Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
786 views
in Technique[技术] by (71.8m points)

asp.net mvc - Any potential security risks with turning on relaxedUrlToFileSystemMapping to allow URLs having part ending with '.'?

We are having an issue where our application fails when the URL has any part ending with '.' in it'; we can't avoid this due to functional requirements. The suggested solution is to turn on relaxedUrlToFileSystemMapping in web.config file. We would like to know if there are any potential security risks with this approach.

Format of failing URL: http://server.com/path1/krishnakk./path2

It returns a 404 error.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Even though this question is seven months old, here's an answer in case anyone else comes across a situation like this.

Regarding the security part of the question, by default relaxedUrlToFileSystemMapping is set to false, and ASP .NET assumes that the path portion of a URL is a valid NTFS file path. If you disable this by setting relaxedUrlToFileSystemMapping to true, then you are potentially opening your site up to attack because you're disabling the default protection provided by ASP .NET.

If you absolutely need to set relaxedUrlToFileSystemMapping to true you should also be sure that you validate all URLs within the constraints of your application's requirements.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...