打开relaxedUrlToFileSystemMapping以允许以“。”结尾的URL的任何潜在安全风险？ [英] Any potential security risks with turning on relaxedUrlToFileSystemMapping to allow URLs having part ending with '.'?

问题描述

我们遇到的问题是，当网址中的任何部分以'。'结尾时，我们的应用程序会失败';由于功能要求，我们无法避免这种情况。建议的解决方案是在web.config文件中打开relaxedUrlToFileSystemMapping。我们想知道这种方法是否存在任何潜在的安全风险。

We are having an issue where our application fails when the URL has any part ending with '.' in it'; we can't avoid this due to functional requirements. The suggested solution is to turn on relaxedUrlToFileSystemMapping in web.config file. We would like to know if there are any potential security risks with this approach.

URL失败的格式： http://server.com/path1/krishnakk./path2

Format of failing URL: http://server.com/path1/krishnakk./path2

它返回404错误。

推荐答案

即使这个问题已有七个月了，如果有其他人遇到这种情况，也可以给出答案。

Even though this question is seven months old, here's an answer in case anyone else comes across a situation like this.

关于问题的安全部分，默认情况下 relaxedUrlToFileSystemMapping 设置为false，ASP .NET假定URL的路径部分是有效的NTFS文件路径。如果通过将 relaxedUrlToFileSystemMapping 设置为true来禁用此功能，那么您可能会打开站点以进行攻击，因为您正在禁用ASP .NET提供的默认保护。

Regarding the security part of the question, by default relaxedUrlToFileSystemMapping is set to false, and ASP .NET assumes that the path portion of a URL is a valid NTFS file path. If you disable this by setting relaxedUrlToFileSystemMapping to true, then you are potentially opening your site up to attack because you're disabling the default protection provided by ASP .NET.

如果您绝对需要将 relaxedUrlToFileSystemMapping 设置为true，那么您还应该确保验证约束中的所有URL您的应用程序的要求。

If you absolutely need to set relaxedUrlToFileSystemMapping to true you should also be sure that you validate all URLs within the constraints of your application's requirements.

这篇关于打开relaxedUrlToFileSystemMapping以允许以“。”结尾的URL的任何潜在安全风险？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！