I'd like to block requests to any .php or .cgi regardless of the pathing information.

For example, when the following url is used:

http://mysite/Admin/Scripts/Setup.php

It matches an existing route:

routeCollection.MapRoute("Admin", "admin/{controller}/{action}/{uid}/{*pathInfo}", new { controller = "Admin", action = "Index", uid = "" });

However there is no controller for scripts so MVC throws the following:

The IControllerFactory '' did not return a controller for a controller named 'scripts'.

What I'd really prefer is that the request is simply met with a hard fail before MVC ever got to the controller.

I know that I can do this by hooking the Application_BeginRequest in the Global.asax and throwing a new HttpException(404, "Not Found") but that's not quite the elegant solution I'm looking for.

I was really hoping that this would work:

routeCollection.IgnoreRoute("{resource}.php/{*pathInfo}");

But it doesn't.

NOTE: Sean Lynch's answer works great but I still would really like a System.Web.Routing or System.Web.Mvc based solution. That way I can allow my users to add their own exclusions at runtime.

+2  A: 

If your hosting provider supports the IIS7 URL Rewrite module then you could check out this link:

http://learn.iis.net/page.aspx/499/request-blocking---rule-template/

Update: here is what you would put into your web.config in the system.webServer section:

<system.webServer>
    <rewrite>
        <rules>
            <rule name="RequestBlockingRule1" patternSyntax="Wildcard">
                <match url="*" />
                <conditions>
                    <add input="{URL}" pattern="*.php*" />
                </conditions>
                <action type="CustomResponse" statusCode="403" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>
Sean Lynch
I second that. Use the AbortRequest action type and the request will never get any further.
Mark B
Can URL Rewrite module rules be added from within my application, or from within the application directory on the disk or must I use IIS Manager to configure them?
Hellfire
You can define the rules in the web.config of your application, so you don't need to use IIS Manager to configure them. However, I am not sure of the exact XML that would be used. I don't have access to IIS Manager right now to try it out.
Sean Lynch
But I have done it with the path rewriting, and just copied the web.config up.
Sean Lynch
I have added the code for the web.config that IIS Manager generated.
Sean Lynch
I have investigated this and I like it. In the process I also looked at the Request Filtering module and I actually like that better. It's much simpler to configure and highly effective. I'm not 100% sure but it may even run earlier in the pipeline than the URL Rewrite module.
Hellfire
This answer works great but I would really like a System.Web.Routing or System.Web.MVC solution to this.
Hellfire
Well, after a few days of messing around with other approaches I like this one the best, by far! It's convenient, not messy, doesn't require a recompile (well, outside of what ASP.NET does on its own) and built-in (so well supported). I haven't figured out if I can programmatically add new rules on the fly, but that's not a critical requirement.
Hellfire
A: 

I found http://stackoverflow.com/questions/273447/how-to-ignore-route-in-asp-net-forms-url-routing which might work for this. It uses the StopRoutingHandler class, and as long as the requests to .php do run through the routing, this will probably work.

If the .php requests are not going through the routing handler then this probably wouldn't work.

Sean Lynch
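
A routing-based variant of the idea in this answer, added here as an example and not code from any of the posters: a catch-all route registered ahead of the MVC routes, with a constraint that matches a blocked extension in any path segment and can be changed at runtime. `BlockedExtensionConstraint`, `NotFoundHandler` and `Register` are hypothetical names; a handler that returns 404 is used in place of StopRoutingHandler, which would only hand the request back to IIS, and the example assumes requests for .php and .cgi reach the routing module at all.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Routing;
// Added example; all type and member names here are hypothetical.
public class BlockedExtensionConstraint : IRouteConstraint
{
    private readonly HashSet<string> _blocked =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    // Safe to call at runtime, e.g. Block(".php") from an admin page.
    public void Block(string ext) { lock (_blocked) _blocked.Add(ext); }
    public void Unblock(string ext) { lock (_blocked) _blocked.Remove(ext); }
    public bool Match(HttpContextBase httpContext, Route route, string parameterName,
                      RouteValueDictionary values, RouteDirection routeDirection)
    {
        // Only filter incoming requests; never take part in URL generation.
        if (routeDirection != RouteDirection.IncomingRequest) return false;
        object raw;
        values.TryGetValue(parameterName, out raw);
        string path = raw as string ?? string.Empty;   // empty for the site root
        // Test every segment so "Setup.php/extra/info" is caught as well.
        foreach (string segment in path.Split('/'))
        {
            int dot = segment.LastIndexOf('.');
            if (dot < 0) continue;
            lock (_blocked) { if (_blocked.Contains(segment.Substring(dot))) return true; }
        }
        return false;
    }
    // Call before the MapRoute calls so this route is evaluated first.
    public static BlockedExtensionConstraint Register(RouteCollection routes)
    {
        var constraint = new BlockedExtensionConstraint();
        constraint.Block(".php");
        constraint.Block(".cgi");
        var route = new Route("{*path}", new NotFoundHandler());
        route.Constraints = new RouteValueDictionary { { "path", constraint } };
        routes.Add(route);
        return constraint;
    }
}

// Ends the request with a 404 before any controller factory is involved.
public class NotFoundHandler : IRouteHandler, IHttpHandler
{
    public IHttpHandler GetHttpHandler(RequestContext requestContext) { return this; }
    public bool IsReusable { get { return true; } }
    public void ProcessRequest(HttpContext context) { context.Response.StatusCode = 404; }
}
```

Keep the object returned by `Register` (for instance in a static field) so later calls to `Block` and `Unblock` change the exclusions without re-registering routes.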
A: 

You could block these extensions before it even hits IIS with Microsoft's UrlScan ISAPI Filter.

Mouffette