Vulnerability in EPiServer.Forms
This is an odd request... On a client's intranet the IT guys want to put files in the regular file system, in this case d:\attachments and let the EPi-editors link to files they put there.
Using EPiServer.Web.Hosting.VirtualPathNativeProvider I've added a folder that shows up in the File Manager which of course works perfect for static files. Problem is they also want this to work for ASP and ASPX-files and that they should be executed when accessed through epi-site.url/attachments/test.asp. Is this even possible?
Yes, its definetely possible to have aspx/ascx delivered through a VPP.
You might have to add a <location>-element to your web.config for the folder where the files "resides",and specify the correct handlers there.
Normally, the StaticFileHandler is setup for the folders to handle all requests, but in order to execute aspx youneed to change thisto the standard aspxhandler, something like this might work.
Tip is to take a look at how the edit/admin-folders are setup in their <location>-element and "copy" that to your folder <location>-element.