How do I block requests for all *.php, *.cgi, etc. pages from inside an ASP.NET MVC 1.0 app hosted in IIS7?

4

15

I'd like to block requests to any .php or .cgi regardless of the pathing information.

For example, when the following url is used:

http://mysite/Admin/Scripts/Setup.php

It matches an existing route:

routeCollection.MapRoute("Admin", "admin/{controller}/{action}/{uid}/{*pathInfo}", new { controller = "Admin", action = "Index", uid = "" });

However there is no controller for scripts so MVC throws the following:

The IControllerFactory '' did not return a controller for a controller named 'scripts'.

What I'd really prefer is that the request is simply met with a hard fail before MVC ever got to the controller.

I know that I can do this by hooking the Application_BeginRequest in the Global.asax and throwing a new HttpException(404, "Not Found") but that's not quite the elegant solution I'm looking for.

I was really hoping that this would work:

routeCollection.IgnoreRoute("{resource}.php/{*pathInfo}");

But it doesn't.

NOTE: Sean Lynch's answer works great but I still would really like a System.Web.Routing or System.Web.Mvc based solution. That way I can allow my users to add their own exclusions at runtime.

Milligan answered 8/10, 2009 at 17:44 Comment(1)
This isn't an answer but I would certainly play around with Phil Haack's route debugger: haacked.com/archive/2008/03/13/url-routing-debugger.aspx It will let you know what route takes whatever url you are testing. Also I would look into disabling existing file mapping. - Banneret
11

If your hosting provider supports the IIS7 URL Rewrite module then you could check out this link:

http://learn.iis.net/page.aspx/499/request-blocking---rule-template/

Update: here is what you would put into your web.config in the system.webServer section:

<system.webServer>
    <rewrite>
        <rules>
            <rule name="RequestBlockingRule1" patternSyntax="Wildcard">
                <match url="*" />
                <conditions>
                    <add input="{URL}" pattern="*.php*" />
                </conditions>
                <action type="CustomResponse" statusCode="403" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>
Windpollinated answered 8/10, 2009 at 17:51 Comment(8)
I second that. Use the AbortRequest action type and the request will never get any further. - Crore
Can URL Rewrite module rules be added from within my application, or from within the application directory on the disk, or must I use IIS Manager to configure them? - Milligan
You can define the rules in the web.config of your application, so you don't need to use IIS Manager to configure them. However, I am not sure of the exact XML that would be used. I don't have access to IIS Manager right now to try it out. - Windpollinated
But I have done it with the path rewriting, and just copied the web.config up. - Windpollinated
I have added the code for the web.config that IIS Manager generated. - Windpollinated
I have investigated this and I like it. In the process I also looked at the Request Filtering module and I actually like that better. It's much simpler to configure and highly effective. I'm not 100% sure but it may even run earlier in the pipeline than the URL Rewrite module. - Milligan
This answer works great but I would really like a System.Web.Routing or System.Web.MVC solution to this. - Milligan
Well, after a few days of messing around with other approaches I like this one the best, by far! It's convenient, not messy, doesn't require a recompile (well, outside of what ASP.NET does on its own) and built-in (so well supported). I haven't figured out if I can programmatically add new rules on the fly, but that's not a critical requirement. - Milligan
16

I know this is an old post but if you're looking for an ignore route for php requests (and some others), including requests within sub folders, then I have found the code below works well (adapted from the ignore routes post from Phil Haack).

I also added a specific ignore route for the occasional apple touch icon request (using a wildcard for the different dimensions) and allowed for the different file extensions for the favicon (Google toolbar and some other browsers look for png and gif favicons).

Of course you could add an ignore route for all image file extensions but in my case I still want to route some of the other requests.

routes.IgnoreRoute("{*allphp}", new { allphp = @".*\.php(/.*)?" });
routes.IgnoreRoute("{*allcgi}", new { allcgi = @".*\.cgi(/.*)?" });
routes.IgnoreRoute("{*allaspx}", new { allaspx = @".*\.aspx(/.*)?" });

routes.IgnoreRoute("{*favicons}", new { favicons = @".*favicon\.(ico|gif|png)(/.*)?" });
routes.IgnoreRoute("{*allappleicon}", new { allappleicon = @"apple-touch-icon-.*\.png(/.*)?" });

Despite having these ignore routes, I still think that using request blocking for php files is preferable if you have access to do it.

Compatriot answered 9/11, 2011 at 18:50 Comment(1)
Just a little note about the apple-touch-icon: the RegEx to use should be routes.IgnoreRoute("{*allappleicon}", new { allappleicon = @"apple-touch-icon-?.*\.png(/.*)?" }); because your version wasn't excluding the apple-touch-icon.png - Camarata
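
A routing-only variant of the ignore routes above whose extension list can grow at runtime, as the question asks. This is an added example, not code from the answer or from ASP.NET: `ExcludedExtensions` and `ExclusionRoutes` are hypothetical names, and only `IRouteConstraint`, `Route`, `RouteValueDictionary` and `StopRoutingHandler` come from System.Web.Routing.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Routing;

// Hypothetical helper: matches when any path segment ends in a listed extension.
public sealed class ExcludedExtensions : IRouteConstraint
{
    private readonly object _gate = new object();
    private readonly HashSet<string> _extensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase);

    // Accepts "php" or ".php"; safe to call while requests are being served.
    public void Add(string extension)
    {
        string ext = "." + extension.Trim().TrimStart('.');
        lock (_gate) { _extensions.Add(ext); }
    }

    public bool Match(HttpContextBase httpContext, Route route, string parameterName,
                      RouteValueDictionary values, RouteDirection routeDirection)
    {
        // Filter incoming requests only, so URL generation never picks this route.
        if (routeDirection != RouteDirection.IncomingRequest) return false;
        string path = values[parameterName] as string;
        if (string.IsNullOrEmpty(path)) return false;
        lock (_gate)
        {
            // Check every segment so "Admin/Scripts/Setup.php/extra" is caught too.
            foreach (string segment in path.Split('/'))
                if (segment.Contains(".") && _extensions.Contains(
                        segment.Substring(segment.LastIndexOf('.')))) return true;
        }
        return false;
    }
}

public static class ExclusionRoutes
{
    public static readonly ExcludedExtensions Excluded = new ExcludedExtensions();
    // Call first in RegisterRoutes, before any MapRoute, so this route wins the match.
    public static void Register(RouteCollection routes)
    {
        Excluded.Add("php");
        Excluded.Add("cgi");
        Route stop = new Route("{*path}", new StopRoutingHandler());
        stop.Constraints = new RouteValueDictionary { { "path", Excluded } };
        routes.Add(stop);
    }
}
```

Later calls such as `ExclusionRoutes.Excluded.Add("pl")` take effect on the next request without touching the route table. Like `IgnoreRoute`, this only stops routing and hands the request back to IIS; it does not set a response status itself.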
0

I found "How to ignore route in asp.net forms url routing", which might work for this. It uses the StopRoutingHandler class, and as long as the requests to .php do run through the routing this will probably work.

If the .php requests are not going through the routing handler then this probably wouldn't work.

Windpollinated answered 8/10, 2009 at 20:4 Comment(0)
0

You could block these extensions before it even hits IIS with Microsoft's UrlScan ISAPI Filter.

Opportunist answered 9/10, 2009 at 2:36 Comment(0)
