How to get an ASP.NET MVC3 route to accept any type of file (dot in URL)


"ASP.NET MVC 2 Issue - Dot in Route" gives an example of allowing a dot (.) in the URL and allowing .svc files.

My question is how to allow any kind of file. I tried:

<httpRuntime relaxedUrlToFileSystemMapping="true" />
<remove extension=".*"/>

Not working! What I want is for any kind of URL (any chars) to be processed by the MVC3 route (MapRoute).

2

There are 2 answers

0
Eric Yin On BEST ANSWER

Here is the solution:

First: it will NOT cause a security leak. If you visit /web.config, you will get

HTTP Error 404.8 - Not Found
The request filtering module is configured to deny a path in the URL that contains a hiddenSegment section.

Unless you change the hiddenSegment of course.

Here is the solution, in the web.config file:

<system.webServer>
    <handlers>
        <add name="Static-Favicon" path="favicon.ico" verb="GET" modules="StaticFileModule" resourceType="File" requireAccess="Read" />
        <add name="Static-Robot" path="robots.txt" verb="GET" modules="StaticFileModule" resourceType="File" requireAccess="Read" />
        <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*" verb="GET,HEAD,POST,DEBUG" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
        <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*" verb="GET,HEAD,POST,DEBUG" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
        <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*" verb="GET,HEAD,POST,DEBUG" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
</system.webServer>

Static-Favicon and Static-Robot can be removed if you would like MVC to handle these two files as well.

Btw, you still need the <remove extension=".svc" /> to handle .svc files, and relaxedUrlToFileSystemMapping for special characters in the URL.

4
Erik Funkenbusch On

That's a very very very bad idea. You want people to be able to download your web.config? See your passwords? Download your database? IIS and MVC deliberately block many kinds of extensions because not doing so is highly insecure.
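
Both answers turn on whether request filtering still hides web.config once a handler is mapped to path="*". The audit below is an added example, not code from either poster: it lists the wildcard handlers in a web.config and reports any default hidden segment that the file's own hiddenSegments edits no longer cover. It assumes the stock IIS 7 default segment list and checks a single file without inheritance; `audit_web_config` and the weakened sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: segments hidden by a stock IIS 7+ applicationHost.config.
DEFAULT_HIDDEN = {"web.config", "bin", "app_code", "app_globalresources",
                  "app_localresources", "app_webreferences", "app_data",
                  "app_browsers"}

def audit_web_config(xml_text):
    """Return (wildcard_handler_names, exposed_segments) for one web.config."""
    root = ET.fromstring(xml_text)
    ws = root if root.tag == "system.webServer" else root.find(".//system.webServer")
    if ws is None:
        return [], []
    # Handlers mapped to path="*" receive every URL, whatever its extension.
    wildcard = [h.get("name", "?") for h in ws.findall("./handlers/add")
                if h.get("path") == "*"]
    # Replay the hiddenSegments collection edits in document order.
    hidden = set(DEFAULT_HIDDEN)
    for el in ws.findall("./security/requestFiltering/hiddenSegments/*"):
        seg = (el.get("segment") or "").lower()
        if el.tag == "clear":
            hidden.clear()
        elif el.tag == "remove":
            hidden.discard(seg)
        elif el.tag == "add":
            hidden.add(seg)
    return wildcard, sorted(DEFAULT_HIDDEN - hidden)

# Abridged from the answer's web.config (two of its five handlers).
PAGE_CONFIG = """<system.webServer><handlers>
  <add name="Static-Favicon" path="favicon.ico" verb="GET" modules="StaticFileModule" resourceType="File" requireAccess="Read" />
  <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*" verb="GET,HEAD,POST,DEBUG" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers></system.webServer>"""

# Constructed variant: same handlers, but web.config removed from hiddenSegments.
WEAKENED_CONFIG = PAGE_CONFIG.replace(
    "</system.webServer>",
    '<security><requestFiltering><hiddenSegments><remove segment="web.config" />'
    "</hiddenSegments></requestFiltering></security></system.webServer>")

if __name__ == "__main__":
    for label, cfg in (("answer's config", PAGE_CONFIG),
                       ("weakened variant", WEAKENED_CONFIG)):
        wildcard, exposed = audit_web_config(cfg)
        print(f"{label}: wildcard handlers={wildcard}, no longer hidden={exposed}")
```

An empty second list means the file leaves the default hidden segments alone, so a request for /web.config should still end in the 404.8 quoted above.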