Question

I have a site that is using IIS 7.5; it is also using ISAPI rewrite. I would like to redirect some URLs that will be passed by a piece of desktop software one of our business partners uses. Basically they have an app that can be used to look up products; they can click on a product in the app and be taken to the supplier's web site.

The problem is the app, which is used by many customers and cannot be changed to accommodate me, uses a "+" to eliminate spaces in some of the URL parameters. This is causing problems because I am trying to use ISAPI rewrite to re-write the URL based on the part number. The "+" sign causes IIS to return a "not found" error.

According to everything I have read this can be fixed by allowing double escaping in the web.config file. Everyone seems pretty cavalier about allowing this, but I see MS considers it a security issue.

So what exactly is the danger of allowing double escaping? We have an ASP Classic site running on this server, so I don't want to risk any exposure of the site or DB by using this. OTOH if I could feel confident allowing it, it would be a really easy way to solve a problem.

Solution

That's a complex question. I don't have OTOH for you, but I can tell you that in the last 4 years of my experience with IIS and double-escaping, our customers have been enabling double escaping without any further problems.

Member of HeliconTech Support Team
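The risk the question asks about, as an added example that is not part of the original question or answer: a simplified Python model (an assumption, not IIS's own logic) of a filter that inspects a URL path after one percent-decode while a later component decodes again, together with a check a defender can run over logged paths. The deny-list, function names and sample paths are constructed for illustration, and the sketch does not model how IIS treats "+".

```python
from urllib.parse import unquote

# Constructed deny-list, for illustration only.
BLOCKED_SEQUENCES = ("../", "..\\", "<", ">")

def decode_passes(path, limit=5):
    """Percent-decode repeatedly; return every form seen until the path is stable."""
    forms = [path]
    for _ in range(limit):
        nxt = unquote(forms[-1])
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms

def is_double_escaped(path):
    """True when a second decode still changes the path."""
    once = unquote(path)
    return unquote(once) != once

def single_pass_filter_allows(path):
    """Model of a filter that looks at the path after exactly one decode."""
    once = unquote(path)
    return not any(seq in once for seq in BLOCKED_SEQUENCES)

def hidden_after_full_decode(path):
    """Blocked sequences that only appear once decoding is carried further."""
    once = unquote(path)
    final = decode_passes(path)[-1]
    return [s for s in BLOCKED_SEQUENCES if s in final and s not in once]

def triage(path):
    """Summarise one logged path for review."""
    return {
        "double_escaped": is_double_escaped(path),
        "passes_single_decode_filter": single_pass_filter_allows(path),
        "hidden_sequences": hidden_after_full_decode(path),
    }

SAMPLES = [  # constructed sample paths
    "/products/AB-100%20blue",
    "/products/%252e%252e%252ffile.txt",
    "/products/%2e%2e%2ffile.txt",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, triage(p))
```

The second sample passes the single-decode filter yet contains `../` after a second decode, which is the mismatch that rejecting double-escaped URLs is meant to prevent.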

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow