tags:

views:

385

answers:

3
Q: 

Problem with a URL that ends with %20

I have a big problem. There are devices in live that send the URL "/updates ". It's a typo of the developer for those devices. In the server logs, it looks like "/updates+".

I have a ManageURL rewriting module that handles all requests without extension. But this request causes an HttpException:

System.Web.HttpException:

System.Web.HttpException
   at System.Web.Util.FileUtil.CheckSuspiciousPhysicalPath(String physicalPath)
   at System.Web.HttpContext.ValidatePath()
   at System.Web.HttpApplication.ValidatePathExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

As I see in the logs, the URL rewriting module does not even get this URL, so I cannot fix it there.

Is there a way to handle those URLs with ASP.NET?

A: 

If you have access to code why not just check for '+' at the end and remove it?

DroidIn.net  2009-07-14 17:15:19
+1  A: 

According to some, this is in System.Web.dll:

internal static void CheckSuspiciousPhysicalPath(string physicalPath)
{
  if (((physicalPath != null) && (physicalPath.Length > 0))
    && (Path.GetFullPath(physicalPath) != physicalPath))
  {
    throw new HttpException(0x194, "");
  }
}

I guess you cannot change that, but can't one disable it in the IIS settings? Of course, that would also disable all other checks... :-(

Or write some ISAPI filter that runs before the above code? Writing your own module is said to be easy, according to Handle URI hacking gracefully in ASP.NET.

Or, create your own error page. In this page (like suggested in the URI hacking link above) search for specific text in exception.TargetSite.Name, such as CheckSuspiciousPhysicalPath and if found (or simply always) look at current.Request.RawUrl or something like that, clear the error and redirect to a repaired URL?

Arjan  2009-07-14 17:46:29
Thanks.Sorry for not ansering so long.As temporary fix we create a 404 page.And find a way to change it on devices.Anyway this error pushed me to find a ISAPI module that can handle those issues.
AlfeG  2009-07-28 13:51:27
Welcome back ;-) Actually, I guess Cheeso's answer about using an ISAPI rewriting filter might be an easy workaround. This would then hopefully run *before* the above code is executed -- but I think Cheeso is the author of that filter, and I trust the author knows best. The single upvote for Cheeso's answer is mine, so: did you read that answer?
Arjan  2009-07-28 14:45:17
+1  A: 

you could run a URL-rewriting ISAPI, like IIRF.

Cheeso  2009-07-17 10:54:09
IIRF was not an ideal solution for our application. I'm waiting for release of 2.0 version.
AlfeG  2009-07-29 13:25:50
IIRF 2.0 is out and available, though not final. But there's nothing in the rewrite engine for IIRF v2.0 that you cannot get in IIRF v1.2.16.
Cheeso  2009-07-29 13:38:20
Like I wrote in the comments of my own answer: I assume that IIRF runs prior to any built-in security in IIS? So, one could completely rewrite any URL (or: just strip an erroneous trailing space) before handling control to IIS, so before `CheckSuspiciousPhysicalPath` is invoked. Right? Seems like a good solution to me, but still the single upvote is mine. Am I missing the point here?
Arjan  2009-08-03 12:16:56
@Arjan, no I don't think you are missing the point. You are correct that the ISAPI filter will run prior to System.Web.dll checking for a suspiscious path. My comment about IIRF v2.0 was directed to AlfeG, who said he was waiting for v2.0. I wanted to say, for rewrite purposes, there's no point in waiting. IIRF v1.2 or v2.0 will both accomplish the goal.
Cheeso  2009-08-03 12:47:38
Exactly what I thought. (I did understand you were replying to AlfeG, but I just fail to understand why AlfeG thinks IIRF is *not* an easy solution, even if only to remove one space... Not such a big problem after all?)
Arjan  2009-08-03 13:59:06

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps