StackExchange 如何处理路由 URL 中的无效字符?
Scott Hanselman 关于在请求 URL 中使用古怪字符的帖子,解释了 IIS 和 ASP.Net 如何使用可以规避安全功能以允许在 URL 中传递无效字符...但是我确信 Stack Exchange 的做法有所不同,因为他的方法会让网站容易遭受严重的攻击和错误。
StackExchange 具有指向标签的链接,例如 C#,这些标签通过 GET 请求编码发送到 Web 服务器,如下所示:
// C#
http://stackoverflow.com/questions/tagged/c%23
// C++
http://stackoverflow.com/questions/tagged/c%2b%2b
技巧是...它们作为请求路径发送值(例如路由参数),而不是查询字符串中的值...
如果您看到 Hanselman 的文章,他建议只能通过关闭 RequestValidation 之外的其他几个安全功能(后者允许查询字符串部分中的编码字符)来实现这一点的 URL)。
问题
StackExchange 如何实现这一目标?
如果按照 Hanselman 在他的博客中说明的方式进行,他们会采取哪些额外步骤来保护自己?
Scott Hanselman's post on using wacky chars in a Request URL, explains how IIS and ASP.Net security features can be circumvented to allow invalid characters to be passed on in a URL... but I am sure stack exchange is doing it different as his methodology would leave the site wide open to nasty attacks and bugs.
StackExchange has links to tags, like C# that are sent to the web server in a GET request encoded, like this:
// C#
http://stackoverflow.com/questions/tagged/c%23
// C++
http://stackoverflow.com/questions/tagged/c%2b%2b
The trick is... they are sent as request path values (ex. route parameters), not as values in a query string...
If you see Hanselman's article, he suggests it is only possible by turning off several other security features beyond RequestValidation (the later allows encoded chars in a query string portion of a URL).
Questions
How does StackExchange accomplish this?
If it is done the same way Hanselman illustrates in his blog, what extra steps do they take to protect themselves?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
他们不接受任何角色。他们使用slugs。
They don't accept just any character. They use slugs.