Nonde Scripts

Wumpus

A while ago I was trying to come up with a way to customise the rather plain-looking directory listings in IIS. Yes, pretty much like you can customise error messages. After digging through the various options and settings and finding nothing, the next logical step was to go pay a little visit to Google. As you can see for yourself, most of the results actually talk about stuff like managing virtual directories or building .NET applications which, unsurprisingly, is not helpful. A couple of links, though, seem to relate to my problem.

Firstly, there's the Directory List sample code at ASP 101. Disregarding the appearance (which is hardly a step up from the IIS default) it's actually pretty good. But there's one caveat - as it is, it can only display one hard-coded directory. Yes, the author says that you can, quote, "take folder links and pass them back through the script so that people could browse the directory tree of your entire site all from this one little page". Sounds great, but then I'd also have to do extensive permission checking, lest someone browse my entire server via this "one little page". I mean, IIS already does permission checking for user requests, so why repeat the effort? So the search continues...

Next up is Fx:Scripts which offers "an ActiveX Component for IIS 5.x (or higher) servers which easily lists the contents of directories in a Windows Explorer style." Bingo! I think, as I read through the features list and marvel at the demos. Then I arrive at the bottom of the page where the price tag ever-so-unobtrusively resides. AUD $130? I don't think so, mate. Back to Google.

The DirectoryBrowser object at ASP Emporium works the way the author of the first script suggested, in that it takes the requested directory through the querystring and lists the contents. Now I'm willing to trust the script to be secure and not allow the users to just mosey on out of the webroot, but there's something about the sentence "allows unrestricted surfing of your entire web site and all of it's [sic] sub directories" that just made go back to Google. It was probably the "unrestricted" part, heh.
I did bookmark the page, though, because the use of a recordset to sort the directory contents was pretty neat.

Browsing through the next few pages on Google gave no results. Not relevant ones, at least. Concluding that there was no easy (ie. fiddle with a few settings or some such) way to do what I wanted, I headed over to the ASP Resource Index. Now, had I been looking for a full-featured file management app I would've been be spoiled for choice. But I wasn't. I didn't need the ability to move/copy/edit/delete/upload files, I just wanted a quick, clean way to display them, preferrably with a bit of eye-candy.

Arriving at the conclusion that I had to write my own script for this, I started thinking about how to have the server, rather than the user, call the script. That way I wouldn't have to worry about permission checks and users would travel from directory to directory via plain HTTP requests. The most obvious analogy that comes to mind is, again, customising error messages. Then it hit me. If there's no index doc in a directory, and browsing is disabled, what does the server return? A HTTP error message. A customisable error message. But which one? Another quick trip to Google answered that question - 403.14. Hastily I fired up IIS manager and set the 403.14 error document to the first HTML file I found, and browsed to the webroot. Eureka!

Thus Wumpus was born. The core of the script is very simple. Set as the error doc for HTTP 403.14 it retrieves the requested URL from request.servervariables("QUERY_STRING"), translates it to a physical path and lists the contents. It is inherently secure, since the server handles all permissions checking, and more elegant than passing URLs via the querystring. Plus you have very granular control over which directories you can browse this way.

Check out the features page to see everything Wumpus can do.