ASP.NET MVC "Potentially dangerous Request.Path" with valid URL
<p>On my production ASP.NET MVC 3 site, I've been noticing the occasional "A potentially dangerous Request.Path value was detected from the client (%)." unhandled exception in the Windows application log.</p>
<p>While these can be perfectly valid under regular site usage (i.e. random web bots), a number of the requests appear to be from valid, local ISP users.</p>
<p>In the exception's request details, the Request URL is different than the Request path:</p>
<blockquote> <p>Request URL: <a href="http://www.somesite.com/Images/Image" rel="nofollow">http://www.somesite.com/Images/Image</a> With Space.jpg</p> <p>Request path: /Images/Imagehttp://www.somesite.com/Images/Image With Space.jpgWithhttp://www.somesite.com/Images/Image With Space.jpgSpace.jpg</p> </blockquote>
<p>Notice that in the "request path", any place there is a "space" in the path is replaced with an exact copy of the request URL!</p>
<p>Within the site, the actual link looks like this:</p>
<pre><code>&lt;img src="/Images/Image%20With%20Space.jpg" /&gt; </code></pre>
<p>Any idea what might be causing this? I tried to look at the documentation for Request.Path and Request.Url, but I can't figure out why they would be different. Hitting the Request URL directly brings up the resource correctly.</p>
<p>Update: I managed to get a trace of one of the malfunctioning requests by using IIS 7.0's Failed Request Tracing feature:</p>
<blockquote> <p>Referer: Google search</p> <p>User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3</p> <p>RequestURL: <a href="http://www.somesite.com:80/Images/Image%20With%20Space.jpg" rel="nofollow">http://www.somesite.com:80/Images/Image%20With%20Space.jpg</a></p> </blockquote>
<p>Typing the URL manually into my iOS 5.1.1 brings up the image correctly. Searching for the image in Google Images brings up the image correctly. Still no successful reproduction.</p>
<p>Partway down the trace I see:</p>
<blockquote> <p>MODULE_SET_RESPONSE_ERROR_STATUS Warning. ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", HttpStatus="404", HttpReason="Not Found", HttpSubStatus="11",</p> </blockquote>
<p>According to IIS' documentation, 404.11 from the Request Filtering module is a "double encoding" error in the URL. Experimenting a bit, if I purposefully create a double encoded URL such as <a href="http://www.somesite.com/Images/Image%2520With%2520Space.jpg" rel="nofollow">http://www.somesite.com/Images/Image%2520With%2520Space.jpg</a> I get the exact error in the event log, complete with malformed Request Path.</p>
<p>The malformed Request Path in the event log error appears to be a bug in ASP.NET 4.0.</p>
<p>It doesn't, however, explain why I'm getting the error in the first place. I checked a large number of failed request logs - the only common factor is that they're all using AppleWebKit. Could it be a bug in Safari?</p>
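An added example, not part of the original post: a Python sketch that flags logged request paths which still change on a second percent-decode (an approximation of the double-encoding condition behind 404.11) and tallies them by browser engine, the comparison the post describes doing by hand. The log layout, sample lines and function names are constructed for illustration.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed sample log: "status substatus uri-stem user-agent" per line.
# The layout is an assumption for this example, not a real IIS log format.
SAMPLE_LOG = """\
200 0 /Images/Image%20With%20Space.jpg Mozilla/5.0+(Windows+NT+6.1)+Gecko/20100101+Firefox/14.0
404 11 /Images/Image%2520With%2520Space.jpg Mozilla/5.0+(iPad;+CPU+OS+5_1_1)+AppleWebKit/534.46
404 11 /Images/Image%2520With%2520Space.jpg Mozilla/5.0+(iPhone;+CPU+iPhone+OS+5_1)+AppleWebKit/534.46
404 0 /Images/Missing.jpg Mozilla/4.0+(compatible;+MSIE+8.0;+Trident/4.0)
"""

ENGINES = ("AppleWebKit", "Gecko", "Trident")  # checked in this order


def is_double_escaped(path):
    """True if the path still changes on a second percent-decode.

    Approximates the idea behind 404.11; IIS's own normalization differs in detail.
    """
    once = unquote(path)
    return unquote(once) != once


def engine(agent):
    """Map a user-agent string to the first known engine token it contains."""
    return next((name for name in ENGINES if name in agent), "other")


def triage(log_text):
    """Return one record per request whose path is double-escaped."""
    flagged = []
    for line in log_text.splitlines():
        status, substatus, stem, agent = line.split(" ", 3)
        if is_double_escaped(stem):
            flagged.append({
                "stem": stem,
                "decoded_once": unquote(stem),  # the singly encoded form of the path
                "status": f"{status}.{substatus}",
                "engine": engine(agent),
            })
    return flagged


def engines(flagged):
    """Count flagged requests per browser engine."""
    return Counter(rec["engine"] for rec in flagged)


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
    print(engines(triage(SAMPLE_LOG)))
```
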
 
