为什么一些“具有潜在危险的Request的”HttpExceptions忽略httpErrors设置？ [英] Why do some 'potentially dangerous Request.Path' HttpExceptions ignore httpErrors settings?

问题描述

我有一个.net网站，自定义错误页使用的web.config配置的 httpErrors 部分：

I have a .Net website with custom error pages configured using the web.config httpErrors section:

<httpErrors errorMode="Custom" existingResponse="Replace">
  <clear/>
  <error statusCode="400" path="/page-not-found/" responseMode="ExecuteURL" />
  <error statusCode="404" path="/page-not-found/" responseMode="ExecuteURL" />
  <error statusCode="500" path="/error/" responseMode="ExecuteURL" />
</httpErrors>

和

<httpRuntime requestValidationMode="2.0" targetFramework="4.5" />

当我访问 http://www.example.com/< 网站显示正确的找不到网页页面，但是如果我访问 http://www.example.com/<a 它显示了500的地位code响应头一个YSOD。

When I visit http://www.example.com/< the site displays the correct "page not found" page, however if I visit http://www.example.com/<a it displays a YSOD with a 500 status code response header.

我ELMAH迷上了和这两个URL predictably抛出一模一样的误差 System.Web.HttpException：从客户端检测到潜在危险Request的值（小于）<。 / code>

I have Elmah hooked up and both URLs predictably throw exactly the same error System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (<).

但为什么两个URL处理不一样？为什么是一款重写我的自定义错误页，而其他没有？我希望从任何异常相同的行为。

But why are the two URLs not handled the same? Why is one rewritten to my custom error page, and the other not? I would expect the same behaviour from any exception.

编辑：

我应该提到了前面，这是一把umbraco项目。我认为这不是一个因素，但我创建了一个准系统.NET项目，没有相关性，这预期一样，即两个URL听从httpErrors配置。因此，这一定有什么具体的一把umbraco，可能是一个模块。

I should have mentioned up front that this was an Umbraco project. I thought that this wasn't a contributing factor but I created a barebones .Net project with no dependencies and this worked as expected, i.e. both URLs obeyed the httpErrors configuration. So this must be something Umbraco specific, probably a module.

推荐答案

相当数量的挖掘之后，我可以看到，这实际上是由一个叫做的 ClientDependency 。这和正常行为除去返回，但显然在这种情况下，后台将不能正常工作。

After a fair amount of digging, I can see that this was actually caused by a 3rd party module called ClientDependency. Removal of this and the normal behaviour returned but obviously in this case the backoffice will not function properly.

该项目的补丁程序是必需的，我已经提交了这一点。

A patch on the project is required and I've submitted this.

更新：

在ClientDependency此bug已被修正为v1.8.3的

This bug in ClientDependency has been fixed as of v1.8.3

这篇关于为什么一些“具有潜在危险的Request的”HttpExceptions忽略httpErrors设置？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！