for some reason the file upload was doing something to the permissions on my session so the IIS server no longer knew who I was (even though it is suppose to be using the anonymous user account specified) which doesn't make any sense. So I tried running the FreeASPUpload script, and then using JavaScript to popup a new browser window to run the FileSystemObject script and then close the browser window. I still get Permission Denied in the popup page. But if I take the URL from the popup page and manually open a new browser window, paste the URL and hit enter the code runs fine. I even tried delaying the opening of the popup page thinking the upload might be taking a second that that didn't help.

I cannot figure this out and it is driving me nuts. Any ideas?
/// FILESYSTEMOBJECT CODE ///
 

<%

Dim uploadsDirRemote, uploadsDirLocal, filename

uploadsDirLocal = Server.MapPath("\") & "\Public\doc_transfer\"

If request.querystring("interface") = "Event" Then

uploadsDirRemote = Server.MapPath("/Remote/public_files/") & "\DeptStorage\Files\" & request.querystring("id") & "\"

End If

filename = request.querystring("filename")
 

response.write uploadsDirRemote
 

    '### CREATE REMOTE STORAGE FOLDER ###

    Set fs = Server.CreateObject("Scripting.FileSystemObject")

    If fs.FolderExists(uploadsDirRemote) = true then

    'Folder already exists, do not create folder

    Else

    fs.createfolder(uploadsDirRemote) 

    End If

    '### TRANSFER TEMP FILE TO REMOTE STORAGE ###

    Set f = fs.GetFile(uploadsDirLocal & filename)

    f.Copy uploadsDirRemote & "\" & filename,true

    Set f = Nothing

    '### DELETE TEMP FILE ###

    fs.CreateTextFile uploadsDirLocal & filename,True

    If fs.FileExists(uploadsDirLocal & filename) then

    fs.DeleteFile(uploadsDirLocal & filename)

    End If

    Set fs = Nothing

Response.Write("<SCRIPT>window.close()</SCRIPT>")

%>
 
 

/// FREEASPUPLOAD CODE ///
 

<%@ Language=VBScript %>

<% 

option explicit 

Response.Expires = -1

Server.ScriptTimeout = 600

%>

<!-- #include file="..\database_connect\mssql_connect.asp" -->
 

<%

Class FreeASPUpload

	Public UploadedFiles

	Public FormElements
 

	Private VarArrayBinRequest

	Private StreamRequest

	Private uploadedYet
 

	Private Sub Class_Initialize()

		Set UploadedFiles = Server.CreateObject("Scripting.Dictionary")

		Set FormElements = Server.CreateObject("Scripting.Dictionary")

		Set StreamRequest = Server.CreateObject("ADODB.Stream")

		StreamRequest.Type = 1 'adTypeBinary

		StreamRequest.Open

		uploadedYet = false

	End Sub

	

	Private Sub Class_Terminate()

		If IsObject(UploadedFiles) Then

			UploadedFiles.RemoveAll()

			Set UploadedFiles = Nothing

		End If

		If IsObject(FormElements) Then

			FormElements.RemoveAll()

			Set FormElements = Nothing

		End If

		StreamRequest.Close

		Set StreamRequest = Nothing

	End Sub
 

	Public Property Get Form(sIndex)

		Form = ""

		If FormElements.Exists(LCase(sIndex)) Then Form = FormElements.Item(LCase(sIndex))

	End Property
 

	Public Property Get Files()

		Files = UploadedFiles.Items

	End Property
 

	'Calls Upload to extract the data from the binary request and then saves the uploaded files
 

' ///// START OF CUSTOM CODE /////
 

	Public Function FilesSave(path, linkid, interface)

