User260983704 posted
I've installed the patch and added the necessary entry to the UrlScan.ini to deny the ?aspxerrorpath= query string variable.
However, this has caused every error to cause a redirect loop because ?aspxerrorpath= is still being added to every error page that gets thrown.
How can I tell IIS to stop adding this query string to the error pages? It's causing the redirect loop ... consider this scenario:
The
default behavior is to send the user to the /Error?aspxerrorpath=/originalpath
- Customer requests a page that doesn't exist
- They get the 404 page and are sent to /Error?aspxerrorpath=/some-404-path
- BUT then the ?aspxerrorpath= query string is being denied by the UrlScan feature
- The UrlScan feature, detects this and then sends the
user to /Rejected-By-UrlScan
- But there is no Controller or Page located at /Rejected-By-UrlScan,
so it sends to another error, which is
/Error?aspxerrorpath=/Rejected-By-UrlScan - But then once again, the ?aspxerrorpath= query string is included in the request and it sends them to the same page again -- causing
the redirect loop
I've run the check script that Scott Gu posted and my sites are configured correctly as far as custom error pages and not having separate error statuses go to different pages.
