Cannot use a leading ../ to exit above the top directory

asp.net security .net url configuration

I have a asp.net web site with it we have admin area with login page for admin only and all site is allowed for all - i need to ask how to define the right security configuration for it as i get this error 

Cannot use a leading .. to exit above the top directory. 
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.Web.HttpException: Cannot use a leading .. to exit above the top directory.

Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.  

Stack Trace: 


[HttpException (0x80004005): Cannot use a leading .. to exit above the top directory.]
   System.Web.Util.UrlPath.ReduceVirtualPath(String path) +8862087
   System.Web.Util.UrlPath.Reduce(String path) +52
   System.Web.Util.UrlPath.Combine(String appPath, String basepath, String relative) +214
   System.Web.UI.Control.ResolveClientUrl(String relativeUrl) +180
   System.Web.UI.WebControls.Image.AddAttributesToRender(HtmlTextWriter writer) +68
   System.Web.UI.WebControls.WebControl.RenderBeginTag(HtmlTextWriter writer) +20
   System.Web.UI.WebControls.WebControl.Render(HtmlTextWriter writer) +20
   System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter) +27
   System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter) +99
   System.Web.UI.Control.RenderControl(HtmlTextWriter writer) +25
   System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children) +134
   System.Web.UI.Control.RenderChildren(HtmlTextWriter writer) +19
   System.Web.UI.HtmlControls.HtmlForm.RenderChildren(HtmlTextWriter writer) +163
   System.Web.UI.HtmlControls.HtmlContainerControl.Render(HtmlTextWriter writer) +32
   System.Web.UI.HtmlControls.HtmlForm.Render(HtmlTextWriter output) +51
   System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter) +27
   System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter) +99
   System.Web.UI.HtmlControls.HtmlForm.RenderControl(HtmlTextWriter writer) +40
   System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children) +134
   System.Web.UI.Control.RenderChildren(HtmlTextWriter writer) +19
   System.Web.UI.Control.Render(HtmlTextWriter writer) +10
   System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter) +27
   System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter) +99
   System.Web.UI.Control.RenderControl(HtmlTextWriter writer) +25
   System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children) +134
   System.Web.UI.Control.RenderChildren(HtmlTextWriter writer) +19
   System.Web.UI.Page.Render(HtmlTextWriter writer) +29
   System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter) +27
   System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter) +99
   System.Web.UI.Control.RenderControl(HtmlTextWriter writer) +25
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1266

my configuration file : 

 <authentication mode="Forms">
  <forms name=".ASPXFORMSAUTH" protection="All" loginUrl="Admin/LoginPage.aspx" path="/" enableCrossAppRedirects="true">
  </forms>
</authentication>
<authorization>
  <deny users="*" />
</authorization>


What this means is that your web page is referring to content which is in the folder one level up from your page, but your page is already in the website's root folder, so the relative path is invalid. Judging by your exception message it looks like an image control is causing the problem.

You must have something like:

<asp:Image ImageUrl="..\foo.jpg" />

But since the page itself is in the root folder of the website, it cannot refer to content one level up, which is what the leading ..\ is doing.


You can use ~/img/myImage.png instead of ../img/myImage.png to avoid this error in ASP.NET pages.


You have an image or a favicon link of the style ="../" somewhere, that if the "../" were valid, would go beyond the top of the site, like this:

Image:

http://example.com/Images/test.jpg

Page

http://example.com/Pages/test.aspx

Valid on that page: ../Images/test.jpg
Would throw an error: ../../Images/test.jpg


It means that one of the paths has a ".." at the beginning of it that would result in exiting the web site's root folder hierarchy. You need to google "asp.net relative paths" or something like that to help you with your problem.

BTW, a hint to where the problem is is included in the exception page that you saw. It will actually tell you what file it found the problem in.

To head off future occurences of this exception, do a search in the entire solution for this string: "../". If you find any of those in files in the root path of your web site, address them.


In my case it turned out to be commented out HTML in a master page!

Who knew that commented out HTML such as this were actually interpreted by ASP.NET!

<!--
<link rel="icon" href="../../favicon.ico">
-->

Related

Testing for inequality in T-SQL
How to run a command in the background on Windows?
Does UNION ALL guarantee the order of the result set [duplicate]
Is it possible to merge iterators in Java?
To the power of in C? [duplicate]
JavaScript/jQuery - "$ is not defined- $function()" error
In bash, how to store a return value in a variable?
How to store array or multiple values in one column
Xcode 9 - failed to emit precompiled header [duplicate]
Admob ads not loading - Failed to load ad: 0
How do I detect if I'm running MATLAB or Octave?
Can Spring MVC handle multivalue query parameter?