I have a site running on IIS 7.5 which hosts some user-generated content. Recently, I came across a file with two periods in its filename. Let's call it foo..bar.jpg. When I attempt to access it, I get a 400 error which unhelpfully just says Bad Request in plaintext.
Searching turned up almost nothing, just this question from the IIS forums where it's stated that this is intended behaviour meant to prevent accessing files outside the web application via the parent directory, ../. They provide instructions on how to disable this check, which would presumably open my site up to path traversal attacks.
This check is extremely overzealous and blocks many innocuous filenames which I want to be able to support in my application. I can come up with a few workarounds, like force renaming the files or serving them through an .ashx handler, neither of which is very appealing.
Is there any way to support URLs containing double periods via StaticFileHandler without introducing a path traversal exploit?
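
The difference between rejecting any ".." substring and rejecting ".." only as a path segment, as an added example that is not part of the original post and is not IIS's own logic. It is the kind of check a custom handler could apply before serving a file; `SubstringCheck`, `ResolveUnderRoot`, the root folder and the sample paths are hypothetical, and the input is assumed to have been URL-decoded exactly once already.

```csharp
using System;
using System.IO;

static class DotDotDemo
{
    // Substring check: the behaviour the question describes, blocks any "..".
    static bool SubstringCheck(string relPath)
    {
        return !relPath.Contains("..");
    }

    // Segment check plus containment: returns the full path, or null if rejected.
    static string ResolveUnderRoot(string root, string relPath)
    {
        if (string.IsNullOrEmpty(relPath) || relPath.IndexOfAny(new[] { ':', '\0' }) >= 0)
            return null;                       // drive letters, alternate data streams, NUL bytes
        foreach (string seg in relPath.Split('/', '\\'))
        {
            if (seg.Length == 0) return null;  // leading, trailing or doubled separator
            char last = seg[seg.Length - 1];
            // Rejects ".", ".." and "...", and names Win32 would silently trim.
            if (last == '.' || last == ' ') return null;
        }
        string rootFull = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(rootFull, relPath));
        // Defence in depth: the canonical path must still sit below the root.
        return full.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    static void Main()
    {
        string root = @"C:\inetpub\uploads";   // hypothetical content root
        // Constructed sample inputs: two harmless names, then traversal-style paths.
        string[] samples = { "foo..bar.jpg", "a/foo..bar.jpg", "../web.config",
                             "a\\..\\..\\web.config", "a/.../b.jpg", "foo.jpg.", "c:evil.jpg" };
        foreach (string s in samples)
            Console.WriteLine("{0,-24} substring={1,-5} segment={2}",
                s, SubstringCheck(s) ? "allow" : "block",
                ResolveUnderRoot(root, s) != null ? "allow" : "block");
    }
}
```

Only the first two samples pass the segment check, while the substring check blocks them along with the traversal attempts.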