HTTP模块截获请求，并打破了自定义错误配置 [英] HTTP Module intercept requests and breaks custom errors configuration

问题描述

我有在IIS 8.5和部署后在本地运行，在Azure网站的ASP.NET MVC 5 Web应用程序 - 在这两种情况下，将在后面描述的行为是一样的。

。

我在web.config配置以下的自定义错误页管理（它涵盖了我的自定义错误的所有情况下，它已经过测试，它的工作伟大）：

 ＆LT; system.webServer＆GT;
  ＆LT; httpErrors errorMode =自定义existingResponse =替换＆GT;
    ＆LT;清/＆GT;
    ＆LT;错误状态code =400responseMode =ExecuteURL路径=/应用/错误/＆GT;
    ＆LT;错误状态code =403responseMode =ExecuteURL路径=/应用/错误/禁止/＆GT;
    ＆LT;错误状态code =404responseMode =ExecuteURL路径=/应用/错误/ NOTFOUND/＆GT;
    ＆LT;错误状态code =500responseMode =ExecuteURL路径=/应用/错误/＆GT;
  ＆LT; / httpErrors＆GT;
＆LT; /system.webServer>
 

另外，我有同样的Web.config中配置一个像这样的HTTP模块：

 ＆LT; system.webServer＆GT;
＆LT;模块＆gt;
  ＆LT;添加名称=ImageProcessorModuleTYPE =ImageProcessor.Web.HttpModules.ImageProcessingModule，ImageProcessor.Web/＆GT;
 ＆LT; /模块＆gt;
＆LT; /system.webServer>
 

这是我的问题是这样的：如果我做喜欢到一个陌生的URL请求 ... / C＆LT; ，应用程序执行的500定制在web.config文件中指示错误的路径。
但是，如果我在做一个陌生人URL的请求（模拟一个html标记），如 ... / c为C ，虽然导致错误500，不再被执行自定义错误，因为据此来详细的错误，HTTP模块可以截取电话和决定只显示YSOD ...

这是我得到的消息是：

  

从客户端（=/应用程序/检测到有潜在危险的Request.RawUrl值

和很容易看出，这是由webmodule因为堆栈跟踪的原因造成的：

  

[Htt的prequestValidationException（0X80004005）：从客户端检测到潜在危险Request.RawUrl值（=/应用/ d__10.MoveNext（）+201
         System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess（任务任务）+144 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification（任务任务）+84
         System.Web.TaskAsyncHelper.EndTask（IAsyncResult的AR）+98
                         System.Web.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute（）434
         System.Web.HttpApplication.ExecuteStep（IExecutionStep一步，布尔和放大器; completedSynchronously）+ 288

如果我从web.config注释掉图像处理器模块，符合市场预期一切运行。

为什么在这种情况下，自定义错误的路径没有得到执行？

感谢您的时间和答案。

解决方案

我非常强烈怀疑这是图像处理器。

据报道，客户依赖（为一把umbraco模块）完全相同的问题，它，而完全无关，是同类的，因为它是访问 Context.Request.RawUrl 在请求管道的同台演出。

您有两种选择： -

1. 找到一种方法来设置 runAllManagedModulesForAllRequests =FALSE在不影响您的HTTP模块的行为




2. 看看你是否可以提交一个补丁<一个href=\"https://github.com/JimBobSquarePants/ImageProcessor/blob/f4080c3217107eb7a571eb69e54cc5e69e1c892c/src/ImageProcessor.Web/HttpModules/ImageProcessingModule.cs\" rel=\"nofollow\">https://github.com/JimBobSquarePants/ImageProcessor/blob/f4080c3217107eb7a571eb69e54cc5e69e1c892c/src/ImageProcessor.Web/HttpModules/ImageProcessingModule.cs使用 Request.Unverified.RawUrl 而不是 Request.RawUrl

I have an ASP.NET MVC 5 web application which runs locally on IIS 8.5 and after deployment, on Azure Websites - on both cases, the behavior that will be later described is the same.

I configured in the web.config the following custom errors page management (it covers all my cases of custom errors and it has been tested and it's working great):

<system.webServer>
  <httpErrors errorMode="Custom" existingResponse="Replace">
    <clear />
    <error statusCode="400" responseMode="ExecuteURL" path="/App/Error"/>
    <error statusCode="403" responseMode="ExecuteURL" path="/App/Error/Forbidden" />
    <error statusCode="404" responseMode="ExecuteURL" path="/App/Error/NotFound" />
    <error statusCode="500" responseMode="ExecuteURL" path="/App/Error" />
  </httpErrors>
</system.webServer>

Also, I have an HTTP Module configured in the same web.config like this:

<system.webServer>
<modules>
  <add name="ImageProcessorModule" type="ImageProcessor.Web.HttpModules.ImageProcessingModule, ImageProcessor.Web" />
 </modules>
</system.webServer>

The issue that I have is like this: if I'm making a request to a strange URL like .../c<, the application executes the 500 custom error path as instructed in the web.config file. But, if I'm making a request to a stranger URL (to simulate an html tag) like .../<c, though the resulted error is 500, the custom error is not executed anymore, because accordingly to the detailed error, the HTTP Module intercept the call and "decides" to just show a YSOD...

The message that I get is:

A potentially dangerous Request.RawUrl value was detected from the client (="/App/

And is easy to see that this is caused by the webmodule because of the stacktrace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.RawUrl value was detected from the client (="/App/d__10.MoveNext() +201 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84 System.Web.TaskAsyncHelper.EndTask(IAsyncResult ar) +98 System.Web.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +434 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +288

If I'm commenting out the Image Processor Module from the web.config, everything runs as expected.

Why in this case, the custom error path doesn't get executed?

Thank you for your time and answers.

解决方案

I very strongly suspect this is a bug in Image Processor.

The exact same issue was reported in Client Dependency (a module for Umbraco) which, while completely unrelated, is similar in that it was accessing Context.Request.RawUrl at the same stage of the request pipeline.

You have two options:-

1. Find a way to set runAllManagedModulesForAllRequests="false" without impacting the behaviour of your http modules

2. See if you can submit a patch to https://github.com/JimBobSquarePants/ImageProcessor/blob/f4080c3217107eb7a571eb69e54cc5e69e1c892c/src/ImageProcessor.Web/HttpModules/ImageProcessingModule.cs to use Request.Unverified.RawUrl instead of Request.RawUrl

这篇关于HTTP模块截获请求，并打破了自定义错误配置的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！