ansaurus

Question

Answer 1

+8 A:

Edit: Added emphasis to relevant sections.

Basically: IIS is being excessively paranoid. You can safely disable this check if you're not doing anything particularly unwise with the uri decoded data (such as generating local filesystem URI's via string concatenation).

To disable the check do the following (from here or here): (see my comment below for what double escaping entails).

<system.webServer>
    <security>
        <requestFiltering allowDoubleEscaping="True"/>
    </security>
</system.webServer>

If the plus symbol is a valid character in a search input, you will need to enable "allowDoubleEscaping" to permit IIS to process such input from the URI's path.

Finally, a very simple, if limited workaround is simply to avoid '+' and use '%20' instead. In any case, using the '+' symbol to encode a space is not valid url encoding, but specific to a limited set of protocols and probably widely supported for backwards-compatibility reasons. If only for canonicalization purposes, you're better off encoding spaces as '%20' anyhow; and this nicely sidesteps the IIS7 issue (which can still crop up for other sequences, such as %25ab.)

Eamon Nerbonne 2009-09-21 07:43:51

OK, but what should I do?

Alex 2009-09-21 07:46:47

I'd disable the check. It's a hassle and doesn't provide extra security to most apps.

Eamon Nerbonne 2009-09-21 08:03:23

Do you have a link/reference that it's pretty much safe to disable double escaping? Also, what exactly does this security measure prevent from happening?

Alex 2009-09-21 08:04:49

If a uri is double-escaped, then the unescaped uri components may themnselves contain reserved characters and thus (parts of) the unescaped uri may itself be a valid uri. In short, if you use the unescaped uri string to construct new uri's - in particular filesystem paths - and you fail to correctly escape the new path, you may allow path injection. Path injection could allow an attacker to trick your program into processing data it shouldn't, or into confusing it into thinking two uri's are different when they are actually identical but simply encoded differently.

Eamon Nerbonne 2009-09-21 08:21:17

Answer 2

A:

Have you thought about having the search URL like '/search/a/b/c'?

You'd need to setup a route like

search/{*path}

And then extract the search values from your path string in the action.

HTHs
Charles

Charlino 2009-09-21 07:58:26

The problem is that other URL encoded characters (including '/' itself) could be part of the search.

Alex 2009-09-21 08:04:02

Could you not encode all the '/' that are actually part of the search to '%2F'?

Charlino 2009-09-21 20:55:48

ansaurus

tags:

views:

answers:

Is Enabling Double Escaping Dangerous?

related questions