Ampersand in URL filename = bad request.

  • Question

  • User-29225178 posted

    Hi there.

    I have a .NET module that Handles .CustX files and performs some special processing.

    The problem I'm running into is when I use the ampersand & in the file name, a BAD REQUEST error is thrown.

    For example:
    http://MyWebsite.com/You&Me.custx   will throw a BAD REQUEST error.
    http://MyWebsite.com/You%26Me.custx   will throw the same error.

    I think this is being rejected by the .NET engine, and not IIS6.

    I'm actually encoding the ampersand into the %26 string, but the request still gets rejected.

    Please note this has nothing to do with a QueryString issue; it's the ampersand in the actual file name.


    The question is: Is there a way to use the ampersand in the URL, as shown in the examples above ?

    I know there are several workarounds:
    - Removing the ampersand.
    - Replacing the ampersand.
    - Hating the ampersand.

    But I really want to know if there is a setting somewhere I can toggle for the .NET to start accepting the url encoded ampersand in the url.

    Thanks for your help :)

    Sincerely,
    Agustin Garzon

    Thursday, January 15, 2009 4:00 PM


All replies

  • User437720957 posted

    http://dirk.net/2008/06/09/ampersand-the-request-url-in-iis7/

    Applies to IIS6 as well.

    Thursday, January 15, 2009 4:42 PM
  • User-29225178 posted
    Been there. Done that.

    None of those solutions help. The second approach applies to .NET Framework 1.1.
    Nonetheless, I added the suggested DWORDs on both solutions, restarted the server, nothing happened, 400 BAD REQUEST.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

    The file is being rejected by the .NET Engine. Which leads me to the original question:
    Is there a setting somewhere I can toggle ON for the .NET to start accepting the encoded ampersand in the url?

    And the next one:
    What are all the special characters that will be rejected I should be aware of?

    Thanks for your help.

    Sincerely,
    Agustin Garzon

     

    Thursday, January 15, 2009 7:13 PM
  • User1566012831 posted

    I'm not sure if this applies in your situation, but a vanilla ampersand is actually illegal in XML, upon which ASP.NET is based.  For URLs in .aspx files, be sure to encode them with "&amp;" 

    OTOH, if you're seeing errors with incoming URLs with ampersands, does the request make it into the .NET page processing pipeline before being rejected?  If so, perhaps you could use URL rewriting as a work-around?

     

    Thursday, January 15, 2009 7:27 PM
  • User-29225178 posted

    The request is rejected as a BAD REQUEST whatever the way you encode the ampersand.

    Rejected: http://forums.asp.net/You%26Me.aspx
    Rejected: http://forums.asp.net/You&amp;Me.aspx
    Rejected: http://forums.asp.net/You&Me.aspx

    Click on those links to see what I mean.

    The request never reaches the .NET page processing pipeline. The earliest point I was able to test was in the Application_BeginRequest, but the request never makes it through to that point.

    I guess I'll have to use some sort of encoding to represent file names as something completely different when they contain ampersands in the URL.

    I would like to know what other characters I should be aware of.

    Not to mention the actual solution would be great too :)

    Have a nice day,
    Agustin Garzon

    Friday, January 16, 2009 8:10 AM
  • User437720957 posted

    "Is there a setting somewhere I can toggle ON for the .NET to start accepting the encoded ampersand in the url?"

    The VerificationCompatibility value is that toggle.

    Maybe you're running on a 64-bit server? In that case you should set the value in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ASP.NET\

    It's not an encoding issue or related to XML (ASP.NET is not based on XML, really :)), it's just one of those extra security measures that Microsoft has put in, since evil URLs have often been used as an attack vector.

    From what I've seen, you should avoid ampersands, colons and percent signs.

    You could perhaps just replace "&" with "and", and if you still want your files to be named with "&", you could use URL rewriting (in ASP.NET, not in IIS) to handle that. Or the exact opposite, perform the rewriting in IIS (using an ISAPI filter) before it reaches ASP.NET.

     

    Friday, January 16, 2009 2:42 PM
  • User1566012831 posted

    Hmm.  Interesting problem.  I don't have an answer for you, but here's a little info that might help.

    Ampersands in URLs work fine in Cassini, so I don't think the filtering is happening at the ASP.NET level.

    http.sys rejects requests that contain certain characters, although I don't think ampersand is among them.  See the following page for instructions on how to disable that check using the AllowRestrictedChars registry setting: http://support.microsoft.com/kb/820129/en-us

    If you're running IIS 7, you might try turning off Modules to see if you can find one that's the culprit.

     

    Friday, January 16, 2009 9:08 PM
  • User437720957 posted

    "Ampersands in URLs work fine in Cassini, so I don't think the filtering is happening at the ASP.NET level."

    I believe it's in the ASP.NET ISAPI DLL, i.e. the connector between IIS and ASP.NET.

    Saturday, January 17, 2009 6:58 AM
  • User-29225178 posted

    Thanks a lot for your replies.

    It's a Windows 2003 server, 32 bits.

    I have added those keys but the problem persists.
    DWORD AllowRestrictedChars with a hex value of 1, located on the root of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
    DWORD VerificationCompatibility with a hex value of 1, located on the root of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET

    Indeed, this issue doesn't affect the Cassini server.

    I could replace the ampersand with the word "and", but then I would have to check if a file exists with either the ampersand or the word "and". If both exist... conflict.

    Anyway, I can come up with a way to rewrite the troublesome filenames, with an MD5 hash perhaps.
    But do you know what characters, other than the ampersand, would trigger the error ?

    Thanks for your support.

    Cordially,
    Agustin Garzon.

    Saturday, January 17, 2009 11:18 AM
  • User1566012831 posted
    It looks like there might be a hotfix for this: http://support.microsoft.com/kb/932552
    Saturday, January 17, 2009 6:13 PM
  • User437720957 posted

    "But do you know what characters, other than the ampersand, would trigger the error ?"

    Colons and percent signs are the other two valid URL characters that ASP.NET doesn't like.

     

    Monday, January 19, 2009 3:42 AM
  • User-29225178 posted

    Hmmm... thanks for sharing the finding.

    I'm not sure if that hot fix would help with the ampersand and other special characters, and the error that hot fix addresses seems different to the plain Bad Request error.
    That hotfix (Nov 2007) should already be included in the latest .NET Service Pack.
    I might test it in a virtual computer, but definitely wouldn't apply it in the actual server.

    I'll perform some rewriting or encoding of file names when they contain special characters.

    Thanks for your advice, I thought this would be a simpler one!

    Sincerely,
    Agustin Garzon

    Monday, January 19, 2009 2:48 PM
  • User437720957 posted

     It should be simple...

    I just tried the VerificationCompatibility setting (only) on one of our Win2003/IIS6 servers and it worked as advertised.

    1. Created a simple aspx named "Form&.aspx" and made sure the site ran with ASP.NET 2.0 settings and application pool
    2. Accessed http://server/Form&.aspx
    3. Got "Bad request"
    4. Added the VerificationCompatibility DWORD
    5. Restarted IIS (iisreset command)
    6. Accessed http://server/Form&.aspx
    7. Success

     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, January 19, 2009 5:23 PM
  • User-29225178 posted

    No luck.

    Added the VerificationCompatibility DWORD on the root of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET and added it too on the root HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\2.0.50727.0

    Restarted the server. Issue is still there: http://www.bluetonemedia.com/Test&.aspx

    I'll implement the rewriting-filename encoding anyway.

    Thanks for your help :)

    Sincerely,
    Agustin.

    Tuesday, January 20, 2009 11:39 AM
  • User-1184619958 posted

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ASP.NET. Added DWORD VerificationCompatibility = 1

     

    And it worked like a charm on Windows 64 bit, IIS 32 bit.

    Tuesday, January 19, 2010 12:27 AM
  • User-285243853 posted

    Hi,

       You have to do an IISReset after changing these registry values. Otherwise they don't take effect.

    hth

       

    Thursday, September 29, 2011 8:58 AM
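
Added example, not written by any poster in this thread: a read-only PowerShell check that reports where the two values discussed above (VerificationCompatibility and AllowRestrictedChars) are set, using only the registry paths quoted in the posts. Both values relax URL checks that exist as a security measure, so it is worth knowing on which servers and in which registry view they are present. The function name `Get-UrlCheckOverride` and the `State` labels are made up for this example.

```powershell
# Added example: report the URL-check overrides named in this thread.
# Run from a 64-bit PowerShell on 64-bit Windows so that the Wow6432Node path
# is the 32-bit view and the plain SOFTWARE path is the 64-bit view.
# The posts say the values only take effect after iisreset, so the registry
# state shown here may be newer than what the running IIS process is using.
$targets = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\ASP.NET';             Name = 'VerificationCompatibility' }
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\ASP.NET'; Name = 'VerificationCompatibility' }
    # Location one poster also tried, without success; reported so stray values are found.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\ASP.NET\2.0.50727.0'; Name = 'VerificationCompatibility' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'; Name = 'AllowRestrictedChars' }
)

function Get-UrlCheckOverride {
    param([hashtable[]]$Targets)

    foreach ($t in $Targets) {
        $value = $null
        if (Test-Path -LiteralPath $t.Path) {
            # SilentlyContinue: a missing value is an expected result, not an error.
            $item = Get-ItemProperty -LiteralPath $t.Path -Name $t.Name -ErrorAction SilentlyContinue
            if ($item) { $value = $item.($t.Name) }
        }

        # 1 is the value used throughout the thread to switch the override on.
        $state = if ($null -eq $value) { 'not set' }
                 elseif ($value -eq 1)  { 'override enabled' }
                 else                   { 'present, not 1' }

        New-Object PSObject -Property @{
            Path  = $t.Path
            Name  = $t.Name
            Value = $value
            State = $state
        } | Select-Object Path, Name, Value, State
    }
}

Get-UrlCheckOverride -Targets $targets | Format-Table -AutoSize
```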