0

There are lots of questions on this topic but I didn't find one for our special case ...

We have a productive site running and once in a while - about 5 to 10 times a day - we receive error notifications about potentially dangerous Request.Path values. The strange thing here is that the actual "dangerous" characters are not in the request path but in the parameters.

When looking into the request object we get values like these:

```
HttpContext.Current.Request.Url.AbsolutePath --> /relative/path/to/page
HttpContext.Current.Request.Url.Query        --> ?param1=value&param2=value
```

ASP.NET is complaining about the ? in the params:

```
Message: A potentially dangerous Request.Path value was detected from the client (?). (System.Web.HttpException)

Stacktrace:
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)
```

But from my point of view everything seems to be fine (these are indeed valid URLs and if I type them in the browser they do work).

We're also tracking the client IP and client user agent and they are mostly related to some crawlers. Is it possible that they're building an erroneous request which triggers these errors?

jor
  • How do you know this error has occurred? Who is causing the error, is the site publicly accessible? What exact request does raise that message? – CodeCaster Jun 11 '14 at 06:18
  • We added an error handler in the Global.asax and receive email notifications on errors. Yes, the site is publicly accessible. The request is as stated in the question - what else could be helpful? – jor Jun 11 '14 at 06:44

1 Answer

2

You are probably using ASP.NET 4.0 or higher. It is more 'picky' than the previous versions. The following chars are filtered by default:

< > * % & : \ ?

You are able to change these in your web.config:

```
<httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,&amp;,:,\,?" />
```

It could be that crawlers or some browsers do use escape chars which contain % like when sending a request. Some more reading on the subject: "Experiments in Wackiness: Allowing percents, angle-brackets, and other naughty things in the ASP.NET/IIS Request URL"

Peter
  • Good point Dutch fruit ;) . Can we state that the url is something like `/relative/path/to/page??param1=value&param2=value` (having double `?`)? – Patrick Hofman Jun 10 '14 at 07:31
  • No, the problem is not the filtered characters themselves but the fact that these characters do not appear in the `Request.Path` but in the `Query`. And they are absolutely allowed in there. – jor Jun 11 '14 at 06:10
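
An added example, not code from the question or the answer: an `Application_Error` handler for Global.asax that logs `Request.RawUrl` next to the decoded `Request.Path` and the first character from the default list found in it, so each notification shows what the client actually sent. The class name `Global`, the `Sanitize` helper and the use of `Trace` are assumptions, as is recognizing the failure by its message text.

```csharp
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    // The default list quoted in the answer above.
    private static readonly char[] PathInvalidChars =
        { '<', '>', '*', '%', '&', ':', '\\', '?' };

    protected void Application_Error(object sender, EventArgs e)
    {
        var ex = Server.GetLastError() as HttpException;
        // Assumption: path validation failures are told apart by the
        // "Request.Path" text in the message, as in the error on this page.
        if (ex == null ||
            ex.Message.IndexOf("Request.Path", StringComparison.Ordinal) < 0)
        {
            return; // some other error: leave it to the existing handling
        }

        HttpRequest req = Request;
        string decodedPath = req.Path; // the decoded path the check ran on
        int pos = decodedPath.IndexOfAny(PathInvalidChars);
        string offending = pos >= 0
            ? string.Format("'{0}' (U+{1:X4}) at index {2}",
                            decodedPath[pos], (int)decodedPath[pos], pos)
            : "none found in Request.Path";

        // RawUrl is the target as the client sent it, so it can be compared
        // with the Url.AbsolutePath and Url.Query values shown in the question.
        Trace.TraceWarning(
            "Path validation failed. RawUrl={0} Path={1} Offending={2} " +
            "Query={3} IP={4} UA={5}",
            Sanitize(req.RawUrl), Sanitize(decodedPath), offending,
            Sanitize(req.Url.Query), req.UserHostAddress,
            Sanitize(req.UserAgent));
    }

    // Keep client-controlled values on a single log line.
    private static string Sanitize(string value)
    {
        return (value ?? string.Empty).Replace("\r", "\\r").Replace("\n", "\\n");
    }
}
```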