C# 启用双重转义危险吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1453218/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Is Enabling Double Escaping Dangerous?
提问by Alex
I have an ASP.NET MVC application with a route that allows searching for stuff via /search/<searchterm>.
我有一个 ASP.NET MVC 应用程序,其路由允许通过 /search/<searchterm> 搜索内容。
When I supply "search/abc" it works well, but when I supply "/search/a+b+c" (correctly url encoded) then IIS7 rejects the request with HTTP Error 404.11 (The request filtering module is configured to deny a request that contains a double escape sequence). FIrst of all, why does it do this? It only seems to throw the error if it is part of the URL, but not as part of a query string ( /transmit?q=a+b+c works fine).
当我提供“search/abc”时,它运行良好,但是当我提供“/search/a+b+c”(正确的 url 编码)时,IIS7 拒绝了 HTTP 错误 404.11的请求(请求过滤模块被配置为拒绝包含双转义序列的请求)。首先,它为什么要这样做?如果它是 URL 的一部分,它似乎只会抛出错误,而不是作为查询字符串的一部分( /transmit?q=a+b+c 工作正常)。
Now I could enable double escape requests in the security section of my web.config but I'm hesitant to do so as I don't understand the implications, and neither why the server would reject the request "a+b+c" as part of the URL but accept as part of a query string.
现在我可以在我的 web.config 的安全部分启用双重转义请求,但我很犹豫,因为我不明白其中的含义,也不明白为什么服务器会拒绝请求“a+b+c”作为URL 的一部分,但接受作为查询字符串的一部分。
Can someone explain and give some advice what to do?
有人可以解释并给出一些建议该怎么做吗?
采纳答案by Eamon Nerbonne
Edit:Added emphasis to relevant sections.
编辑:增加了对相关部分的强调。
Basically: IIS is being excessively paranoid. You can safely disable this check if you're not doing anything particularly unwise with the uri decoded data (such as generating local filesystem URI's via string concatenation).
基本上:IIS 过于偏执。如果您没有对 uri 解码数据执行任何特别不明智的操作(例如通过字符串连接生成本地文件系统 URI),则可以安全地禁用此检查。
To disable the check do the following (from here): (see my comment below for what double escaping entails).
要禁用检查,请执行以下操作(从此处):(有关双重转义的内容,请参阅下面的评论)。
<system.webServer>
<security>
<requestFiltering allowDoubleEscaping="true"/>
</security>
</system.webServer>
If the plus symbol is a valid character in a search input, you will needto enable "allowDoubleEscaping" to permit IIS to process such input from the URI's path.
如果加号是搜索输入中的有效字符,则需要启用“allowDoubleEscaping”以允许 IIS 处理来自 URI 路径的此类输入。
Finally, a very simple, if limited workaround is simply to avoid '+' and use '%20' instead. In any case, using the '+' symbol to encode a space is notvalid url encoding, but specific to a limited set of protocols and probably widely supported for backwards-compatibility reasons. If only for canonicalization purposes, you're better off encoding spaces as '%20' anyhow; and this nicely sidesteps the IIS7 issue (which can still crop up for other sequences, such as %25ab.)
最后,一个非常简单但有限的解决方法是避免使用“+”并使用“%20”代替。 在任何情况下,使用“+”符号对空格进行编码都不是有效的 url encoding,而是特定于一组有限的协议,并且可能出于向后兼容性原因而得到广泛支持。如果只是为了规范化的目的,无论如何最好将空格编码为 '%20';这很好地回避了 IIS7 问题(对于其他序列,例如 %25ab,它仍然会出现。)
回答by Charlino
Have you thought about having the search URL like '/search/a/b/c'?
你有没有想过像'/search/a/b/c'这样的搜索URL?
You'd need to setup a route like
你需要设置一个像
search/{*path}
And then extract the search values from your path string in the action.
然后从操作中的路径字符串中提取搜索值。
HTHs
Charles
HTH
查尔斯
回答by mhenry1384
I ran into this under IIS 7.5 doing a Server.TransferRequest() in an application.
我在 IIS 7.5 下在应用程序中执行 Server.TransferRequest() 时遇到了这个问题。
Encoding the filename caused the double-escape problem, but if I didn't encode it then I'd run into the "potentially dangerous Request.Path"error.
对文件名进行编码会导致双重转义问题,但如果我没有对其进行编码,则会遇到 “潜在危险的 Request.Path”错误。
Putting an any protocol, even an empty one, on the URL I pass to Server.TranferRequest() fixed the problem.
在我传递给 Server.TranferRequest() 的 URL 上放置任何协议,甚至是空协议都解决了这个问题。
Does not work:
不起作用:
context.Server.TransferRequest("/application_name/folder/bar%20bar.jpg");
Works:
作品:
context.Server.TransferRequest("://folder/bar%20bar.jpg");
回答by Sk8erPeter
I would just like to addsome information to Eamon Nerbonne's answerrelated to the "what to do" part of your question (not explaining the whys).
You can easily change a particular application's settings too with
我只想在Eamon Nerbonne 的回答中添加一些与您问题的“做什么”部分相关的信息(不解释原因)。
您也可以使用以下命令轻松更改特定应用程序的设置
- opening the console with admin rights(Start - cmd - right click, Run as administrator)
typing in the following (taken from here: http://blogs.iis.net/thomad/archive/2007/12/17/iis7-rejecting-urls-containing.aspx):
%windir%\system32\inetsrv\appcmd set config "YOURSITENAME" -section:system.webServer/security/requestfiltering -allowDoubleEscaping:true(you can e.g. substitute
YOURSITENAMEwithDefault Web Sitefor applying this rule to the default website)- Enter, ready.
- 以管理员权限打开控制台(开始 - cmd - 右键单击,以管理员身份运行)
输入以下内容(取自此处:http: //blogs.iis.net/thomad/archive/2007/12/17/iis7-rejecting-urls- contains.aspx):
%windir%\system32\inetsrv\appcmd set config "YOURSITENAME" -section:system.webServer/security/requestfiltering -allowDoubleEscaping:true(例如
YOURSITENAME,您可以替换Default Web Site为将此规则应用于默认网站)- 进入,准备好了。
An example:
一个例子:
- firstly I had the same problem:
- Typing in the text mentioned above:
- Now it works as expected:
- 首先我遇到了同样的问题:
- 输入上面提到的文本:
- 现在它按预期工作:
