Login/Register
ASP.NET 4 URL limitations: why URL cannot contain any %3f characters
Asked Answered
Solved urlasp.net-4.0
V

3

9
http://site.com/page%3fcharacter

This URL will return the following error:

Illegal characters in path.

I'm already put this in web.config:

<system.web>
<httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="" />
<pages validateRequest="false"> 
...

How can I fix this error?

Vergara answered 14/5, 2010 at 0:30 Comment(0)
R
29

If you want to allow the request through, you need to add requestPathInvalidCharacters and set it to an empty string:

<system.web>
    <httpRuntime requestPathInvalidCharacters="" />
</system.web>

Edit You should leave your original question in place, because now my answer does not make sense.

But in answer to your second question, that it's because %3f corresponds to '?' which is not allowed in file names on Windows. You can set the relaxedUrlToFileSystemMapping property to true to change this behaviour:

<system.web>
    <httpRuntime requestPathInvalidCharacters=""
                 relaxedUrlToFileSystemMapping="true" />
</system.web>

You might want to look through all of the properties in the HttpRuntimeSection class to see if there's any others that might apply.

You can also implement a sub class of RequestValidator and set up your web.config to use your subclass (that will presumably allow all URLs through?). Personally, I wouldn't bother and just let the built-in classes handle it. It's unlikely that a normal user is every going to accidentally type in "%3f" in a path, and why bother going to so much trouble to improve the use-case for malicious users?

This, by the way, is actually a new feature in ASP.NET 4, which is why Stack Overflow doesn't spit out an error: it's running on .NET 3.5.

Retch answered 14/5, 2010 at 0:37 Comment(4)
That solved the problem. but I get another error for another url. I will edit the question.Vergara
1. Rewrite the path. 2. return a blank page (or custom error page). 3. redirect to home page. I want to have the power to decide how to respond to this kind of error.Vergara
Can I have integration tests for this? #2831575Vergara
hi,I have used "relaxedUrlToFileSystemMapping="true"",but this could not run in live,only working in mylocalGecko
K
14

Here's a nice article by Hanselman explaining all the nooks and crannies related to your issue:

Experiments in Wackiness: Allowing percents, angle-brackets, and other naughty things in the ASP.NET/IIS Request URL

Kristankriste answered 9/7, 2010 at 12:40 Comment(0)
S
2

Probably because that looks a lot like a malformed url.

& is used as a separator for the query string parameters i.e. site.com/page?some=20&another=15

Schug answered 14/5, 2010 at 0:33 Comment(1)
That's right. but imagine that someone post a url like this to your site and the user see an error like this... this confusing!Vergara

© 2022 - 2024 — McMap. All rights reserved.