如何阻止来自 IIS7 中托管的 ASP.NET MVC 1.0 应用程序内部对所有 *.php、*.cgi 等页面的请求?

发布于 2024-08-06 15:22:43 字数 861 浏览 12 评论 0原文

我想阻止对任何 .php 或 .cgi 的请求,无论路径信息如何。

例如,当使用以下 url 时:

http://mysite/Admin/Scripts/Setup.php

它与现有路由匹配:

routeCollection.MapRoute("Admin", "admin/{controller}/{action}/{uid}/{*pathInfo}", new { controller = "Admin", action = "Index", uid = "" });

但是没有脚本控制器,因此 MVC 抛出以下内容:

IControllerFactory '' 做到了 不返回控制器 名为“scripts”的控制器。

我真正喜欢的是,在 MVC 到达控制器之前,该请求就简单地遇到了硬故障。

我知道我可以通过在 Global.asax 中挂钩 Application_BeginRequest 并抛出一个新的 HttpException(404, "Not Found") 来做到这一点,但这并不是我正在寻找的优雅解决方案。

我真的希望这会起作用:

routeCollection.IgnoreRoute("{resource}.php/{*pathInfo}");

但事实并非如此。

注意:Sean Lynch 的答案非常有效,但我仍然非常喜欢基于 System.Web.Routing 或 System.Web.Mvc 的解决方案。这样我就可以允许我的用户在运行时添加他们自己的排除项。

I'd like to block requests to any .php or .cgi regardless of the pathing information.

For example, when the following url is used:

http://mysite/Admin/Scripts/Setup.php

It matches an existing route:

routeCollection.MapRoute("Admin", "admin/{controller}/{action}/{uid}/{*pathInfo}", new { controller = "Admin", action = "Index", uid = "" });

However there is no controller for scripts so MVC throws the following:

The IControllerFactory '' did
not return a controller for a
controller named 'scripts'.

What I'd really prefer is that the request is simply met with a hard fail before MVC ever got to the controller.

I know that I can do this by hooking the Application_BeginRequest in the Global.asax and throwing a new HttpException(404, "Not Found") but that's not quite the elegant solution I'm looking for.

I was really hoping that this would work:

routeCollection.IgnoreRoute("{resource}.php/{*pathInfo}");

But it doesn't.

NOTE: Sean Lynch's answer works great but I still would really like a System.Web.Routing or System.Web.Mvc based solution. That way I can allow my users to add their own exclusions at runtime.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

只涨不跌 2024-08-13 15:22:43

我知道这是一篇旧帖子,但如果您正在寻找 php 请求(和其他一些请求)的忽略路由,包括子文件夹中的请求,那么我发现下面的代码效果很好(改编自 忽略 Phil Haack 发布的路由

我还为偶尔的苹果触摸图标请求添加了特定的忽略路由(对不同尺寸使用通配符),并允许 favicon 使用不同的文件扩展名(Google 工具栏和其他一些浏览器查找 png 和 gif 图标)。

当然,您可以为所有图像文件扩展名添加忽略路由,但就我而言,我仍然想路由一些其他请求。

routes.IgnoreRoute("{*allphp}", new { allphp = @".*\.php(/.*)?" });
routes.IgnoreRoute("{*allcgi}", new { allcgi = @".*\.cgi(/.*)?" });
routes.IgnoreRoute("{*allaspx}", new { allaspx = @".*\.aspx(/.*)?" });

routes.IgnoreRoute("{*favicons}", new { favicons = @".*favicon\.(ico|gif|png)(/.*)?" });
routes.IgnoreRoute("{*allappleicon}", new { allappleicon = @"apple-touch-icon-.*\.png(/.*)?" });

尽管有这些忽略路由,但我仍然认为,如果您有权执行此操作,则最好对 php 文件使用请求阻止。

I know this is an old post but if you're looking for an ignore route for php requests (and some others) including requests within sub folders then I have found the code below works well (adapted from the ignore routes post from Phil Haack)

I also added a specific ignore route for the occasional apple touch icon request (using a wildcard for the different dimensions) and allowed for the different file extensions for the favicon (Google toolbar and some other browsers look for png and gif favicons).

Of course you could add an ignore route for all image file extensions but in my case I still want to route some of the other requests.

routes.IgnoreRoute("{*allphp}", new { allphp = @".*\.php(/.*)?" });
routes.IgnoreRoute("{*allcgi}", new { allcgi = @".*\.cgi(/.*)?" });
routes.IgnoreRoute("{*allaspx}", new { allaspx = @".*\.aspx(/.*)?" });

routes.IgnoreRoute("{*favicons}", new { favicons = @".*favicon\.(ico|gif|png)(/.*)?" });
routes.IgnoreRoute("{*allappleicon}", new { allappleicon = @"apple-touch-icon-.*\.png(/.*)?" });

Despite having these ignore routes, I still think that using request blocking for php files is preferable if you have access to do it.

原谅过去的我 2024-08-13 15:22:43

如果您的托管提供商支持 IIS7 URL 重写模块,那么您可以查看此链接:

http://learn.iis.net/page.aspx/499/request-blocking---rule-template/

这里更新的是您将在 web.config 中放入的内容系统.网络服务器部分:

<system.webServer>
    <rewrite>
        <rules>
            <rule name="RequestBlockingRule1" patternSyntax="Wildcard">
                <match url="*" />
                <conditions>
                    <add input="{URL}" pattern="*.php*" />
                </conditions>
                <action type="CustomResponse" statusCode="403" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>

If you hosting provider supports the IIS7 URL Rewrite module then you could check out this link:

http://learn.iis.net/page.aspx/499/request-blocking---rule-template/

Update here is what you would put into your web.config in the system.webserver section:

<system.webServer>
    <rewrite>
        <rules>
            <rule name="RequestBlockingRule1" patternSyntax="Wildcard">
                <match url="*" />
                <conditions>
                    <add input="{URL}" pattern="*.php*" />
                </conditions>
                <action type="CustomResponse" statusCode="403" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>
怎樣才叫好 2024-08-13 15:22:43

我发现如何忽略asp.net表单url中的路由路由可能适用于此,它使用 StopRoutingHandler 类,只要对 .php 的请求确实通过路由运行,这可能会起作用。

如果 .php 请求没有通过路由处理程序,那么这可能不起作用。

I found How to ignore route in asp.net forms url routing which might work for this, it uses the StopRoutingHandler class, and as long as the requests to .php do run through the routing this will probably work.

If the .php requests are not going through the routing handler then this probably wouldn't work.

自此以后,行同陌路 2024-08-13 15:22:43

您可以使用 Microsoft 的 UrlScan ISAPI Filter 在这些扩展到达 IIS 之前将其阻止。

You could block these extensions before it even hits IIS with Microsoft's UrlScan ISAPI Filter.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文