		Dim streamFile, fileItem, SQL, record_check, rs, total, rs1, SQL1, doctitle
 

		doctitle = Request.QueryString("title")
 

		if Right(path, 1) <> "\" then path = path & "\"
 

		if not uploadedYet then Upload
 

		For Each fileItem In UploadedFiles.Items

			Set streamFile = Server.CreateObject("ADODB.Stream")

			streamFile.Type = 1

			streamFile.Open

			StreamRequest.Position=fileItem.Start

			StreamRequest.CopyTo streamFile, fileItem.Length

			streamFile.SaveToFile path & fileItem.FileName, 2

			streamFile.close

			Set streamFile = Nothing

			Response.Write "<SCRIPT type='text/javascript'>self.setTimeout('window.open(\'../Modules/upload_sub.asp?id=" & linkid & "&interface=" & interface & "&filename=" & fileItem.FileName & "&title=" & doctitle & "&size=" & fileItem.Length & "\');$(\'#uploading\').hide();$(\'#fileresults\').show();', 10000)</SCRIPT>"

'Response.Redirect "../Modules/upload_sub.asp?id=" & linkid & "&interface=" & interface & "&filename=" & fileItem.FileName & "&title=" & doctitle & "&size=" & fileItem.Length

			response.write "<span id=fileresults><br><B>File uploaded successfully!</B><br><br><br><table><tr><td><u>File Details</u><br>"

			response.write "File Title: " & doctitle & "<br>File Name: " & fileItem.FileName & " <br>File Size: " & fileItem.Length & " Bytes</td></tr></table></span>"

		 Next

	End Function
 

' ///// END OF CUSTOM CODE /////
 

	Public Function SaveBinRequest(path) ' For debugging purposes

		StreamRequest.SaveToFile path & "\debugStream.bin", 2

	End Function
 

	Public Sub DumpData() 'only works if files are plain text

		Dim i, aKeys, f

		response.write "Form Items:<br>"

		aKeys = FormElements.Keys

		For i = 0 To FormElements.Count -1 ' Iterate the array

			response.write aKeys(i) & " = " & FormElements.Item(aKeys(i)) & "<BR>"

		Next

		response.write "Uploaded Files:<br>"

		For Each f In UploadedFiles.Items

			response.write "Name: " & f.FileName & "<br>"

			response.write "Type: " & f.ContentType & "<br>"

			response.write "Start: " & f.Start & "<br>"

			response.write "Size: " & f.Length & "<br>"

		 Next

   	End Sub
 

	Private Sub Upload()

		Dim nCurPos, nDataBoundPos, nLastSepPos

		Dim nPosFile, nPosBound

		Dim sFieldName, osPathSep, auxStr
 

		'RFC1867 Tokens

		Dim vDataSep

		Dim tNewLine, tDoubleQuotes, tTerm, tFilename, tName, tContentDisp, tContentType

		tNewLine = Byte2String(Chr(13))

		tDoubleQuotes = Byte2String(Chr(34))

		tTerm = Byte2String("--")

		tFilename = Byte2String("filename=""")

		tName = Byte2String("name=""")

		tContentDisp = Byte2String("Content-Disposition")

		tContentType = Byte2String("Content-Type:")
 

		uploadedYet = true
 

		on error resume next

		VarArrayBinRequest = Request.BinaryRead(Request.TotalBytes)

		if Err.Number <> 0 then 

			response.write "<br><br><B>System reported this error:</B><p>"

			response.write Err.Description & "<p>"

			response.write "The most likely cause for this error is the incorrect setup of AspMaxRequestEntityAllowed in IIS MetaBase. Please see instructions in the <A HREF='http://www.freeaspupload.net/freeaspupload/requirements.asp'>requirements page of freeaspupload.net</A>.<p>"

			Exit Sub

		end if

		on error goto 0 'reset error handling
 

		nCurPos = FindToken(tNewLine,1) 'Note: nCurPos is 1-based (and so is InstrB, MidB, etc)
 

		If nCurPos <= 1  Then Exit Sub

		 

		'vDataSep is a separator like -----------------------------21763138716045

		vDataSep = MidB(VarArrayBinRequest, 1, nCurPos-1)
 

		'Start of current separator

		nDataBoundPos = 1
 

		'Beginning of last line

		nLastSepPos = FindToken(vDataSep & tTerm, 1)
 

		Do Until nDataBoundPos = nLastSepPos

			

			nCurPos = SkipToken(tContentDisp, nDataBoundPos)

			nCurPos = SkipToken(tName, nCurPos)

			sFieldName = ExtractField(tDoubleQuotes, nCurPos)
 

			nPosFile = FindToken(tFilename, nCurPos)

			nPosBound = FindToken(vDataSep, nCurPos)

