Colon (:) in URL causes error in ASP.NET


I am creating a Web API, and when I include a colon (:) in the request string,

http://localhost:49579/api/mycontroller/:

I get this error:

A potentially dangerous Request.Path value was detected from the client (:).
[HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (:).]
   System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +9673044
   System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +53

I don't plan to include special characters in the actual requests for the API, but if some no-good user inputs special characters in the requests it would cause an error.

Question: How do I handle this error on the API side? Is there any way? Or should I just give the developers a note about this issue?

Note: I don't have control over the future clients who are going to access the API. I am using Visual Studio 2012 for Web; .NET version 4.0; ASP.NET Web API; and C#. I do think the code is unnecessary for my case; the API works except for those certain special characters. But if you think otherwise, please do tell me what else you need to know.
Another Note: I'm not trying to find ways to allow it in a URL, I'm just looking for ways to handle the error specifically.

3

There are 3 answers

2
Thomas Lielacher On

You could implement an ExceptionFilterAttribute. For example:

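using System.Net;
using System.Net.Http;
using System.Web;               // HttpException
using System.Web.Http.Filters;  // ExceptionFilterAttribute, HttpActionExecutedContext

// Converts an HttpException thrown while a Web API action executes into a 400 response.
public class HttpExceptionFilterAttribute : ExceptionFilterAttribute
{
    public override void OnException(HttpActionExecutedContext actionExecutedContext)
    {
        if (actionExecutedContext.Exception is HttpException)
        {
            // Replace the default error response with a bare 400 Bad Request.
            actionExecutedContext.Response = new HttpResponseMessage(HttpStatusCode.BadRequest);
        }
    }
}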

This attribute can be used on an action method, a controller or globally. But don't forget to register this filter on startup. More details can be found here: Exception Handling in ASP.NET Web API.
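The stack trace in the question shows the exception being raised in `System.Web.PipelineStepManager.ValidateHelper`, that is, in the ASP.NET pipeline rather than inside a controller action, so an application-level handler is another place to turn it into a clean 400. The following is an added example, not part of the original answer; the class name `WebApiApplication`, the JSON body and the use of `Trace` for logging are assumptions, as is the expectation that this `HttpException` reports HTTP status 400.

```csharp
// Global.asax.cs -- added example, not code from the question or the answers.
using System;
using System.Diagnostics;
using System.Web;

// Assumption: WebApiApplication is the application class named in Global.asax.
public class WebApiApplication : HttpApplication
{
    // Called for unhandled errors raised anywhere in the ASP.NET pipeline,
    // including request validation, which runs before a controller is chosen.
    protected void Application_Error(object sender, EventArgs e)
    {
        var httpError = Server.GetLastError() as HttpException;
        if (httpError == null)
        {
            return; // not an HTTP-level failure; leave it to default handling
        }

        // Assumption: the "potentially dangerous Request.Path" exception
        // carries status 400. Anything else keeps its default handling.
        if (httpError.GetHttpCode() != 400)
        {
            return;
        }

        // Record the detail server-side; do not echo the rejected input
        // or the framework's message back to the caller.
        Trace.TraceWarning("Rejected request from {0}: {1}",
                           Request.UserHostAddress, httpError.Message);

        Server.ClearError();                     // suppress the default error page
        Response.Clear();
        Response.TrySkipIisCustomErrors = true;  // keep IIS from replacing the body
        Response.StatusCode = 400;
        Response.ContentType = "application/json";
        Response.Write("{\"error\":\"The request URL contains characters that are not allowed.\"}");
    }
}
```

Request validation stays enabled with this approach; only the shape of the error response changes, so clients get a plain 400 instead of the HTML error page and stack trace.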

3
Tom Chantler On

If you do want to allow it, try setting relaxedUrlToFileSystemMapping = true in your web.config.

<httpRuntime relaxedUrlToFileSystemMapping = "true" />

MSDN Link and here it is in context.

Alternatively, make this config change and then choose to return the relevant error message, or redirect them or whatever you want to do.

EDIT: If you just want to allow the colon in the request string for a single method you can always decorate that Action Method with [ValidateInput(false)] as explained in more detail in this answer of mine. This means that you don't need to downgrade your request validation in the web.config.

0
Yaugen Vlasau On

I would avoid strings in web paths in their "end user" representation.

If you really need to pass the text, would it help to pass it as a parameter of a POST request? This approach will work for sure for any strings.

In case you have to do it over a GET request, please take care of some additional encoding/decoding logic that will help you step over the Request.Path restriction (here I mean logic that will convert the original string to some URL-friendly string and, on the controller side, will decode the URL-friendly string back to the original string). But honestly I do not believe in this approach, because by decoding you might get a string that will be misinterpreted after inserting it as a part of a URL.

In case your text is an entry of a "dictionary" on your server, then I would add an integer Id field to the "dictionary" of your entities and use an entity ID as a parameter of your web.API.