When requesting this URL:
http://www.mylocalsite.com/en/product_images/view/page:2
MVC throws an exception and there is no way to catch it.
System.NotSupportedException
The given path's format is not supported.
This also happens for this kind of malformed URL:
http://www.mylocalsite.com/buy/some-thing/http:/www.mylocalsite.com/buy/some-thing/1-ABCD
at System.Security.Util.StringExpressionSet.CanonicalizePath(String path, Boolean needFullPath)
at System.Security.Util.StringExpressionSet.CreateListFromExpressions(String[] str, Boolean needFullPath)
at System.Security.Permissions.FileIOPermission.AddPathList(FileIOPermissionAccess access, AccessControlActions control, String[] pathListOrig, Boolean checkForDuplicates, Boolean needFullPath, Boolean copyPathList)
at System.Security.Permissions.FileIOPermission.AddPathList(FileIOPermissionAccess access, String[] pathListOrig, Boolean checkForDuplicates, Boolean needFullPath, Boolean copyPathList)
at System.Security.Permissions.FileIOPermission..ctor(FileIOPermissionAccess access, String path)
at System.Web.HttpRequest.MapPath(VirtualPath virtualPath, VirtualPath baseVirtualDir, Boolean allowCrossAppMapping)
at System.Web.HttpServerUtility.Execute(IHttpHandler handler, TextWriter writer, Boolean preserveForm, Boolean setPreviousPage)
at System.Web.HttpServerUtilityWrapper.Execute(IHttpHandler handler, TextWriter writer, Boolean preserveForm)
at System.Web.Mvc.ViewPage.RenderView(ViewContext viewContext)
at System.Web.Mvc.ViewResultBase.ExecuteResult(ControllerContext context)
at System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass1c.<InvokeActionResultWithFilters>b__19()
at System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilter(IResultFilter filter, ResultExecutingContext preContext, Func1 continuation)
at System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilter(IResultFilter filter, ResultExecutingContext preContext, Func1 continuation)
at System.Web.Mvc.ControllerActionInvoker.InvokeActionResultWithFilters(ControllerContext controllerContext, IList`1 filters, ActionResult actionResult)
at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)
Comments: I suppose IIS request filtering would work. But performance will suffer for ALL requests. And I would like a user trying to open http://www.mylocalsite.com/en/product_images/view/page:2 to either go to http://www.mylocalsite.com/en/product_images/view/page or to be shown an HTTP 404. But certainly not an HTTP 500 error! If it is not in the HTTP spec, why does Apache/PHP handle it nicely? And why do you not? Btw, requestPathInvalidCharacters does not work for removing the ":". Look at the .NET source code. You will see that in StringExpressionSet.CanonicalizePath (in System.Security.Util): if(value.Contains(":")) throw new SomeException() No check against any invalidcharacters variable here. Nothing to do with ASP.NET MVC. System.Security is in the core .NET framework.
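One way to get the 404 asked for above, shown as an added example that is not part of the original report or of ASP.NET: an IHttpModule that answers any request whose path contains ":" before the view's MapPath call in the stack trace is reached. The class name ColonPathGuardModule and the helper IsMappablePath are hypothetical.

```csharp
using System;
using System.Web;

// Added example (hypothetical names). Returns 404 for request paths that
// contain ':' so they never reach HttpRequest.MapPath, where the
// NotSupportedException in the stack trace above is raised.
public sealed class ColonPathGuardModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        // BeginRequest runs before routing, the controller and the view.
        application.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // Request.Path is the virtual path only: no scheme, host or query
        // string, so the ':' of "http://" or of a port never appears here.
        if (IsMappablePath(context.Request.Path))
        {
            return;
        }

        // Answer with 404 rather than redirecting to a "cleaned" path:
        // a Location header built from request data is an open-redirect
        // risk (a path starting with "//" is a protocol-relative URL).
        context.Response.StatusCode = 404;
        context.Response.SuppressContent = true;
        context.ApplicationInstance.CompleteRequest();
    }

    // Both URLs from the report ("/view/page:2" and the one with an
    // embedded "http:/") fail this check; ordinary routes pass it.
    public static bool IsMappablePath(string path)
    {
        return path != null && path.IndexOf(':') < 0;
    }

    public void Dispose()
    {
    }
}
```

The module takes effect once it is registered in web.config, under httpModules for classic mode or under system.webServer/modules for IIS 7 integrated mode.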