			

			If nPosFile <> 0 And  nPosFile < nPosBound Then

				Dim oUploadFile

				Set oUploadFile = New UploadedFile

				

				nCurPos = SkipToken(tFilename, nCurPos)

				auxStr = ExtractField(tDoubleQuotes, nCurPos)

                ' We are interested only in the name of the file, not the whole path

                ' Path separator is \ in windows, / in UNIX

                ' While IE seems to put the whole pathname in the stream, Mozilla seem to 

                ' only put the actual file name, so UNIX paths may be rare. But not impossible.

                osPathSep = "\"

                if InStr(auxStr, osPathSep) = 0 then osPathSep = "/"

				oUploadFile.FileName = Right(auxStr, Len(auxStr)-InStrRev(auxStr, osPathSep))
 

				if (Len(oUploadFile.FileName) > 0) then 'File field not left empty

					nCurPos = SkipToken(tContentType, nCurPos)

					

                    auxStr = ExtractField(tNewLine, nCurPos)

                    ' NN on UNIX puts things like this in the streaa:

                    '    ?? python py type=?? python application/x-python

					oUploadFile.ContentType = Right(auxStr, Len(auxStr)-InStrRev(auxStr, " "))

					nCurPos = FindToken(tNewLine, nCurPos) + 4 'skip empty line

					

					oUploadFile.Start = nCurPos-1

					oUploadFile.Length = FindToken(vDataSep, nCurPos) - 2 - nCurPos

					

					If oUploadFile.Length > 0 Then UploadedFiles.Add LCase(sFieldName), oUploadFile

				End If

			Else

				Dim nEndOfData

				nCurPos = FindToken(tNewLine, nCurPos) + 4 'skip empty line

				nEndOfData = FindToken(vDataSep, nCurPos) - 2

				If Not FormElements.Exists(LCase(sFieldName)) Then 

					FormElements.Add LCase(sFieldName), String2Byte(MidB(VarArrayBinRequest, nCurPos, nEndOfData-nCurPos))

				else

                    FormElements.Item(LCase(sFieldName))= FormElements.Item(LCase(sFieldName)) & ", " & String2Byte(MidB(VarArrayBinRequest, nCurPos, nEndOfData-nCurPos)) 

                end if 
 

			End If
 

			'Advance to next separator

			nDataBoundPos = FindToken(vDataSep, nCurPos)

		Loop

		StreamRequest.Write(VarArrayBinRequest)

	End Sub
 

	Private Function SkipToken(sToken, nStart)

		SkipToken = InstrB(nStart, VarArrayBinRequest, sToken)

		If SkipToken = 0 then

			Response.write "Error in parsing uploaded binary request."

			Response.End

		end if

		SkipToken = SkipToken + LenB(sToken)

	End Function
 

	Private Function FindToken(sToken, nStart)

		FindToken = InstrB(nStart, VarArrayBinRequest, sToken)

	End Function
 

	Private Function ExtractField(sToken, nStart)

		Dim nEnd

		nEnd = InstrB(nStart, VarArrayBinRequest, sToken)

		If nEnd = 0 then

			Response.write "Error in parsing uploaded binary request."

			Response.End

		end if

		ExtractField = String2Byte(MidB(VarArrayBinRequest, nStart, nEnd-nStart))

	End Function
 

	'String to byte string conversion

	Private Function Byte2String(sString)

		Dim i

		For i = 1 to Len(sString)

		   Byte2String = Byte2String & ChrB(AscB(Mid(sString,i,1)))

		Next

	End Function
 

	'Byte string to string conversion

	Private Function String2Byte(bsString)

		Dim i

		String2Byte =""

		For i = 1 to LenB(bsString)

		   String2Byte = String2Byte & Chr(AscB(MidB(bsString,i,1))) 

