Ampersand in URL

I have a strange problem with IIS 6 (Server 2003) and IIS 7 (Vista).

I have a site with a web.config as follows:





type="TrafficLogger.GetFile,TrafficLogger" />





modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET
\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" />




There is a TrafficLogger.dll in the bin folder.
This program logs the request and returns a stream.
When I request a missing file, it returns a 404 error.

For example, when I request http://localhost/Test/toto.zip
I get a 404 error.
But when I request http://localhost/Test/toto&.zip
I get a 400 error, and the DLL is not called, and the URL is not
logged in Windows\System32\LogFiles\HTTPERR\

Doing more tests, I discovered that the following characters were
refused by IIS:
" % & * : < > ? |
plus ASCII codes 0 to 31 and 127, 129, 141, 143, 144 and 157

I have no doubt this is a security feature of IIS, so my question is:
how could I catch requests with these characters ?
(And no, don't suggest %26 for &, it doesn't work either !).
Am I missing a hidden setting in the web.config ?

JC

Re: Ampersand in URL

Hi,

The ampersand is a reserved character[1] and should be encoded. If it is
encoded, it works, atleast on my IIS 6 server.

I do however not know how ASP.NET handle this (i cannot imagine however
that it does not properly handle encoded characters), or if your code
cannot handle encoding. But a default installation of IIS have no problems
serving files with an ampersand in the file name.

[1] See section 2.2
http://www.faqs.org/rfcs/rfc2396.html


--
Regards,
Kristofer Gafvert
http://www.gafvert.info/iis/ - IIS Related Info


jcmeyrignac@gmail.com wrote:

>I have a strange problem with IIS 6 (Server 2003) and IIS 7 (Vista).
>
>I have a site with a web.config as follows:
>
>
>
>
>
> >type="TrafficLogger.GetFile,TrafficLogger" />
>
>
>
>
>
> >modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET
>\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" />
>
>
>
>
>There is a TrafficLogger.dll in the bin folder.
>This program logs the request and returns a stream.
>When I request a missing file, it returns a 404 error.
>
>For example, when I request http://localhost/Test/toto.zip
>I get a 404 error.
>But when I request http://localhost/Test/toto&.zip
>I get a 400 error, and the DLL is not called, and the URL is not
>logged in Windows\System32\LogFiles\HTTPERR\
>
>Doing more tests, I discovered that the following characters were
>refused by IIS:
>" % & * : < > ? |
>plus ASCII codes 0 to 31 and 127, 129, 141, 143, 144 and 157
>
>I have no doubt this is a security feature of IIS, so my question is:
>how could I catch requests with these characters ?
>(And no, don't suggest %26 for &, it doesn't work either !).
>Am I missing a hidden setting in the web.config ?
>
>JC

Re: Ampersand in URL

Sorry for my slow reply (I didn't get your answer).

Yes, IIS is able to retrieve files with ampersands, but NOT when I'm
using a WebServer handler !
How could I disable URL filtering by IIS in the Web.config ?

JC

On Nov 13, 6:33 pm, "Kristofer Gafvert"
wrote:
> Hi,
>
> The ampersand is a reserved character[1] and should be encoded. If it is
> encoded, it works, atleast on my IIS 6 server.
>
> I do however not know how ASP.NET handle this (i cannot imagine however
> that it does not properly handle encoded characters), or if your code
> cannot handle encoding. But a default installation of IIS have no problems
> serving files with an ampersand in the file name.
>
> [1] See section 2.2http://www.faqs.org/rfcs/rfc2396.html
>
> --
> Regards,
> Kristofer Gafverthttp://www.gafvert.info/iis/- IIS Related Info
>
> jcmeyrig...@gmail.com wrote:
> >I have a strange problem with IIS 6 (Server 2003) and IIS 7 (Vista).
>
> >I have a site with a web.config as follows:
>
> >There is a TrafficLogger.dll in the bin folder.
> >This program logs the request and returns a stream.
> >When I request a missing file, it returns a 404 error.
>
> >For example, when I requesthttp://localhost/Test/toto.zip
> >I get a 404 error.
> >But when I requesthttp://localhost/Test/toto&.zip
> >I get a 400 error, and the DLL is not called, and the URL is not
> >logged in Windows\System32\LogFiles\HTTPERR\
>
> >Doing more tests, I discovered that the following characters were
> >refused by IIS:
> >" % & * : < > ? |
> >plus ASCII codes 0 to 31 and 127, 129, 141, 143, 144 and 157
>
> >I have no doubt this is a security feature of IIS, so my question is:
> >how could I catch requests with these characters ?
> >(And no, don't suggest %26 for &, it doesn't work either !).
> >Am I missing a hidden setting in the web.config ?
>
> >JC

Re: Ampersand in URL

I would suggest that you ask this in an ASP.NET newsgroup because the
problem seems to with ASP.NET and not IIS. IIS properly handles encoded
ampersands.

--
Regards,
Kristofer Gafvert
http://www.gafvert.info/iis/ - IIS Related Info


skrev i meddelandet
news:d4515207-26e9-4aff-8fd8-df34b1c0d377@w28g2000hsf.google groups.com...
> Sorry for my slow reply (I didn't get your answer).
>
> Yes, IIS is able to retrieve files with ampersands, but NOT when I'm
> using a WebServer handler !
> How could I disable URL filtering by IIS in the Web.config ?
>
> JC
>
> On Nov 13, 6:33 pm, "Kristofer Gafvert"
> wrote:
>> Hi,
>>
>> The ampersand is a reserved character[1] and should be encoded. If it is
>> encoded, it works, atleast on my IIS 6 server.
>>
>> I do however not know how ASP.NET handle this (i cannot imagine however
>> that it does not properly handle encoded characters), or if your code
>> cannot handle encoding. But a default installation of IIS have no
>> problems
>> serving files with an ampersand in the file name.
>>
>> [1] See section 2.2http://www.faqs.org/rfcs/rfc2396.html
>>
>> --
>> Regards,
>> Kristofer Gafverthttp://www.gafvert.info/iis/- IIS Related Info
>>
>> jcmeyrig...@gmail.com wrote:
>> >I have a strange problem with IIS 6 (Server 2003) and IIS 7 (Vista).
>>
>> >I have a site with a web.config as follows:
>>
>> >There is a TrafficLogger.dll in the bin folder.
>> >This program logs the request and returns a stream.
>> >When I request a missing file, it returns a 404 error.
>>
>> >For example, when I requesthttp://localhost/Test/toto.zip
>> >I get a 404 error.
>> >But when I requesthttp://localhost/Test/toto&.zip
>> >I get a 400 error, and the DLL is not called, and the URL is not
>> >logged in Windows\System32\LogFiles\HTTPERR\
>>
>> >Doing more tests, I discovered that the following characters were
>> >refused by IIS:
>> >" % & * : < > ? |
>> >plus ASCII codes 0 to 31 and 127, 129, 141, 143, 144 and 157
>>
>> >I have no doubt this is a security feature of IIS, so my question is:
>> >how could I catch requests with these characters ?
>> >(And no, don't suggest %26 for &, it doesn't work either !).
>> >Am I missing a hidden setting in the web.config ?
>>
>> >JC
>