URL路径,图像处理程序和放大器; "有潜在危险的Request的值QUOT; [英] URL Routing, Image Handler & "A potentially dangerous Request.Path value"
问题描述
我已经遇到了这个问题,现在相当一段时间,并已决定尝试并获得它一劳永逸的底部被这里张贴问题的一些思考。我有一个.NET 4的网站设在这里的图像处理程序:
I've been experiencing this problem now for quite sometime and have decided to try and get to the bottom of it once and for all by posting the question here for some thought. I have an image handler in a .net 4 website located here:
<一个href="https://www.amadeupurl.co.uk/ImageHandler.ashx?i=3604">https://www.amadeupurl.co.uk/ImageHandler.ashx?i=3604 (删除隐私实际域)
https://www.amadeupurl.co.uk/ImageHandler.ashx?i=3604 (actual domain removed for privacy)
现在能正常工作和没有问题的Web服务器提供的图像,我说没有问题,因为如果我访问它工作正常的URL,加载图像,产生也不例外。不过有人做访问此网址昨天和异常大意如下提出的:
Now this works fine and serves an image from the web server without problem, I say without problem because if I access the URL it works fine, the image loads, no exception is generated. However someone did visit this exact URL yesterday and an exception was raised along the following lines:
Exception Generated
Error Message:
A potentially dangerous Request.Path value was detected from the client (?).
Stack Trace:
at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)
Technical Information:
DATE/TIME: 23/01/2013 03:50:01
PAGE: www.amadeupurl.co.uk/ImageHandler.ashx?i=3604
我理解的错误信息,那不是一个问题,我只是不明白为什么它正在这里产生,使事情变得更糟,我不能复制它,就像我说我点击加载图像的链接,也不例外。我使用的URL路由,并注册了处理程序,在此就造成一个问题,下面code的情况下被忽略:
I understand the error message, thats not a problem I just don't understand why it being generated here, to make things worse I'm unable to replicate it, like I said I click the link the image loads, no exception. I am using URL routing and registered the handler to be ignored in case this was causing an issue with the following code:
routes.Ignore("{resource}.ashx")
我不知道为什么,否则我会得到错误或什么尝试。
I'm not sure why else I would be getting the error or what else to try.
推荐答案
Asp.Net 4.0以上版本配备了一个非常严格的内置的请求验证,它的一部分是潜在的危险字符的URL可能在XSS使用攻击。下面是在URL默认无效字符:
Asp.Net 4.0+ comes with a very strict built-in request validation, part of it is the potential dangerous characters in the url which may be used in XSS attacks. Here are default invalid characters in the url :
&LT; &GT; *%&放大器; ?:\
您可以在配置文件中改变这种行为:
You can change this behavior in your config file:
<system.web>
<httpRuntime requestPathInvalidCharacters="<,>,*,%,&,:,\,?" />
</system.web>
还是回到NET 2.0验证:
Or get back to .Net 2.0 validation:
<system.web>
<httpRuntime requestValidationMode="2.0" />
</system.web>
一个很常见的无效字符%,因此,如果任何机会(攻击,网络爬虫,或者只是一些不规范的浏览器)的URL被转义您得到这样的:
A very common invalid character is %, so if by any chance (attack, web-crawlers, or just some non-standard browser) the url is being escaped you get this:
www.amadeupurl.co.uk/ImageHandler.ashx/%3Fi%3D3604
而不是此
www.amadeupurl.co.uk/ImageHandler.ashx/?i=3604
注意%3F 是转义字符?。该字符被视为无效Asp.Net请求验证并抛出一个异常:
Note that %3F is the escape character for ?. The character is considered invalid by Asp.Net request validator and throws an exception:
A potentially dangerous Request.Path value was detected from the client (?).
尽管错误消息,你看到的字符(%3F)的转义版本,这是?再次
<一个href="http://www.hanselman.com/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx">Here's在请求验证以及如何的好文章对付它
这篇关于URL路径,图像处理程序和放大器; &QUOT;有潜在危险的Request的值QUOT;的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