		Next

	End Function

End Class
 

Class UploadedFile

	Public ContentType

	Public Start

	Public Length

	Public Path

	Private nameOfFile
 

    ' Need to remove characters that are valid in UNIX, but not in Windows

    Public Property Let FileName(fN)

        nameOfFile = fN

        nameOfFile = SubstNoReg(nameOfFile, "\", "_")

        nameOfFile = SubstNoReg(nameOfFile, "/", "_")

        nameOfFile = SubstNoReg(nameOfFile, ":", "_")

        nameOfFile = SubstNoReg(nameOfFile, "*", "_")

        nameOfFile = SubstNoReg(nameOfFile, "?", "_")

        nameOfFile = SubstNoReg(nameOfFile, """", "_")

        nameOfFile = SubstNoReg(nameOfFile, "<", "_")

        nameOfFile = SubstNoReg(nameOfFile, ">", "_")

        nameOfFile = SubstNoReg(nameOfFile, "|", "_")

    End Property
 

    Public Property Get FileName()

        FileName = nameOfFile

    End Property
 

    'Public Property Get FileN()ame

End Class
 
 

' Does not depend on RegEx, which is not available on older VBScript

' Is not recursive, which means it will not run out of stack space

Function SubstNoReg(initialStr, oldStr, newStr)

    Dim currentPos, oldStrPos, skip

    If IsNull(initialStr) Or Len(initialStr) = 0 Then

        SubstNoReg = ""

    ElseIf IsNull(oldStr) Or Len(oldStr) = 0 Then

        SubstNoReg = initialStr

    Else

        If IsNull(newStr) Then newStr = ""

        currentPos = 1

        oldStrPos = 0

        SubstNoReg = ""

        skip = Len(oldStr)

        Do While currentPos <= Len(initialStr)

            oldStrPos = InStr(currentPos, initialStr, oldStr)

            If oldStrPos = 0 Then

                SubstNoReg = SubstNoReg & Mid(initialStr, currentPos, Len(initialStr) - currentPos + 1)

                currentPos = Len(initialStr) + 1

            Else

                SubstNoReg = SubstNoReg & Mid(initialStr, currentPos, oldStrPos - currentPos) & newStr

                currentPos = oldStrPos + skip

            End If

        Loop

    End If

End Function

%>
 
 
 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<script type="text/javascript" src="../java/jquery-1.2.6.min.js"></script>

<script type="text/javascript" src="../java/ajax.js"></script>

<script type="text/javascript" src="../java/functions.js"></script>

<link rel="stylesheet" href="../style/default.css">

</head>
 

<% If Request.QueryString("tabupdated") = 2 Then %>

<body onload='$("#fileselected").hide();$("#fileresults").hide();'>

<% Else %>

<body onload='$("#fileselected").hide();'>

<% End If %>

<%
 
 

' *********************** START VARIABLE EDIT ***********************
 

  Dim uploadsDirRemote, uploadsDirLocal
 

  uploadsDirLocal = Server.MapPath("\") & "\Public\doc_transfer"
 

' ************************ END VARIABLE EDIT ************************
 

function OutputForm()

%>
 
 

<% Response.Write "<form name='frmSend' method='POST' enctype='multipart/form-data' action='#'>" %>
 

<center><br><br>

Enter a file description: <input type="text" size=35 name="doctitle"><br><br>

    Select a document: <input type="button" value="Browse..." class="btn" onmouseover="this.className='btn btnhov'" onmouseout="this.className='btn'"/><input name="attach1" type="file" size=35 class="hidebrowse" onchange="$('#fileselected').show();">

&nbsp;&nbsp;<span id="fileselected"><img src="../images/checkmark.gif" border="0" height="16" width="16"></span>

<br><br>
 

    <input style="margin-top:4" type=button value="Upload File" onclick="fileuploadverify_events();" class="btn" onmouseover="this.className='btn btnhov'" onmouseout="this.className='btn'"/>

    </form>

</center>
 

<%

end function
 

function SaveFiles

    Dim Upload, fileName, fileSize, ks, i, fileKey, fs, f
 

    Set Upload = New FreeASPUpload
 

    Upload.FilesSave uploadsDirLocal, request.querystring("id"), "Event"
 

