Use any characters you want in your URLs with ASP.NET 4 and IIS 7!

After spending entirely too much time researching this issue today here is how you can use any characters you want for URLs in ASP.NET 4 and IIS 7. A bit of background: I am writing a web application that has a custom HttpModule and HttpHandler that should handle all requests and not limit the syntax of those requests at all. I could not find the information on how to do this in one place anywhere, and there are a reasonable amount of misleading, unanswered and naive responses on various forums that will likely lead you astray if you have an advanced configuration like mine. There are also a lot of completely out of date posts centered on .NET 1.1 and .NET 2.0.

The first thing I was trying to do was make a POST-ed form value containing a forward slash into something that could be used as a component in a RESTful URL. I tried to accomplish that by implementing a handler for AuthenticateRequest in my HttpModule (you can’t do it in BeginRequest unless you want to read the form data manually because Request.Form is not initialized yet) that would encode the value and call TransferRequest. First that made this happen:

A potentially dangerous Request.Path value was detected from the client (%).

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (%).

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below


Stack Trace:

[HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (%).]
   System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +8815985
   System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +59

Okay. ASP.NET, for security reasons, normally protects your web applications from potentially harmful content being sent to them, which is probably a good thing. But what if we want or need potentially harmful content? Should we be limited? I hoped the answer was “no”, but the almost complete lack of information on the subject sure wasn’t making it seem that way. After some not too helpful reading and some digging with Reflector, I came up with this:

<system.web>
<httpRuntime requestPathInvalidCharacters="" />
<pages validateRequest="false" />
</system.web>

Now no characters are invalid and requests shouldn’t even BE validated right? WRONG. While this did clear up the first exception, I faced a new one. And, while I was not sure if the validateRequest setting would even apply to my case since it is on the pages element, I assure you that for some reason that setting is an integral part of the above and following changes to work properly together. Here was my second roadblock:

Error Summary

HTTP Error 404.11 – Not Found

The request filtering module is configured to deny a request that contains a double escape sequence.

Detailed Error Information
Module RequestFilteringModule
Notification BeginRequest
Handler Clear
Error Code 0x00000000
Requested URL http://localhost:80/Clear/search/x%2Fy
Physical Path D:\Development\Clear\Clear\search\x%2Fy
Logon Method Not yet determined
Logon User Not yet determined
Most likely causes:
  • The request contained a double escape sequence and request filtering is configured on the Web server to deny double escape sequences.
Things you can try:
  • Verify the configuration/system.webServer/security/requestFiltering@allowDoubleEscaping setting in the applicationhost.config or web.confg file.
Links and More Information

This is a security feature. Do not change this feature unless the scope of the change is fully understood. You should take a network trace before changing this value to confirm that the request is not malicious. If double escape sequences are allowed by the server, modify the configuration/system.webServer/security/requestFiltering@allowDoubleEscaping setting. This could be caused by a malformed URL sent to the server by a malicious user.

Great, now it didn’t even look like it was getting from IIS to ASP.NET! However, deciding I “fully understood” the change, this problem was much easier to find a solution to and get past. Once again, it was a simple matter of adding the right magic words to the Web.config:

<system.webServer>
<security>
<requestFiltering allowDoubleEscaping="true" />
</security>
</system.webServer>

Finally my Frankenstein was coming to life and I thought I was in the clear. But, then I realized that when other clients (not form POST-ers who would not realize my HttpModule was secretly processing their inputs) wanted to send me a URL with a forward slash in a path component they would have to double encode or use some other strange method to identify it as a different kind of forward slash than the normal path component delimiter.
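With ASP.NET's path validation and the IIS double-escape filter both switched off by the settings above, the module is the only code left checking path components. The following is an added example, not the author's code: it decodes each component exactly once, so x%2Fy arrives as the single component x/y while a doubly encoded value or a dot segment is refused. The class and method names are hypothetical, and it assumes the module has the still-encoded path available (for example the part of HttpRequest.RawUrl before the query string).

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;

// Hypothetical helper for a custom HttpModule; these names are not an ASP.NET API.
public static class PathComponents
{
    // "%" plus two hex digits surviving one decode means the client encoded twice.
    private static readonly Regex LeftoverEscape = new Regex("%[0-9A-Fa-f]{2}");

    // rawPath must still be percent-encoded (assumed: taken from HttpRequest.RawUrl
    // before '?'), not the already-decoded Request.Path.
    public static IList<string> Parse(string rawPath)
    {
        if (string.IsNullOrEmpty(rawPath) || rawPath[0] != '/')
            throw new FormatException("path must start with '/'");

        var components = new List<string>();
        // Split on literal '/' first so an encoded %2F stays inside its component.
        foreach (string raw in rawPath.Substring(1).Split('/'))
        {
            if (raw.Length == 0) continue;              // "//" or a trailing "/"
            string value = Uri.UnescapeDataString(raw); // decode exactly once
            // Same trade-off as the IIS filter: a literal "%2F" in data is refused too.
            if (LeftoverEscape.IsMatch(value))
                throw new FormatException("double-encoded component: " + raw);
            if (value == "." || value == "..")
                throw new FormatException("dot segment: " + raw);
            if (value.Any(c => char.IsControl(c)))
                throw new FormatException("control character in: " + raw);
            components.Add(value);
        }
        return components;
    }

    // "x/y" or "*" are fine as data but must never be joined into a physical path.
    public static bool IsSafeFileName(string component)
    {
        return component.Length > 0 && component != "." && component != ".."
            && component.IndexOfAny(Path.GetInvalidFileNameChars()) < 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample paths, modelled on the /Clear/search/x%2Fy request above.
        string[] samples = {
            "/Clear/search/x%2Fy",      // encoded slash inside one component
            "/Clear/search/x%252Fy",    // slash encoded twice
            "/Clear/search/%2E%2E/bin", // encoded dot-dot segment
            "/Clear/search/*"           // asterisk component (invalid file name on Windows)
        };
        foreach (string s in samples)
        {
            try
            {
                IList<string> parts = PathComponents.Parse(s);
                Console.WriteLine("{0} -> [{1}] fileSafe={2}", s, string.Join(" | ", parts),
                    PathComponents.IsSafeFileName(parts[parts.Count - 1]));
            }
            catch (FormatException ex) { Console.WriteLine("{0} -> rejected: {1}", s, ex.Message); }
        }
    }
}
```

IsSafeFileName is the check to run before a component goes anywhere near the file system, which is where the framework's own path mapping applies its illegal-character test.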

So, I decided to add a feature to my framework that would allow a syntax to specify that “the rest” of a URL is a single component and to do that I wanted to use “/*”. Convinced I could use any character I wanted now, I went ahead and ran the debugger with my test path, and to my chagrin ran into this little beauty:

System.ArgumentException occurred
Message=Illegal characters in path.
Source=mscorlib
StackTrace:
at System.Security.Permissions.FileIOPermission.HasIllegalCharacters(String[] str)
InnerException:

mscorlib.dll!System.Security.Permissions.FileIOPermission.HasIllegalCharacters(string[] str) + 0x117 bytes
mscorlib.dll!System.Security.Permissions.FileIOPermission.AddPathList(System.Security.Permissions.FileIOPermissionAccess access, System.Security.AccessControl.AccessControlActions control, string[] pathListOrig, bool checkForDuplicates, bool needFullPath, bool copyPathList) + 0x4a bytes
mscorlib.dll!System.Security.Permissions.FileIOPermission.FileIOPermission(System.Security.Permissions.FileIOPermissionAccess access, string[] pathList, bool checkForDuplicates, bool needFullPath) + 0x2c bytes
mscorlib.dll!System.IO.Path.GetFullPath(string path) + 0x5c bytes
System.Web.dll!System.Web.Util.FileUtil.IsSuspiciousPhysicalPath(string physicalPath, out bool pathTooLong) + 0x42 bytes
System.Web.dll!System.Web.Util.FileUtil.IsSuspiciousPhysicalPath(string physicalPath) + 0x18 bytes
System.Web.dll!System.Web.Util.FileUtil.CheckSuspiciousPhysicalPath(string physicalPath) + 0x9 bytes
System.Web.dll!System.Web.CachedPathData.GetPhysicalPath(System.Web.VirtualPath virtualPath) + 0x77 bytes
System.Web.dll!System.Web.CachedPathData.GetConfigPathData(string configPath) + 0x190 bytes
System.Web.dll!System.Web.CachedPathData.GetVirtualPathData(System.Web.VirtualPath virtualPath, bool permitPathsOutsideApp) + 0x6f bytes
System.Web.dll!System.Web.HttpContext.GetFilePathData() + 0x25 bytes
System.Web.dll!System.Web.HttpContext.GetConfigurationPathData() + 0x1b bytes
System.Web.dll!System.Web.Configuration.RuntimeConfig.GetConfig(System.Web.HttpContext context) + 0x2c bytes
System.Web.dll!System.Web.HttpContext.SetImpersonationEnabled() + 0xd bytes
System.Web.dll!System.Web.HttpApplication.AssignContext(System.Web.HttpContext context) + 0x5c bytes
System.Web.dll!System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest wr, System.Web.HttpContext context) + 0x22f bytes
System.Web.dll!System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(System.IntPtr managedHttpContext, System.IntPtr nativeRequestContext, System.IntPtr moduleData, int flags) + 0x1fc bytes
System.Web.dll!System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(System.IntPtr managedHttpContext, System.IntPtr nativeRequestContext, System.IntPtr moduleData, int flags) + 0x29 bytes
[Appdomain Transition]

So, in a last desperate attempt to not have to give up, I circled back to a solution that had not worked for any of the other problems I ran into before and to my surprise, it all worked out. Unfortunately, it requires adding a registry value, apparently making your entire server less secure and not an option except for in the most “all access” hosting environments. Anyway, you need to set the following to get the last few “illegal” characters to be allowed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\VerificationCompatibility = 1 (32-bit DWORD)

Before I get accused of hacking my way out of this, this is actually a recommended fix from Microsoft written when this feature was first added as a service pack for .NET 1.1 but it is apparently still in there and for guys like me who like to push the limits, I thank them for trusting us a tiny bit:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;826437

I did find one posting that sort of talks about this problem (on Scott Hanselman’s blog) but it appears rather than finding a solution they opted to change their URLs to work around the problem. Yes, maybe that was a better idea, but not nearly as FUN:

http://www.hanselman.com/blog/BUGCantUseAnAsteriskAsACharacterWhenRequestingAURLPageFromASPNET.aspx

Hopefully this will help someone get past the issue themselves without all the forumining and experiments, or at least convince them it’s a bad idea and give up on the special characters. 😉
