Any potential security risks with turning on relaxedUrlToFileSystemMapping to allow URLs having a part ending with '.'?


Question

We are having an issue where our application fails when the URL has any part ending with '.' in it; we can't avoid this due to functional requirements. The suggested solution is to turn on relaxedUrlToFileSystemMapping in the web.config file. We would like to know if there are any potential security risks with this approach.

Format of failing URL: http://server.com/path1/krishnakk./path2

It returns a 404 error.

Accepted answer

Even though this question is seven months old, here's an answer in case anyone else comes across a situation like this.

Regarding the security part of the question, by default relaxedUrlToFileSystemMapping is set to false, and ASP.NET assumes that the path portion of a URL is a valid NTFS file path. If you disable this by setting relaxedUrlToFileSystemMapping to true, then you are potentially opening your site up to attack because you're disabling the default protection provided by ASP.NET.

If you absolutely need to set relaxedUrlToFileSystemMapping to true, you should also be sure that you validate all URLs within the constraints of your application's requirements.
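The following is an added illustration of the validation the answer calls for. It is example code written for this page, not code from the question, the answer, or ASP.NET itself; the class name `UrlPathPolicy`, the method names and the allow-list pattern are assumptions, and the .NET Framework 4.x `web.config` fragment in the comment is the setting the question proposes to turn on. The policy permits a segment that ends in '.' (the functional requirement) while still refusing the characters and names that only matter once ASP.NET stops checking that the path is a valid NTFS path.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web;

// web.config fragment the question's suggested fix enables (assumed .NET Framework 4.x):
//   <system.web>
//     <httpRuntime relaxedUrlToFileSystemMapping="true" />
//   </system.web>
// Once that is set, ASP.NET no longer rejects paths that are not valid NTFS paths,
// so the application has to decide for itself what a segment may contain.
public static class UrlPathPolicy
{
    // Allow-list for one path segment: letters, digits, '_', '-' and '.', so a
    // segment such as "krishnakk." (trailing dot) is accepted. Anything else,
    // including ':' (NTFS alternate data streams), '\', '<', '>', '"', '|',
    // '?', '*' and control characters, is refused.
    private static readonly Regex SegmentPattern = new Regex(@"^[A-Za-z0-9_\-.]+$");

    // DOS device names are resolved by Windows whatever the extension ("NUL.txt", "CON.").
    private static readonly Regex ReservedDevice = new Regex(
        @"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\.|$)", RegexOptions.IgnoreCase);

    // Returns true when every segment of an absolute URL path passes the policy.
    public static bool IsAllowed(string path)
    {
        if (string.IsNullOrEmpty(path) || path[0] != '/') return false;

        foreach (string rawSegment in path.Split('/').Skip(1))
        {
            if (rawSegment.Length == 0) continue; // "//" or a trailing '/'

            // Decode once so "%2e%2e" is checked as "..", and refuse anything that
            // decodes to a separator, which would otherwise slip past the split.
            string segment = Uri.UnescapeDataString(rawSegment);
            if (segment.IndexOfAny(new[] { '/', '\\' }) >= 0) return false;

            if (!SegmentPattern.IsMatch(segment)) return false;
            if (segment.All(c => c == '.')) return false;      // ".", "..", "..."
            if (ReservedDevice.IsMatch(segment)) return false;
        }
        return true;
    }

    // Hook for Global.asax: call from Application_BeginRequest so a bad path is
    // rejected before any handler or Server.MapPath call can see it.
    public static void EnforceOn(HttpContext context)
    {
        string path = context.Request.RawUrl.Split('?')[0];
        if (IsAllowed(path)) return;

        context.Response.StatusCode = 400;
        context.Response.SuppressContent = true;
        context.ApplicationInstance.CompleteRequest();
    }
}
```

Wire it up with `protected void Application_BeginRequest() { UrlPathPolicy.EnforceOn(Context); }` in Global.asax. With this policy `/path1/krishnakk./path2` is accepted, while `/path1/web.config./x`, `/a/NUL./b` and `/a/%2e%2e/b` are rejected (the first because `config` is fine but the segment is still handed to your own code, see below; the others by the all-dots and device-name checks). Two caveats the validator cannot remove: Win32 path normalisation strips trailing dots and spaces, so `web.config.` names the same file as `web.config`, which means a segment that ends in '.' must stay a route value or identifier and must never be concatenated into a path given to `Server.MapPath`, `File.Open` or similar; and the allow-list above is one assumption about what the application needs, so tighten it to exactly the segments your routes expect rather than widening it later.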
