views:

1334

answers:

6

I have an application that has to deal with getting "special" characters in its URL (like &, +, %, etc). When I'm sending a request to the application using these characters (of course I'm sending them escaped) I'm getting "Bad Request" response code with the message "ASP.NET detected invalid characters in the URL". Tracing the request shown me that the error was thrown from the "Authentication Module".

I've searched a bit and found that every page has a ValidateRequest and changing its value to false solves the problem. Unfortunately I'm using Httphandler. Does anyone know how to stop the request validation using http handler?

A: 

You can set validateRequest to false in the pages section of the web.config. Maybe that works for HttpHandlers as well?

Erik Hesselink
I tried. It doesn't work...
Itay
A: 

You can remove all the modules with

<httpModules>
  <clear />
</httpModule>

to make the request get to your handler. Or maybe you can remove the specific modules that are stopping your request.

This is the list of modules loaded by default in ASP.NET 2.0 from here

<httpModules>
     <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
     <add name="Session" type="System.Web.SessionState.SessionStateModule" />
     <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
     <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
     <add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule" />
     <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
     <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
     <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" />
     <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />
     <add name="Profile" type="System.Web.Profile.ProfileModule" />
</httpModules>
Eduardo Campañó
Thanks for the answer, but the problem is that there are some necessary modules that validate the url so I need to find out how to remove the validation and not the modules...
Itay
A: 

How about this?

<system.web>
    <pages validateRequest="false">
    </pages>
</system.web>
Bryan
+2  A: 

I ran into the same problem (creating an IHttpHandler that needed to receive requests with special characters in the URL). I had to do two things to fix it:

  1. Create the following DWORD registration entry with a value of 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\VerificationCompatibility

  2. In the web.config, set the allowDoubleEscaping attribute of the requestFiltering element to true.

jwanagel
A: 

Below solution worked for me- Create the following DWORD registration entry with a value of 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\VerificationCompatibility

In the web.config, set the allowDoubleEscaping attribute of the requestFiltering element to true.

Saurabh Maurya
A: 

I had the same problem and got it working by setting validateRequest="false" as well as requestValidationMode="2.0", like below. No registry edits.

<system.web>
  <httpRuntime requestValidationMode="2.0" />
  ...
  <pages ... validateRequest="false" />
</system.web>
David Thomas