400 包含“&”的 URL 的错误请求在 IIS7 上使用 UrlRoutingModule
我正在一个在 IIS 7 上运行的旧 WebForms 站点上设置 ASP.net MVC 2.0。旧站点有一个 404 处理程序,设置如下:
<httpErrors errorMode="Custom">
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" prefixLanguageFilePath="C:\..." path="/error404.aspx" responseMode="ExecuteURL" />
</httpErrors>
此 404 处理程序用于模拟 URL 重写,因此 URL 类似于“/+yes” -&-no" 将被路由到它,并且 Server.Transfer()ed 到正确的页面。这一切都有效。
设置 ASP.net MVC 2.0 时,我将其添加到 web.config 中:
<modules runAllManagedModulesForAllRequests="false">
<remove name="UrlRoutingModule" />
<add name="UrlRoutingModule" type="System.Web.Routing.UrlRoutingModule, System.Web.Routing, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</modules>
添加后,所有包含 & 符号(例如“/+yes-&-no”)的 URL 将返回:
错误的请求
如何保持 UrlRoutingModule 启用,同时仍允许带有“&”符号的 URL?
被拒绝的解决方案:
- 我能够得到 这些注册表更改有效,但已被否决安全问题。
我能够使用 URL 重写来更改“&”到“and”,但这会影响 SEO,因为这会改变
等。
<规则名称=“RemoveIllegalAmpersands”>
> 我看到了requestPathInvalidCharacters , web.config 元素,但我们无法尝试它,因为我们仍在 .NET 3.5
还有我错过的其他解决方案吗?
I'm setting up ASP.net MVC 2.0 on an old WebForms site that runs on IIS 7. The old site has a 404 handler set up like:
<httpErrors errorMode="Custom">
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" prefixLanguageFilePath="C:\..." path="/error404.aspx" responseMode="ExecuteURL" />
</httpErrors>
This 404 handler is used to simulate URL rewriting, so a URL like "/+yes-&-no" would get routed to it, and Server.Transfer()ed to the correct page. This all works.
When setting up ASP.net MVC 2.0, I add this to the web.config:
<modules runAllManagedModulesForAllRequests="false">
<remove name="UrlRoutingModule" />
<add name="UrlRoutingModule" type="System.Web.Routing.UrlRoutingModule, System.Web.Routing, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</modules>
Once this is added, all URLs containing an ampersand (e.g. "/+yes-&-no") return:
Bad Request
How do I keep the UrlRoutingModule enabled, and still allow URLs with ampersand?
Rejected Solutions:
- I was able to get these registry changes to work, but they have been vetoed out of security concerns.
I was able to use URL Rewriting to change the "&" to "and", but that has SEO implications because that changes the <h1>, etc.
<rule name="RemoveIllegalAmpersands">
<match url="(+.)&(.))" />
<action type="Rewrite" url="{R:1}and{R:2}" />
</rule>I saw the requestPathInvalidCharacters, web.config element but we can't try it because we're still on .NET 3.5
Are there any other solutions that I've missed?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
你看过 Hanselman 的这篇文章吗?
http://www.hanselman.com/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx
他描述了如何调整哪些字符被视为无效(在他的博客文章中查找 requestPathInvalidCharacters)。
请注意,如果您对此进行调整,则需要注意一些地雷。
Have you taken a look at this post by Hanselman?
http://www.hanselman.com/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx
He describes how to tweak what characters are considered invalid (look for requestPathInvalidCharacters on his blog post).
Be aware that there are several landmines to be aware of if you tweak this.