tags:

views:

195

answers:

3
+5  Q: 

How do I block requests for all *.php, *.cgi, etc. pages from inside an ASP.NET MVC 1.0 app hosted in IIS7?

I'd like to block requests to any .php or .cgi regardless of the pathing information.

For example, when the following url is used:

http://mysite/Admin/Scripts/Setup.php

It matches an existing route:

routeCollection.MapRoute("Admin", "admin/{controller}/{action}/{uid}/{*pathInfo}", new { controller = "Admin", action = "Index", uid = "" });

However there is no controller for scripts so MVC throws the following:

The IControllerFactory '' did not return a controller for a controller named 'scripts'.

What I'd really prefer is that the request is simply met with a hard fail before MVC ever got to the controller.

I know that I can do this by hooking the Application_BeginRequest in the Global.asax and throwing a new HttpException(404, "Not Found") but that's not quite the elegant solution I'm looking for.

I was really hoping that this would work:

routeCollection.IgnoreRoute("{resource}.php/{*pathInfo}");

But it doesn't.

NOTE: Sean Lynch's answer works great but I still would really like a System.Web.Routing or System.Web.Mvc based solution. That way I can allow my users to add their own exclusions at runtime.

+2  A: 

If you hosting provider supports the IIS7 URL Rewrite module then you could check out this link:

http://learn.iis.net/page.aspx/499/request-blocking---rule-template/

Update here is what you would put into your web.config in the system.webserver section:

<system.webServer>
    <rewrite>
        <rules>
            <rule name="RequestBlockingRule1" patternSyntax="Wildcard">
                <match url="*" />
                <conditions>
                    <add input="{URL}" pattern="*.php*" />
                </conditions>
                <action type="CustomResponse" statusCode="403" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>
Sean Lynch  2009-10-08 17:51:34
I second that. Use the AbortRequest action type and the request will never get any further.
Mark B  2009-10-08 17:53:50
Can URL Rewrite module rules be added from within my application, or from within the application directory on the disk or must I use IIS Manager to configure them?
Hellfire  2009-10-08 18:19:09
You can define the rules in the web.config of your application, so don't need to use IIS Manager to configure them. However, I am not sure of the exact XML that would be used though. I don't have access to IIS Manager right now to try it out.
Sean Lynch  2009-10-08 18:58:42
But I have done it was the path rewriting, and just copied the web.config up.
Sean Lynch  2009-10-08 18:59:42
I have added the code for the web.config that IIS Manager generated.
Sean Lynch  2009-10-08 19:40:39
I have investigated this and I like it. In the process I also looked at the Request Filtering module and I actually like that better. It's much simpler to configure and highly effective. I'm not 100% sure but it may even run earlier in the pipeline than the URL Rewrite module.
Hellfire  2009-10-08 19:42:17
This answer works great but I would really like a System.Web.Routing or System.Web.MVC solution to this.
Hellfire  2009-10-08 19:49:21
Well, after a few days of messing around with other approaches I like this one the best, by far! It's convenient, not messy, doesn't require a recompile (well, outside of what ASP.NET does on it's own) and built-in (so well supported). I haven't figured out if I can programmatically add new rules on the fly, but that's not a critical requirement.
Hellfire  2009-10-14 17:02:16
A: 

I found http://stackoverflow.com/questions/273447/how-to-ignore-route-in-asp-net-forms-url-routing which might work for this, it uses the StopRoutingHandler class, and as long as the requests to .php do run through the routing this will probably work.

If the .php requests are not going through the routing handler then this probably wouldn't work.

Sean Lynch  2009-10-08 20:04:27
A: 

You could block these extensions before it even hits IIS with Microsoft's UrlScan ISAPI Filter.

Mouffette  2009-10-09 02:36:22

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data