Is PUT broken by default in ASP.NET MVC?


Problem description


I created a new ASP.NET MVC project, updated NuGet packages (to <package id="Microsoft.AspNet.Mvc" version="5.2.3" targetFramework="net451" /> ) and added a controller:

public class HomeController : Controller
{
    [AcceptVerbs(HttpVerbs.Get | HttpVerbs.Put | HttpVerbs.Post)]
    public string Index()
    {
        return "bombaclat";
    }
}

I ran it on IIS Express and found out that PUT returns 404 from IIS StaticFile handler (both GET and POST work just fine).

I can fix it either by allowing all verbs for ExtensionlessUrlHandler:

<system.webServer>
  <handlers>
    <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
    <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
  </handlers>
</system.webServer>

Or by running UrlRoutingModule for every request:

<system.webServer>
  <modules>
    <remove name="UrlRoutingModule-4.0" />
    <add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" preCondition="" />
  </modules>
</system.webServer>

(and so, setting RAMMFAR to true will work as well)

  1. Is it by design that I need to mess with Web.config to make PUT work?
  2. Are the solutions equivalent? If no, what are the differences, and how should I decide which one to use?
  3. Is there a reason PUT is disabled for ExtensionlessUrlHandler by default?

(just in case: I'm on Windows 8.1 Enterprise, VS 2013, IIS 8).


UPD: If you tick WebApi when creating the project, VS will add the ExtensionlessUrlHandler config part. So, I guess it's safe to use it.

Solution

I have never seen other mentions of security, but the issue I myself and other colleagues have run into (usually once per person :)) is the WebDAV issue mentioned by Slicksim.

You could try this in your web.config:

<system.webServer>
  <modules>
    <remove name="WebDAVModule" />
  </modules>
  <handlers>
    <remove name="WebDAV" />
    <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
    <remove name="OPTIONSVerbHandler" />
    <remove name="TRACEVerbHandler" />
    <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
  </handlers>
<!--all the other webserver stuff -->
</system.webServer>

I suppose you could also remove WebDAV completely from your IIS, but I think the above is enough.
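
A way to review a Web.config for the settings this thread discusses, as an added example that is not code from the question or the answer: it reports wildcard or incomplete handler verb lists, the two "run for every request" module settings, and whether the WebDAV entries are removed. The function name `audit` and the `needed` verb list are assumptions chosen for illustration; the sample input is the answer's fragment wrapped in `<configuration>`.

```python
import xml.etree.ElementTree as ET

# Constructed input: the <system.webServer> fragment from the answer above,
# wrapped in <configuration> as it would appear in a Web.config file.
ANSWER_CONFIG = """<configuration><system.webServer>
  <modules><remove name="WebDAVModule" /></modules>
  <handlers>
    <remove name="WebDAV" />
    <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
    <remove name="OPTIONSVerbHandler" />
    <remove name="TRACEVerbHandler" />
    <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*"
         type="System.Web.Handlers.TransferRequestHandler"
         preCondition="integratedMode,runtimeVersionv4.0" />
  </handlers>
</system.webServer></configuration>"""

def audit(web_config, needed=("GET", "HEAD", "POST", "PUT")):
    """List findings; `needed` (assumption) is the methods the app's actions accept."""
    root = ET.fromstring(web_config)
    ws = root if root.tag == "system.webServer" else root.find("system.webServer")
    if ws is None:
        return ["no <system.webServer> section: server-level defaults apply"]
    findings = []
    for add in ws.findall("handlers/add"):
        verbs = {v.strip().upper() for v in add.get("verb", "").split(",")}
        if "*" in verbs:
            findings.append(f'{add.get("name")}: verb="*" maps every method; '
                            f'an explicit list is verb="{",".join(needed)}"')
        elif missing := [v for v in needed if v not in verbs]:
            findings.append(f'{add.get("name")}: no mapping for {",".join(missing)}')
    modules = ws.find("modules")
    if modules is not None:
        if modules.get("runAllManagedModulesForAllRequests", "").lower() == "true":
            findings.append("modules: RAMMFAR=true runs managed modules for every request")
        for add in modules.findall("add"):
            if add.get("name", "").startswith("UrlRoutingModule") and not add.get("preCondition"):
                findings.append(f'{add.get("name")}: empty preCondition runs routing for every request')
    # <remove> entries under both <modules> and <handlers>
    removed = {r.get("name") for r in ws.iter("remove")}
    findings += [f"{n}: not removed in this file (the answer's WebDAV fix removes it)"
                 for n in ("WebDAVModule", "WebDAV") if n not in removed]
    return findings

if __name__ == "__main__":
    for line in audit(ANSWER_CONFIG):
        print(line)
```

It only inspects the file it is given; handler and module entries inherited from the server-level configuration are not visible to it.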
