Specifying a string with semicolons in UrlScan.ini


Problem description

I want to block user-agents with UrlScan on IIS 6. However, I am not able to specify a user-agent with a semicolon in the string. I think this is a very common scenario, but I can't find any answer on how to escape a semicolon in UrlScan.ini (where semicolons are used for commenting). This is the rule:

RuleList=DenyUserAgent
[DenyUserAgent]
DenyDataSection=AgentStrings
ScanHeaders=User-Agent
[AgentStrings]
Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/10.0.2

I tested it and it blocks all the user-agents that start with "Mozilla/5.0 (Windows NT 5.1" because it considers the rest of the string as a comment.

Recommended answer

It seems like you would need to URL escape it, i.e. %3B

See http://learn.iis.net/page.aspx/476/common-urlscan-scenarios/ for examples; one such example they have is blocking semicolon in the querystring to block a SQL injection attack
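
The truncation described in the question can be caught before a rule is deployed. The following Python linter is an added example, not part of the original post or of UrlScan; it assumes, as the asker observed, that everything after a `;` on a line is dropped, and that entries match as case-insensitive substrings. `SAMPLE_INI`, `lint_section` and `blocked` are hypothetical names, and the `BadBot/1.0` entry is constructed.

```python
import re

# Constructed sample: the rule from the question, plus one constructed entry
# (BadBot/1.0) that carries an intentional trailing comment.
SAMPLE_INI = """\
RuleList=DenyUserAgent
[DenyUserAgent]
DenyDataSection=AgentStrings
ScanHeaders=User-Agent
[AgentStrings]
Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/10.0.2
BadBot/1.0 ; plain trailing comment
"""

def lint_section(ini_text, section):
    """Report entries in [section] whose text is cut at a ';'."""
    findings, current = [], None
    for line_no, line in enumerate(ini_text.splitlines(), 1):
        # Assumption (behaviour reported in the question): ';' starts a comment.
        effective, sep, dropped = line.partition(";")
        effective = effective.strip()
        header = re.fullmatch(r"\[(.+)\]", effective)
        if header:
            current = header.group(1)
        elif current == section and sep and effective:
            findings.append({
                "line": line_no,
                "effective": effective,
                "dropped": dropped.strip(),
                # Heuristic: an unclosed "(" means the ';' split a UA token.
                "truncated": effective.count("(") != effective.count(")"),
            })
    return findings

def blocked(effective_entries, user_agent):
    """Assumption: entries match as case-insensitive substrings."""
    ua = user_agent.lower()
    return any(entry.lower() in ua for entry in effective_entries)

if __name__ == "__main__":
    results = lint_section(SAMPLE_INI, "AgentStrings")
    for f in results:
        kind = "TRUNCATED" if f["truncated"] else "comment"
        print(f'line {f["line"]}: {kind}: matches on {f["effective"]!r}')
    # Constructed User-Agent that differs from the intended rule after the ';'.
    other = "Mozilla/5.0 (Windows NT 5.1; rv:102.0) Gecko/20100101 Firefox/102.0"
    print("unintended block:", blocked([r["effective"] for r in results], other))
```

An entry flagged as truncated denies every client whose header contains the shortened prefix, which is the over-blocking the asker reported.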
