Question

I've got a custom HttpModule to redirect legacy URLs from an old build of the site which checks the incoming request URL against a database table of redirects.

However, when the incoming request URL contains a plus (+) sign, the request doesn't fall through the HttpModule - it works as expected for standard URLs.

For example, these URLs work:

http://www.example.com/sample-url
http://www.example.com/sample url
http://www.example.com/sample%20url

These don't:

http://www.example.com/sample+url
http://www.example.com/sample%2Burl

Here's my module declaration:

<add name="LegacyUrlHttpModule" type="Web.LegacyUrlHttpModule, Framework.Web" preCondition="managedHandler" />

Am I missing a setting here or something?

Solution

Scott Hanselman wrote a nice blog post explaining how you could enable all kinds of crap symbols in the Path portion of a URL.

His conclusion is the following:

After ALL this effort to get crazy stuff in the Request Path, it's worth mentioning that simply keeping the values as a part of the Query String (remember WAY back at the beginning of this post?) is easier, cleaner, more flexible, and more secure.

So basically, if you have such characters in a URL, those characters should be passed as query string parameters instead of attempting to pass them in the Path portion.

Other tips

IIS rejects + in URLs by default. A workaround would be to allowDoubleEscaping

<system.webServer>
    <security>
        <requestFiltering allowDoubleEscaping="true" />
    </security>
</system.webServer>

but beware that this may make your site more vulnerable to malicious URLs.

You can follow the below steps:

  1. in the IIS webserver section, double click the 'Request Filtering' icon
  2. in the 'File Name Extension' right click -> 'Edit Feature Settings...' the file 'web.config'
  3. check the option 'Allow double escaping' (this option is unchecked by default)
  4. repeat all above 3 steps for the 'default website' (or whatever you have given the name to your site)
  5. re-start the IIS
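
As an added example (not code from the thread or from any of its authors): if allowDoubleEscaping is turned on, the redirect module can run its own nested-escape check before the database lookup, so that + and %2B keep working while doubly encoded paths are refused. LegacyPathGuard and TryNormalize are hypothetical names, and the raw path is assumed to be the part of HttpRequest.RawUrl before the '?'.

```csharp
using System;
using System.Linq;

// Added example, not code from the thread. LegacyPathGuard is a hypothetical helper
// for a module such as LegacyUrlHttpModule on a site where allowDoubleEscaping="true".
public static class LegacyPathGuard
{
    // rawPath: the still-encoded path (assumed here to be the part of
    // HttpRequest.RawUrl before '?'). On success, decoded is the lookup key.
    public static bool TryNormalize(string rawPath, out string decoded)
    {
        decoded = null;
        if (string.IsNullOrEmpty(rawPath) || rawPath[0] != '/') return false;

        // Uri.UnescapeDataString decodes %XX but leaves '+' as a literal plus,
        // unlike HttpUtility.UrlDecode, which turns '+' into a space.
        string once = Uri.UnescapeDataString(rawPath);

        // If a second pass still changes the text, an escape was hidden inside
        // another escape (%252e -> %2e -> '.'). Fail closed.
        if (Uri.UnescapeDataString(once) != once) return false;

        // Also refuse backslashes, control characters and dot segments
        // in the decoded path.
        if (once.Any(c => c == '\\' || char.IsControl(c))) return false;
        if (once.Split('/').Any(seg => seg == "." || seg == "..")) return false;

        decoded = once;
        return true;
    }

    public static void Main()
    {
        // Constructed sample paths.
        string[] samples = {
            "/sample+url", "/sample%2Burl", "/sample%20url",
            "/%252e%252e/web.config", "/a/%2e%2e/b", "/a%5Cb"
        };
        foreach (string s in samples)
        {
            string key;
            bool ok = TryNormalize(s, out key);
            Console.WriteLine("{0,-26} {1}", s, ok ? "lookup '" + key + "'" : "reject");
        }
    }
}
```

The first three samples resolve to a lookup key; the last three are rejected. A legacy URL that contains a literal percent sign followed by two hex digits is also rejected by the second-pass check, which is the fail-closed side of this trade-off.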

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow