Login/Register
ASP.NET MVC4... is "BIN" a reserved keyword?
Asked Answered
Solved c#asp.net-mvcasp.net-mvc-4iisasp.net-routing
H

1

11

I have a stock query application that returns data based upon a stock symbol.

Basically, the AJAX call goes to ~/Stocks/GetStockData/{id} where the {id} is the stock symbol.

This works fine... generally. Today I found that the stock "Progressive Waste Solutions Ltd.", which has a symbol of BIN, blew up. Looking at the return data in the browser, I see it's returning a 404 for this symbol.

It occurred to me that BIN might be a reserved word, asking for some binary file or something. Is this the case? How do I work around this without a whole lot of effort? Are there other keywords that will also cause this problem?

UPDATE

Per Artyom Neustroev, this could be a reserved keyword, and would be protected from routing to. He referenced an article which referenced a website which stated the way around this was to add the following configuration setting in the config file:

<configuration>
  <system.web>
    <httpRuntime relaxedUrlToFileSystemMapping="true"/>

    <!-- ... your other settings ... -->
  </system.web>
</configuration>

...which got me further. Upon running my site with this, the ajax call returned a 404.8 error:

HTTP Error 404.8 - Not Found
The request filtering module is configured to deny a path in the URL that contains a hiddenSegment section.

OK, this actually sorta makes sense. The routing was set to prevent someone from getting into my bin directory, and I approve of that sort of prevention.

So I'm wondering how to tell a particular group of methods that getting stuff like BIN, or CONFIG (theoretically) is ok if there is a defined route for it?

Haustellum answered 12/4, 2014 at 12:44 Comment(7)
I strongly doubt that. You're just transmitting a string value, nothing should interpret that as something else. Have you got any internal error messages that could help us?Hennery
This is actually possible. See this question: #6195124Devinna
Yep. It's related to the security filter which protects internal ASP.NET files such as web.config and the Bin folder. According to the linked blog post by Phil Haack, using relaxed URL rules should be a workaround.Latrena
Is there any source on that? The above source and this one only refer to that list of COM1-9, LPT1-9, AUX, PRT, NUL, CON.Hennery
Hmmm... adding that config gets me to HTTP Error 404.8 - Not Found The request filtering module is configured to deny a path in the URL that contains a hiddenSegment section.Haustellum
@JeremyHolovacs take a look at this. The bin keyword is also there by default, I guess.Devinna
Yeah, that would require me to expose my bin directory I think... something to be avoided. I think I may be able to avoid that by making the AJAX call a POST instead of a GET.Haustellum
H
10

So here is a synopsis:

The routing mechanism takes into account hidden directories and files (like web.config, /bin, etc) and hides them from people. For some of these, the rules can be relaxed a bit, as they are handled in code. These "keywords" are: CON, COM1, COM2, COM3, COM4, LPT1, LPT2, AUX, PRN, and NUL. These can actually be referenced with a change to your web.config file as such:

<configuration>
  <system.web>
    <httpRuntime relaxedUrlToFileSystemMapping="true"/>

    <!-- ... your other settings ... -->
  </system.web>
</configuration>

However, the other type of hidden keywords are not managed in code, but rather in IIS. You have two options for these. You can modify the IIS settings as suggested by Artyom Neustroev (he links to this), which strikes me as a little dangerous, but I expect it would work.

The other option, the one I went with, was to change my AJAX call to a POST method. Then the value is not in the URL, and the whole issue is circumvented.

Thanks to everyone that got me to this point.

Haustellum answered 12/4, 2014 at 13:45 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.