是启用双转义危险? [英] Is Enabling Double Escaping Dangerous?
问题描述
我有允许通过/搜索/&LT寻找的东西路由的ASP.NET MVC应用程序,搜索关键词>。
I have an ASP.NET MVC application with a route that allows searching for stuff via /search/<searchterm>.
在我公司供应的搜索/ ABC它工作得很好,但是当我提供/搜索/ A + B + C(正确的URL连接codeD),然后IIS7拒绝HTTP错误404.11请求(请求筛选模块被配置为拒绝包含一个双转义序列<请求/ EM>)。首先,它为什么要这样做呢?它似乎只抛出错误,如果它是URL的一部分,但不是作为查询字符串的一部分(/发送Q = A + B + C正常工作)。
When I supply "search/abc" it works well, but when I supply "/search/a+b+c" (correctly url encoded) then IIS7 rejects the request with HTTP Error 404.11 (The request filtering module is configured to deny a request that contains a double escape sequence). FIrst of all, why does it do this? It only seems to throw the error if it is part of the URL, but not as part of a query string ( /transmit?q=a+b+c works fine).
现在我能够在我的web.config的保卫科双逃生的要求,但我不愿这样做,因为我不理解的含义,也不为什么,服务器会拒绝请求A + B + C作为URL的一部分,但接受作为查询字符串的一部分。
Now I could enable double escape requests in the security section of my web.config but I'm hesitant to do so as I don't understand the implications, and neither why the server would reject the request "a+b+c" as part of the URL but accept as part of a query string.
有人可以解释并提供一些意见怎么办?
Can someone explain and give some advice what to do?
推荐答案
的 编辑:的加强调相关章节
Added emphasis to relevant sections.
基本上是:IIS进行了过度的偏执。如果你没有做任何事情与URI德codeD数据(如生成本地文件系统的URI通过字符串连接),特别是不明智的,你可以放心禁用此检查。
Basically: IIS is being excessively paranoid. You can safely disable this check if you're not doing anything particularly unwise with the uri decoded data (such as generating local filesystem URI's via string concatenation).
要禁用检查做如下设置(<一href=\"http://www.ifinity.com.au/Blog/Technical_Blog/EntryId/60/404-Error-in-IIS-7-when-using-a-Url-with-a-plus-sign-in-the-path\">here或这里)(请参阅下面我的评论什么转义双限嗣继承)<。 / p>
To disable the check do the following (from here or here): (see my comment below for what double escaping entails).
<system.webServer>
<security>
<requestFiltering allowDoubleEscaping="true"/>
</security>
</system.webServer>
如果加号是一个搜索输入一个有效的字符,你会的需求的启用allowDoubleEscaping允许IIS以处理来自URI的路径,例如输入。
If the plus symbol is a valid character in a search input, you will need to enable "allowDoubleEscaping" to permit IIS to process such input from the URI's path.
最后,一个很简单的,如果限制的解决方法是简单地避免+和使用%20代替。 在任何情况下,使用+符号连接codeA空间的不的有效URL编码,但具体到一组有限的协议,可能为得到广泛支持向后兼容的原因。如果只是为了标准化的目的,你最好编码空格作为%20无论如何;这很好地回避了问题IIS7(仍可以裁剪为其它序列,如%25AB)。
Finally, a very simple, if limited workaround is simply to avoid '+' and use '%20' instead. In any case, using the '+' symbol to encode a space is not valid url encoding, but specific to a limited set of protocols and probably widely supported for backwards-compatibility reasons. If only for canonicalization purposes, you're better off encoding spaces as '%20' anyhow; and this nicely sidesteps the IIS7 issue (which can still crop up for other sequences, such as %25ab.)
这篇关于是启用双转义危险?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
