I have Asp.Net MVC application (.NET Framework 4.8) with Web API controller and I need to allow the DEL
character (ASCII character 127
, HX is %7F
) in action's parameter in that controller. (In general I need to allow pretty much all ASCII characters from 32 to 127 but /
and \
).
My controller
public class ManagementController : ApiController
...
[HttpPost]
[Route("management/{paramater?}")]
public async Task<IHttpActionResult> Post(string paramater = null)
{
}
In web.config
, there is changed a list of invalid characters, since <
, >
, &
and other characters can be present in value for parameter
<system.web>
<httpRuntime targetFramework="4.8" requestPathInvalidCharacters="\" />
</system.web>
Also double escaping is allowed to enable plus +
sign (yeah, it is considered dangerous setting) and added ManagementUrlHandler-Integrated-4.0
handler to allow .
in URL
<system.webServer>
<security>
<requestFiltering allowDoubleEscaping="true" />
</security>
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0"
path="*."
verb="*"
type="System.Web.Handlers.TransferRequestHandler"
preCondition="integratedMode,runtimeVersionv4.0" />
<add name="ManagementUrlHandler-Integrated-4.0"
path="/management/*"
verb="POST"
type="System.Web.Handlers.TransferRequestHandler"
preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
Currently, when parameter
contains percent-encoded reserved characters (e.g. !, *, :, +, etc. and others like .
), routing works correctly and controller's action is getting expected parameter
value (e.g. request is issued to URL http://localhost/management/012345%2A
and parameter
value is 012345*
in controller's action).
However when parameter
contains DEL
character in percent-encoded form %7F
(e.g. request is issued to URL http://localhost/management/012345%7F
), IIS returns Bad Request
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML>
<HEAD>
<TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii">
</HEAD>
<BODY>
<h2>Bad Request - Invalid URL</h2>
<hr>
<p>HTTP Error 400. The request URL is invalid.</p>
</BODY>
</HTML>
Could you please advise on how to allow DEL
character in URL in Asp.Net MVC application?
UPDATE
RFC https://www.rfc-editor.org/rfc/rfc3986 does not specify DEL
character as Reserved Character or Unreserved Character. However DEL
character can be part of a URL in Asp.Net Core applications. Unfortunately this project cannot be moved to Asp.Net Core due to technical restrictions
Here is an example where %7F will not work: (try it!)
And here is an example where %7F will work: (try it!)
So change your code to: