How do I block requests for all *.php, *.cgi, etc. pages from inside an ASP.NET MVC 1.0 app hosted in IIS7?

5.9k views Asked by At

I'd like to block requests to any .php or .cgi regardless of the pathing information.

For example, when the following url is used:

http://mysite/Admin/Scripts/Setup.php

It matches an existing route:

routeCollection.MapRoute("Admin", "admin/{controller}/{action}/{uid}/{*pathInfo}", new { controller = "Admin", action = "Index", uid = "" });

However there is no controller for scripts so MVC throws the following:

The IControllerFactory '' did not return a controller for a controller named 'scripts'.

What I'd really prefer is that the request is simply met with a hard fail before MVC ever got to the controller.

I know that I can do this by hooking the Application_BeginRequest in the Global.asax and throwing a new HttpException(404, "Not Found") but that's not quite the elegant solution I'm looking for.

I was really hoping that this would work:

routeCollection.IgnoreRoute("{resource}.php/{*pathInfo}");

But it doesn't.

NOTE: Sean Lynch's answer works great but I still would really like a System.Web.Routing or System.Web.Mvc based solution. That way I can allow my users to add their own exclusions at runtime.

4

There are 4 answers

8
Sean Lynch On BEST ANSWER

If you hosting provider supports the IIS7 URL Rewrite module then you could check out this link:

http://learn.iis.net/page.aspx/499/request-blocking---rule-template/

Update here is what you would put into your web.config in the system.webserver section:

<system.webServer>
    <rewrite>
        <rules>
            <rule name="RequestBlockingRule1" patternSyntax="Wildcard">
                <match url="*" />
                <conditions>
                    <add input="{URL}" pattern="*.php*" />
                </conditions>
                <action type="CustomResponse" statusCode="403" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>
0
Mouffette On

You could block these extensions before it even hits IIS with Microsoft's UrlScan ISAPI Filter.

1
robmzd On

I know this is an old post but if you're looking for an ignore route for php requests (and some others) including requests within sub folders then I have found the code below works well (adapted from the ignore routes post from Phil Haack)

I also added a specific ignore route for the occasional apple touch icon request (using a wildcard for the different dimensions) and allowed for the different file extensions for the favicon (Google toolbar and some other browsers look for png and gif favicons).

Of course you could add an ignore route for all image file extensions but in my case I still want to route some of the other requests.

routes.IgnoreRoute("{*allphp}", new { allphp = @".*\.php(/.*)?" });
routes.IgnoreRoute("{*allcgi}", new { allcgi = @".*\.cgi(/.*)?" });
routes.IgnoreRoute("{*allaspx}", new { allaspx = @".*\.aspx(/.*)?" });

routes.IgnoreRoute("{*favicons}", new { favicons = @".*favicon\.(ico|gif|png)(/.*)?" });
routes.IgnoreRoute("{*allappleicon}", new { allappleicon = @"apple-touch-icon-.*\.png(/.*)?" });

Despite having these ignore routes, I still think that using request blocking for php files is preferable if you have access to do it.

0
Sean Lynch On

I found How to ignore route in asp.net forms url routing which might work for this, it uses the StopRoutingHandler class, and as long as the requests to .php do run through the routing this will probably work.

If the .php requests are not going through the routing handler then this probably wouldn't work.