Canceling request validation using HttpHandler on IIS 7

Question

I have an application that has to deal with getting "special" characters in its URL (like &, +, %, etc). When I'm sending a request to the application using these characters (of course I'm sending them escaped) I'm getting "Bad Request" response code with the message "ASP.NET detected invalid characters in the URL". Tracing the request shown me that the error was thrown from the "Authentication Module".

I've searched a bit and found that every page has a ValidateRequest and changing its value to false solves the problem. Unfortunately I'm using Httphandler. Does anyone know how to stop the request validation using http handler?

Answer 1

You can set validateRequest to false in the pages section of the web.config. Maybe that works for HttpHandlers as well?

Answer 2

You can remove all the modules with

<httpModules>
  <clear />
</httpModule>

to make the request get to your handler. Or maybe you can remove the specific modules that are stopping your request.

This is the list of modules loaded by default in ASP.NET 2.0 from here

<httpModules>
     <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
     <add name="Session" type="System.Web.SessionState.SessionStateModule" />
     <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
     <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
     <add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule" />
     <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
     <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
     <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" />
     <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />
     <add name="Profile" type="System.Web.Profile.ProfileModule" />
</httpModules>

Answer 3

How about this?

<system.web>
    <pages validateRequest="false">
    </pages>
</system.web>

Answer 4

I ran into the same problem (creating an IHttpHandler that needed to receive requests with special characters in the URL). I had to do two things to fix it:

1. Create the following DWORD registration entry with a value of 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\VerificationCompatibility

2. In the web.config, set the allowDoubleEscaping attribute of the requestFiltering element to true.

Answer 5

Below solution worked for me- Create the following DWORD registration entry with a value of 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\VerificationCompatibility

In the web.config, set the allowDoubleEscaping attribute of the requestFiltering element to true.

Answer 6

I had the same problem and got it working by setting validateRequest="false" as well as requestValidationMode="2.0", like below. No registry edits.

<system.web>
  <httpRuntime requestValidationMode="2.0" />
  ...
  <pages ... validateRequest="false" />
</system.web>