Use any characters you want in your URLs with ASP.NET 4 and IIS 7!

After spending entirely too much time researching this issue today, here is how you can use any characters you want for URLs in ASP.NET 4 and IIS 7. A bit of background: I am writing a web application that has a custom HttpModule and HttpHandler that should handle all requests and not limit the syntax of those requests at all. I could not find the information on how to do this in one place anywhere, and there are a fair number of misleading, unanswered and naive responses on various forums that will likely lead you astray if you have an advanced configuration like mine. There are also a lot of completely out-of-date posts centered on .NET 1.1 and .NET 2.0.

The first thing I was trying to do was make a POST-ed form value containing a forward slash into something that could be used as a component in a RESTful URL. I tried to accomplish that by implementing a handler for AuthenticateRequest in my HttpModule (you can’t do it in BeginRequest unless you want to read the form data manually, because Request.Form is not initialized yet) that would encode the value and call TransferRequest. First, that made this happen:

A potentially dangerous Request.Path value was detected from the client (%).

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (%).

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below


Stack Trace:

[HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (%).]
   System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +8815985
   System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +59

Okay. ASP.NET, for security reasons, normally protects your web applications from potentially harmful content being sent to them, which is probably a good thing. But what if we want or need potentially harmful content? Should we be limited? I hoped the answer was “no”, but the almost complete lack of information on the subject sure wasn’t making it seem that way. After some not too helpful reading and some digging with Reflector, I came up with this:

<system.web>
  <httpRuntime requestPathInvalidCharacters="" />
  <pages validateRequest="false" />
</system.web>

Now no characters are invalid and requests shouldn’t even BE validated, right? WRONG. While this did clear up the first exception, I faced a new one. And, while I was not sure if the validateRequest setting would even apply to my case since it is on the pages element, I assure you that for some reason that setting is integral to making the above and following changes work properly together. Here was my second roadblock:

Error Summary

HTTP Error 404.11 – Not Found

The request filtering module is configured to deny a request that contains a double escape sequence.

Detailed Error Information
Module RequestFilteringModule
Notification BeginRequest
Handler Clear
Error Code 0x00000000
Requested URL http://localhost:80/Clear/search/x%2Fy
Physical Path D:\Development\Clear\Clear\search\x%2Fy
Logon Method Not yet determined
Logon User Not yet determined
Most likely causes:
  • The request contained a double escape sequence and request filtering is configured on the Web server to deny double escape sequences.
Things you can try:
  • Verify the configuration/system.webServer/security/requestFiltering@allowDoubleEscaping setting in the applicationhost.config or web.confg file.
Links and More Information

This is a security feature. Do not change this feature unless the scope of the change is fully understood. You should take a network trace before changing this value to confirm that the request is not malicious. If double escape sequences are allowed by the server, modify the configuration/system.webServer/security/requestFiltering@allowDoubleEscaping setting. This could be caused by a malformed URL sent to the server by a malicious user.View more information »

Great, now it didn’t even look like it was getting from IIS to ASP.NET! However, deciding I “fully understood” the change, this problem was much easier to find a solution to and get past. Once again, it was a simple matter of adding the right magic words to the Web.config:

<system.webServer>
  <security>
    <requestFiltering allowDoubleEscaping="true" />
  </security>
</system.webServer>

Finally my Frankenstein was coming to life and I thought I was in the clear. But then I realized that when other clients (not form POST-ers who would not realize my HttpModule was secretly processing their inputs) wanted to send me a URL with a forward slash in a path component, they would have to double encode or use some other strange method to identify it as a different kind of forward slash than the normal path component delimiter.
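One way a module can accept an encoded slash inside a single path component without asking clients to double encode, shown as an added example (not code from the original post): split the undecoded path on "/" first, then decode each segment exactly once and reject whatever the disabled platform checks would otherwise have caught. RestPath and its methods are hypothetical names, the sample paths are constructed, and the code assumes the caller can obtain the undecoded request path.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added example: RestPath is a hypothetical helper, not an ASP.NET API.
public static class RestPath
{
    // Strict UTF-8: throws on invalid byte sequences instead of substituting U+FFFD.
    static readonly Encoding StrictUtf8 = new UTF8Encoding(false, true);

    // Split the still-encoded path on '/' first, then decode each segment
    // exactly once, so an encoded %2F stays data inside its segment.
    public static bool TryParse(string rawPath, out List<string> segments)
    {
        segments = new List<string>();
        if (string.IsNullOrEmpty(rawPath) || rawPath[0] != '/') return false;
        foreach (string raw in rawPath.Substring(1).Split('/'))
        {
            string seg;
            if (raw.Length == 0) continue;                  // ignore empty segments
            if (!TryDecodeOnce(raw, out seg)) return false; // malformed escape or bad UTF-8
            if (seg == "." || seg == "..") return false;    // dot segments, also sent as %2e%2e
            if (HasEscape(seg)) return false;               // a second decode would change it
            foreach (char c in seg)
                if (char.IsControl(c)) return false;        // NUL, CR, LF, ...
            segments.Add(seg);
        }
        return true;
    }

    static bool TryDecodeOnce(string s, out string decoded)
    {
        decoded = null;
        var bytes = new List<byte>(s.Length);
        for (int i = 0; i < s.Length; i++)
        {
            char c = s[i];
            if (c > 0x7F) return false;                     // an undecoded path is ASCII only
            if (c != '%') { bytes.Add((byte)c); continue; }
            if (i + 2 >= s.Length || !Uri.IsHexDigit(s[i + 1]) || !Uri.IsHexDigit(s[i + 2]))
                return false;                               // truncated or non-hex escape
            bytes.Add((byte)(Uri.FromHex(s[i + 1]) * 16 + Uri.FromHex(s[i + 2])));
            i += 2;
        }
        try { decoded = StrictUtf8.GetString(bytes.ToArray()); return true; }
        catch (DecoderFallbackException) { return false; }
    }

    // True if the decoded segment still contains a valid %XX sequence.
    static bool HasEscape(string s)
    {
        for (int i = 0; i + 2 < s.Length; i++)
            if (s[i] == '%' && Uri.IsHexDigit(s[i + 1]) && Uri.IsHexDigit(s[i + 2])) return true;
        return false;
    }

    public static void Main()
    {
        // Constructed sample paths.
        string[] samples = { "/search/x%2Fy", "/search/x%252Fy",
                             "/search/%2e%2e/web.config", "/search/a%00b", "/search/%zz" };
        foreach (string p in samples)
        {
            List<string> segs;
            bool ok = TryParse(p, out segs);
            Console.WriteLine("{0} -> {1}", p, ok ? string.Join(" | ", segs) : "rejected");
        }
    }
}
```

The double-escape rejection is this example's own policy: a value that legitimately contains a literal "%41" after decoding would be refused, which is the trade-off for never decoding twice.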

So, I decided to add a feature to my framework that would allow a syntax to specify that “the rest” of a URL is a single component and to do that I wanted to use “/*”. Convinced I could use any character I wanted now, I went ahead and ran the debugger with my test path, and to my chagrin ran into this little beauty:

System.ArgumentException occurred
Message=Illegal characters in path.
Source=mscorlib
StackTrace:
at System.Security.Permissions.FileIOPermission.HasIllegalCharacters(String[] str)
InnerException:

mscorlib.dll!System.Security.Permissions.FileIOPermission.HasIllegalCharacters(string[] str) + 0x117 bytes
mscorlib.dll!System.Security.Permissions.FileIOPermission.AddPathList(System.Security.Permissions.FileIOPermissionAccess access, System.Security.AccessControl.AccessControlActions control, string[] pathListOrig, bool checkForDuplicates, bool needFullPath, bool copyPathList) + 0x4a bytes
mscorlib.dll!System.Security.Permissions.FileIOPermission.FileIOPermission(System.Security.Permissions.FileIOPermissionAccess access, string[] pathList, bool checkForDuplicates, bool needFullPath) + 0x2c bytes
mscorlib.dll!System.IO.Path.GetFullPath(string path) + 0x5c bytes
System.Web.dll!System.Web.Util.FileUtil.IsSuspiciousPhysicalPath(string physicalPath, out bool pathTooLong) + 0x42 bytes
System.Web.dll!System.Web.Util.FileUtil.IsSuspiciousPhysicalPath(string physicalPath) + 0x18 bytes
System.Web.dll!System.Web.Util.FileUtil.CheckSuspiciousPhysicalPath(string physicalPath) + 0x9 bytes
System.Web.dll!System.Web.CachedPathData.GetPhysicalPath(System.Web.VirtualPath virtualPath) + 0x77 bytes
System.Web.dll!System.Web.CachedPathData.GetConfigPathData(string configPath) + 0x190 bytes
System.Web.dll!System.Web.CachedPathData.GetVirtualPathData(System.Web.VirtualPath virtualPath, bool permitPathsOutsideApp) + 0x6f bytes
System.Web.dll!System.Web.HttpContext.GetFilePathData() + 0x25 bytes
System.Web.dll!System.Web.HttpContext.GetConfigurationPathData() + 0x1b bytes
System.Web.dll!System.Web.Configuration.RuntimeConfig.GetConfig(System.Web.HttpContext context) + 0x2c bytes
System.Web.dll!System.Web.HttpContext.SetImpersonationEnabled() + 0xd bytes
System.Web.dll!System.Web.HttpApplication.AssignContext(System.Web.HttpContext context) + 0x5c bytes
System.Web.dll!System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest wr, System.Web.HttpContext context) + 0x22f bytes
System.Web.dll!System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(System.IntPtr managedHttpContext, System.IntPtr nativeRequestContext, System.IntPtr moduleData, int flags) + 0x1fc bytes
System.Web.dll!System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(System.IntPtr managedHttpContext, System.IntPtr nativeRequestContext, System.IntPtr moduleData, int flags) + 0x29 bytes
[Appdomain Transition]

So, in a last desperate attempt to not have to give up, I circled back to a solution that had not worked for any of the other problems I ran into before and, to my surprise, it all worked out. Unfortunately, it requires adding a registry value, apparently making your entire server less secure, and is not an option except in the most “all access” hosting environments. Anyway, you need to set the following to get the last few “illegal” characters to be allowed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\VerificationCompatibility = 1 (32-bit DWORD)

Before I get accused of hacking my way out of this, this is actually a recommended fix from Microsoft, written when this feature was first added as a service pack for .NET 1.1. It is apparently still in there, and for guys like me who like to push the limits, I thank them for trusting us a tiny bit:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;826437

I did find one posting that sort of talks about this problem (on Scott Hanselman’s blog), but it appears that rather than finding a solution they opted to change their URLs to work around the problem. Yes, maybe that was a better idea, but not nearly as FUN:

http://www.hanselman.com/blog/BUGCantUseAnAsteriskAsACharacterWhenRequestingAURLPageFromASPNET.aspx

Hopefully this will help someone get past the issue themselves without all the forumining and experiments, or at least convince them it’s a bad idea and give up on the special characters. 😉
