IIS 7 Bad Request response when %0A exists in the URL
I have an application that was supposed to accept unsafe characters from Salesforce. They are %0A and %0D (so far...) and they're not working.
I've开发者_开发技巧 set allowDoubleEscaping
to true
, requestValidationMode
to 2.0
, requestPathInvalidCharacters
to BLANK
, relaxedUrlToFileSystemMapping
to true
and maxRequestLength
to 1024
.
It didn't work. Then I tried setting a custom error for 400 to redirect to the same page without passing it the data Salesforce was sending. Also didn't work.
Then I tried doing the same through the IIS 7 Error Pages section and it still didn't work.
How can I:
- Get the app to accept the characters?
- Or get the app/IIS to redirect to the same page for manual entry?
All of this is in an ASP.NET MVC 3 application, but I doubt that matters because its probably IIS stopping it before it even calls the ASP.NET runtime.
I'd appreciate some help. Thanks in advance!
Where you probably want to look is in the IIS Manager, click on your server node (or website node), an find the Request Filtering
icon. Go to the URL
tab and here you can either allow specific URL's always, or change the way URL filtering is handled in general. I'm sure these setting are also avaialble under the section of the web.config file, but I dont know off hand what all the settings elements and attributes would be (I'm sure you could do a search and find them easily).
You may have to fight past ASP.NET after you fix this as well.
Check your URLScan config. http://learn.iis.net/page.aspx/476/common-urlscan-scenarios/
Do you happen to have this listed in your [DenyUrlSequences] section?
Maybe it's a little too late but for me it worked by changing the configured exceptions using the AllowRestrictedChars registry setting ( as documented in https://support.microsoft.com/en-us/kb/820129). The default value is 0, I changed it to 1. If nonzero, Http.sys accepts hex-escaped chars in request URLs that decode to U+0000 – U+001F and U+007F – U+009F ranges.
精彩评论