Commit 4bdf70d

'accessPolicy' is a little mis-represented. And definitely needs to call out that preventing execution does not necessarily prevent initialization.
1 parent bd38bb5 commit 4bdf70d

2 files changed

+5
-2
lines changed

iis/configuration/system.webServer/handlers/add.md

Lines changed: 1 addition & 1 deletion
@@ -107,7 +107,7 @@ The `<add>` element of the `<handlers>` collection is included in the default in
107107
| `name` | Required string attribute. <br><br>Specifies the unique name of the handler mapping. |
108108
| `path` | Required string attribute. <br><br>Specifies the file name or the file name extension for which the handler mapping applies. |
109109
| `preCondition` | Optional string attribute. <br><br>Specifies conditions under which the handler will run. <br><br>The **preCondition** attribute can be one or more of the following possible values. If you specify more than one value, separate the values with a comma (,). <table> <tbody> <tr> <th>Value</th> <th>Description</th></tr> <tr> <th><code>bitness32</code></th> <td>Specify the <strong>bitness32</strong> value when the handler is a 32-bit .dll file, and IIS should load the handler only for worker processes that run in WOW64 mode (32-bit simulation) on a 64-bit operating system. </td></tr> <tr> <th><code>bitness64</code></th> <td>Specify the <strong>bitness64</strong> value when the handler is a 64-bit .dll file, and IIS should load the handler only for worker processes that run in 64-bit mode. </td></tr> <tr> <th><code>integratedMode</code></th> <td>Specify the <strong>integratedMode</strong> value when the handler should respond only to requests in application pools that are configured to use the integrated request-processing pipeline. </td></tr> <tr> <th><code>ISAPIMode</code></th> <td>Specify the <strong>ISAPIMode</strong> value when the handler should respond only to requests in application pools that are configured to use Classic mode. </td></tr> <tr> <th><code>runtimeVersionv1.1</code></th> <td>Specify the <strong>runtimeVersionv1.1</strong> value when the handler should respond only to requests in application pools that are configured to use .NET Framework version 1.1. </td></tr> <tr> <th><code>runtimeVersionv2.0</code></th> <td>Specify the <strong>runtimeVersionv2.0</strong> value when the handler should respond only to requests in application pools that are configured to use .NET Framework version 2.0. </td></tr></tbody></table> |
110-
| `requireAccess` | Optional enum attribute. <br><br>Specifies the type of access that a handler requires to the resource. <br><br>The **requireAccess** attribute can be one or more of the following possible values. If you specify more than one value, separate the values with a comma (,). The default value is `Script`. <table> <tbody> <tr> <th>Value</th> <th>Description</th></tr> <tr> <td><strong>Execute</strong></td> <td>Specifies that the handler requires rights to run executables. <br><br>The numeric value is <code>4</code>. </td></tr> <tr> <td><strong>None</strong></td> <td>Specifies that the handler does not have access requirements. <br><br>The numeric value is <code>0</code>. </td></tr> <tr> <td><strong>Read</strong></td> <td>Specifies that the handler requires read permissions. <br><br>The numeric value is <code>1</code>. </td></tr> <tr> <td><strong>Script</strong></td> <td>Specifies that the handler requires rights to run scripts. <br><br>The numeric value is <code>3</code>. </td></tr> <tr> <td><strong>Write</strong></td> <td>Specifies that the handler requires write permissions. <br><br>The numeric value is <code>2</code>. </td></tr></tbody></table> |
110+
| `requireAccess` | Optional enum attribute. <br><br>Specifies the access level at which a handler will execute. <br><br>The **requireAccess** attribute can be one or more of the following possible values. If you specify more than one value, separate the values with a comma (,). The default value is `Script`. <br><br>**Note:** Even if a handler’s **requireAccess** value does not match the current `accessPolicy` level, it remains part of the configured set of handlers and may be initialized, although it will not be executed. <table> <tbody> <tr> <th>Value</th> <th>Description</th></tr> <tr> <td><strong>Execute</strong></td> <td>Specifies that the handler requires rights to run executables. <br><br>The numeric value is <code>4</code>. </td></tr> <tr> <td><strong>None</strong></td> <td>Specifies that the handler does not have access requirements. <br><br>The numeric value is <code>0</code>. </td></tr> <tr> <td><strong>Read</strong></td> <td>Specifies that the handler requires read permissions. <br><br>The numeric value is <code>1</code>. </td></tr> <tr> <td><strong>Script</strong></td> <td>Specifies that the handler requires rights to run scripts. <br><br>The numeric value is <code>3</code>. </td></tr> <tr> <td><strong>Write</strong></td> <td>Specifies that the handler requires write permissions. <br><br>The numeric value is <code>2</code>. </td></tr></tbody></table> |
111111
| `resourceType` | Optional string attribute. <br><br>Specifies the type of resource to which the handler mapping applies. <br><br>The **resourceType** attribute can be one of the following possible values. The default value is `Unspecified`. <table> <tbody> <tr> <th>Value</th> <th>Description</th></tr> <tr> <th><code>Directory</code></th> <td>Specifies that the handler mapping applies to requests only for physical folders on disk. <br><br>The numeric value is <code>1</code>. </td></tr> <tr> <th><code>Either</code></th> <td>Specifies that the handler mapping applies to requests for physical files or folders on disk. <br><br>The numeric value is <code>2</code>. </td></tr> <tr> <th><code>File</code></th> <td>Specifies that the handler mapping applies to requests only for physical files on disk. <br><br>The numeric value is <code>0</code>. </td></tr> <tr> <th><code>Unspecified</code></th> <td>Specifies that the mapping type is not specified. The handler mapping applies to requests regardless of whether the request maps to a physical file or folder on disk. Use this setting when you map a handler to a file name or file name extension that does not exist on disk, such as MyHandler.axd. <br><br>The numeric value is <code>3</code>. </td></tr></tbody></table> |
112112
| `responseBufferLimit` | Optional uint attribute. <br><br>Specifies the maximum size, in bytes, of the response buffer for a request handler. <br><br>The default value is `4194304` bytes. |
113113
| `scriptProcessor` | Optional string attribute. <br><br>Specifies the physical path of the ISAPI extension .dll file or Common Gateway Interface (CGI) .exe file that processes the request. <br><br>The scriptProcessor attribute is required only for script map handler mappings. When you map a handler to an ISAPI extension, you must specify ISAPIModule for the modules attribute. When you map a handler to a CGI file, you must specify CGIModule for the modules attribute. |
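Review bot: On the added line 110, the note says a handler whose **requireAccess** "does not match the current `accessPolicy` level" will not be executed, but the index.md side of this commit describes `accessPolicy` as a flags attribute, so "match" and "level" leave it unclear which combinations filter a handler. Suggest wording it in terms of the flags, for example "is not enabled by the `accessPolicy` flags on the parent `<handlers>` element", and linking to that attribute. The new lead sentence ("the access level at which a handler will execute") also no longer agrees with the value table that follows, which still describes each value as something the handler "requires". Since the point of the note is that a filtered handler "may be initialized", it would help to say what a reader should do when a handler must not be initialized at all. Style: the note is inlined in the table cell as `**Note:**` with a curly apostrophe in "handler’s", while index.md uses a `> [!NOTE]` block; pick one form and use a straight apostrophe.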

iis/configuration/system.webServer/handlers/index.md

Lines changed: 4 additions & 1 deletion
@@ -110,7 +110,10 @@ You configure the `<handlers>` element at the application level in the Web.confi
110110

111111
| Attribute | Description |
112112
| --- | --- |
113-
| `accessPolicy` | Optional flags attribute.<br><br>Specifies the allowed access types for the entire handlers collection.<br><br>The **accessPolicy** attribute can be one of the following possible values. The default is `Read`. <table> <tbody> <tr> <th>Value</th> <th>Description</th></tr> <tr> <th><code>Execute</code></th> <td>Enables handlers in the handlers collection that require execute rights in directories and files.</td></tr> <tr> <th><code>None</code></th> <td>Disables all handlers in the handlers collection that require access to directories or files.</td></tr> <tr> <th><code>NoRemoteExecute</code></th> <td>Prevents handlers in the handlers collection from running executables when a handler receives a remote request.</td></tr> <tr> <th><code>NoRemoteRead</code></th> <td>Prevents handlers in the handlers collection from reading files when a handler receives a remote request.</td></tr> <tr> <th><code>NoRemoteScript</code></th> <td>Prevents handlers in the handlers collection from running scripts when a handler receives a remote request.</td></tr> <tr> <th><code>NoRemoteWrite</code></th> <td>Prevents handlers in the handlers collection from creating or changing files when a handler receives a remote request.</td></tr> <tr> <th><code>Read</code></th> <td>Enables handlers in the handlers collection that require read access to directories and files.</td></tr> <tr> <th><code>Script</code></th> <td>Enables handlers in the handlers collection that require script rights to directories or files.</td></tr> <tr> <th><code>Source</code></th> <td>Enables handlers in the handlers collection that require read access to source code (together with the <strong>Read</strong> flag) or write access to source code (together with the <strong>Write</strong> flag).</td></tr> <tr> <th><code>Write</code></th> <td>Enables handlers in the handlers collection that require write access to directories and files.</td></tr></tbody></table> |
113+
| `accessPolicy` | Optional flags attribute.<br><br>Specifies what level of access types for the entire handlers collection.<br><br>The **accessPolicy** attribute can be one of the following possible values. The default is `Read`. <table> <tbody> <tr> <th>Value</th> <th>Description</th></tr> <tr> <th><code>Execute</code></th> <td>Enables handlers in the handlers collection that require execute rights in directories and files.</td></tr> <tr> <th><code>None</code></th> <td>Disables all handlers in the handlers collection that require access to directories or files.</td></tr> <tr> <th><code>NoRemoteExecute</code></th> <td>Prevents handlers in the handlers collection from running executables when a handler receives a remote request.</td></tr> <tr> <th><code>NoRemoteRead</code></th> <td>Prevents handlers in the handlers collection from reading files when a handler receives a remote request.</td></tr> <tr> <th><code>NoRemoteScript</code></th> <td>Prevents handlers in the handlers collection from running scripts when a handler receives a remote request.</td></tr> <tr> <th><code>NoRemoteWrite</code></th> <td>Prevents handlers in the handlers collection from creating or changing files when a handler receives a remote request.</td></tr> <tr> <th><code>Read</code></th> <td>Enables handlers in the handlers collection that require read access to directories and files.</td></tr> <tr> <th><code>Script</code></th> <td>Enables handlers in the handlers collection that require script rights to directories or files.</td></tr> <tr> <th><code>Source</code></th> <td>Enables handlers in the handlers collection that require read access to source code (together with the <strong>Read</strong> flag) or write access to source code (together with the <strong>Write</strong> flag).</td></tr> <tr> <th><code>Write</code></th> <td>Enables handlers in the handlers collection that require write access to directories and files.</td></tr></tbody></table> |
114+
115+
> [!NOTE]
116+
> The `accessPolicy` attribute is not an enforceable security policy but rather a filtering mechanism that determines which handlers execute based on their `requiredAccess` attribute when configured. A filtered handler is still part of the configuration and may be initialized, even though it will not be selected to execute based on this attribute.
114117
115118
### Child Elements
116119

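Review bot: The added note on line 116 names the attribute `requiredAccess`, but the attribute documented in add.md in this same commit is `requireAccess`; correct the spelling so the cross-reference resolves to the right entry. On the added line 113, "Specifies what level of access types for the entire handlers collection." is missing a verb; something like "Specifies which access types are enabled for the entire handlers collection" keeps the intended softening without breaking the sentence. The same row still says the attribute "can be one of the following possible values" even though it is introduced as a flags attribute and the `Source` entry describes combining it with `Read` or `Write`, so "one or more" would be consistent. The note's statement that this is "not an enforceable security policy" sits next to value descriptions that still say "Disables" and "Prevents"; consider adjusting those verbs or having the note say explicitly that they refer to handler selection only.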