Asked by:
A potentially dangerous Request.Path value was detected from the client (:)

Question
-
User1649736104 posted
Hi Everyone
I'm facing the below error when accessing a URL with 3 forward slash through iis reverse proxy.
Sample URL : http://192.168.0.134/activity/documents.w3p;pioiid=dma%3A%2F%2F%2F45e6b900-8929-11d4-b772-0050da06bfb4%2F7bd350da-c9ee-4565-8000-2cbc18041961%2F%3Bguid%3Df2e18eef-35cd-4797-8a6d-54e8ab1d0147%3Bclass%3DProject
can someone please help me to resolve this ? we cannot change the URL.
Server Error in '/' Application.
A potentially dangerous Request.Path value was detected from the client (:).
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (:).
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (:).] System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +11995904 System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +54
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.2106.0
Friday, April 30, 2021 9:41 AM
All replies
-
User1065476709 posted
Hi mrbot,
After.NET 4.0, if the url contains some special characters, it will occur this error. I did not find the special character ":" in your URL, but I found the special character ";". You can either try to remove the special character and try again, or you can fix this error either by encoding your URL or by modifying your web.config file as:
<system.web> <httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" /> <pages validateRequest="false" /> </system.web>
Best regards,
Sam
Monday, May 3, 2021 1:59 AM -
User1649736104 posted
Hi Sam,
I have modified web.config as suggested, now i'm getting a bad URL error message.
Bad Request - Invalid URL
HTTP Error 400. The request URL is invalid.
We have special character ":" in the URL.
the highlighted section refers to dms:///
after updating the web.config with the below changes.
<system.web>
<httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" /> <pages validateRequest="false" /> </system.web>
the triple forward slash "///" in the URL got changed to single forward "/" slash that results the invalid URL.
sample URL below.
Could not connect to object with oiid of 'dma:/45e6b900-8929-11d4-b772-0050da06bfb4%2F7bd350da-c9ee-4565-8000-2cbc18041961%2F'
Is there an option where we can pass through this URL in IIS without changing the "///" to "/"
Monday, May 3, 2021 10:34 AM -
User1065476709 posted
Hi mrbot,
We have special character ":" in the URL.http://192.168.0.134/activity/documents.w3p;pioiid=dma%3A%2F%2F%2F45e6b900-8929-11d4-b772-0050da06bfb4%2F7bd350da-c9ee-4565-8000-2cbc18041961%2F%3Bguid%3Df2e18eef-35cd-4797-8a6d-54e8ab1d0147%3Bclass%3DProjectIn your url, except behind http, I did not find special character ":".
the highlighted section refers to dms:///The highlighted section of your URL is "dma%3A%2F%2F%2F", I did not find the "dms:///" you referenced.
the triple forward slash "///" in the URL got changed to single forward "/" slash that results the invalid URL.Normally, the browser will automatically convert "///" to "/".
Best regards,
Sam
Tuesday, May 4, 2021 3:05 AM -
User1649736104 posted
Hi Sam,
The URL is partially encoded one. Below is another sample URL.
As per the ASCI encoding this url part
2) dma:///45e6b900-8929-11d4-b772-0050da06bfb4/7bd350da-c9ee-4565-8000-2cbc18041961
was converted as below.
3) http://192.168.0.134/reports/launch.w3p;roiid=dma%3A%2F%2F%2F45e6b900-8929-11d4-b772-0050da06bfb4%2F7bd350da-c9ee-4565-8000-2cbc18041961
when 3rd URL is passed through IIS reverse proxy %2F%2F%2F is getting replaced as %2F. That's resulting request URL as invalid
is there a way where i can retain the encoding part of URL after http://192.168.0.134/reports/launch.w3p;
when passed through IIS reverse proxy ? Something like
if the URL contains "roiid=dma" then
http://192.168.0.134/reports/launch.w3p;{UrlEncode:{roiid=dma%3A%2F%2F%2F45e6b900-8929-11d4-b772-0050da06bfb4%2F7bd350da-c9ee-4565-8000-2cbc18041961}}
and preserve %2F%2F%2F
and Final URL as below ?