	' If something fails inside the script, but the exception is handled

	If Err.Number<>0 then Exit function
 

    SaveFiles = ""

    ks = Upload.UploadedFiles.keys
 
 

    if (UBound(ks) <> -1) then

 

'
 

    else

      SaveFiles = "<br>The file you have entered does not appear to be valid or already exists. Please select another file."

    end if
 
 

end function

%>
 

<%

Dim diagnostics

if Request.ServerVariables("REQUEST_METHOD") <> "POST" then

        response.write "<div align=""center"">"

        OutputForm()

        response.write "</div>"

else

    response.write "<div align=""center"">"

    OutputForm()

If Request.QueryString("tabupdated") = 2 Then

    response.write SaveFiles()

%>

<span id="uploading">

      <div align="center"><font size="2" face="Arial, Helvetica, sans-serif"> 

          <image src="../images/indicator.gif" border="0"> <i>Uploading File... Please Wait.</i>

          </font></div>

</span>

<%

End If

    response.write "<br><br></div>"

End If
 

%>
 

</body>

</html>

Open in new window

0
Comment
Question by:MDauphinais1
  • 2
  • 2
4 Comments
 
LVL 22

Expert Comment

by:cj_1969
ID: 24784529
Welcome to the fun world of MS permissions!
If you are copying the file from one server to another using an ASP file then IIS is using the anonymous account of the web server to execute the code.  This being the case IUSR_<server name> being a local account on the server does not have permissions to any network resources.

THe easiest way to do this is to create a local account on the IIS server and one on the file server with the same name and password (or use a domain account if both machines are members of the same domain) and then grant the account appropriate NTFS and share persmissions on the file server and over ride the anonymous ID for the directory (or you might be able to do it at the file level and do it just for this page) with the ID and PW that you just created.  Then when the page runs it will run under that new ID which should now have permissions to access the remote server and directory.
0
 

Author Comment

by:MDauphinais1
ID: 24785266
Thanks for the response. But like I said in my post:

"I have a virtual directory set up on IIS pointing to the remote file share. The anonymous permissions are configured for a domain account that has Read/Write/Modify access to the remote file server. "

I am aware of the anonymous user issue on IIS. I already took care of that by using a domain account. The issue I am experiencing is not chronic. If I independently call FileSystemObject to create or move a file to the remote server, it works fine. This tells me the permissions are good. However, if I try to upload to the remove server, I get Permission Denied, Write File Error or a blank response but no upload.

If I upload to the local web server instead, it works fine. Then if I try to call the FileSystemObject for any reason on the remove server, create folder, move file, etc. within a few minutes from when the upload occured I will get Permission Denied, Write File Error, etc. on the remove server. If I literally sit and wait for several minutes after the upload occurs and try the FileSystemObject call again, whatever I was trying to do will run fine.

The upload script is not changing any rights (at least not intentionally) so this is very perplexing.
0
 
LVL 22

Expert Comment

by:cj_1969
ID: 24785518
Sorry for the mis-understanding.
Two things come to mind.
Since you need to access a "remote" network resource make sure that you have impersonation enabled for this directory/site in IIS, otherwise I believe the credentials default to the anonumous machine account, despite what is being used in IIS for anonymous.
The other thing that comes to mind is that it might be trying to use the application pool ID as oppsed to the anonymous account.  You can try changing the logon ID of the app pool to the domain account and see if this works ... I believe you will still need to have impersonation enabled for the site for this to work.

http://msdn.microsoft.com/en-us/library/134ec8tc(VS.80).aspx
0
 

Accepted Solution

by:
MDauphinais1 earned 0 total points
ID: 25327798
The issue ended up being on our servers. I don't really know what the issue was but I was told the file share server was screwed up with a failing HDD and other strange issues with the way they have everything set up.

What I did to finally get it working was originally I had the entire IIS site set to Anonymous with credentials that had access on the file share. I changed that to make the entire site Windows Authentication only and made one specific folder Anonymous with the special credentials. This folder only contains one file which creates/deletes folders on the file share. To keep the session variable for the current user from being overridden I call the file in this folder with JavaScript instead of from ASP. Seems to be working so far...
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now