http://192.168.0.134/reports/launch.w3p;roiid=dma%3A%2F%2F%2F45e6b900-8929-11d4-b772-0050da06bfb4%2F7bd350da-c9ee-4565-8000-2cbc18041961
Friday, May 7, 2021 9:43 AM -
User1065476709 posted
Hi mrbot,
As per the ASCI encoding this url part
2) dma:///45e6b900-8929-11d4-b772-0050da06bfb4/7bd350da-c9ee-4565-8000-2cbc18041961
was converted as below.
3) http://192.168.0.134/reports/launch.w3p;roiid=dma%3A%2F%2F%2F45e6b900-8929-11d4-b772-0050da06bfb4%2F7bd350da-c9ee-4565-8000-2cbc18041961
when 3rd URL is passed through IIS reverse proxy %2F%2F%2F is getting replaced as %2F. That's resulting request URL as invalid
is there a way where i can retain the encoding part of URL after http://192.168.0.134/reports/launch.w3p;
when passed through IIS reverse proxy ? Something like
You can try to use url rewriting. how do you generate such a complicated URL?
Best regards,
Sam
Tuesday, May 11, 2021 9:53 AM -
User1649736104 posted
samwu
You can try to use url rewriting. how do you generate such a complicated URL?i have tried a rule as below,
<action type="Rewrite" url="http://192.168.0.134/{UrlEncode:{REQUEST_URI}}" /> <serverVariables> <set name="REQUEST_URI" value="{ENCODED_URL}" /> <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" /> <set name="HTTP_ACCEPT_ENCODING" value="" /> </serverVariables>
http://192.168.0.134/reports/launch.w3p;roiid=dma%3A%2F%2F%2F45e6b900-8929-11d4-b772-0050da06bfb4%2F7bd350da-c9ee-4565-8000-2cbc18041961
what happens is everything after the above yellow highlighted part got encoded as below red highlighted.
http://192.168.0.134/%252Freports%252Flaunch.w3p%253Broiid%253Ddma%253A%252F45e6b900-8929-11d4-b772-0050da06bfb4%252F7bd350da-c9ee-4565-8000-2cbc18041961
Is it possible to write a rewrite rule which can retain this "roiid=dma%3A%2F%2F%2F45e6b900-8929-11d4-b772-0050da06bfb4%2F7bd350da-c9ee-4565-8000-2cbc18041961" for the URL ?
Could you please provide me a rule for doing this ?
Friday, May 14, 2021 2:30 PM -
User1065476709 posted
Hi mrbot,
http://192.168.0.134/reports/launch.w3p;roiid=dma%3A%2F%2F%2F45e6b900-8929-11d4-b772-0050da06bfb4%2F7bd350da-c9ee-4565-8000-2cbc18041961
what happens is everything after the above yellow highlighted part got encoded as below red highlighted.
http://192.168.0.134/%252Freports%252Flaunch.w3p%253Broiid%253Ddma%253A%252F45e6b900-8929-11d4-b772-0050da06bfb4%252F7bd350da-c9ee-4565-8000-2cbc18041961
Is it possible to write a rewrite rule which can retain this "roiid=dma%3A%2F%2F%2F45e6b900-8929-11d4-b772-0050da06bfb4%2F7bd350da-c9ee-4565-8000-2cbc18041961" for the URL ?
You can try this rule:
<rule name="test1" stopProcessing="true">
<match url="(.*)" /> <conditions> <add input="{HTTP_HOST}" pattern="192.168.0.134" /> <add input="{REQUEST_URI}" pattern="^/reports/launch.w3p;(.*)$" /> </conditions> <action type="Redirect" url="http://192.168.0.134/{C:1}" /> </rule>Best regards,
Sam
Tuesday, May 18, 2021 9:57 AM