Asp.Net MVC: Allow the `DEL` character in URL

Question

I have Asp.Net MVC application (.NET Framework 4.8) with Web API controller and I need to allow the DEL character (ASCII character 127, HX is %7F) in action's parameter in that controller. (In general I need to allow pretty much all ASCII characters from 32 to 127 but / and \).

My controller

public class ManagementController : ApiController
...
[HttpPost]
[Route("management/{paramater?}")]
public async Task<IHttpActionResult> Post(string paramater = null)
{
}

In web.config, there is changed a list of invalid characters, since <, >, & and other characters can be present in value for parameter

<system.web>
  <httpRuntime targetFramework="4.8" requestPathInvalidCharacters="\" />
</system.web>

Also double escaping is allowed to enable plus + sign (yeah, it is considered dangerous setting) and added ManagementUrlHandler-Integrated-4.0 handler to allow . in URL

<system.webServer>
  <security>
    <requestFiltering allowDoubleEscaping="true" />
  </security>
  <handlers>
    <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
    <remove name="OPTIONSVerbHandler" />
    <remove name="TRACEVerbHandler" />
    <add name="ExtensionlessUrlHandler-Integrated-4.0"
         path="*."
         verb="*"
         type="System.Web.Handlers.TransferRequestHandler"
         preCondition="integratedMode,runtimeVersionv4.0" />
    <add name="ManagementUrlHandler-Integrated-4.0"
         path="/management/*"
         verb="POST"
         type="System.Web.Handlers.TransferRequestHandler"
         preCondition="integratedMode,runtimeVersionv4.0" />
  </handlers>
</system.webServer>

Currently, when parameter contains percent-encoded reserved characters (e.g. !, *, :, +, etc. and others like .), routing works correctly and controller's action is getting expected parameter value (e.g. request is issued to URL http://localhost/management/012345%2A and parameter value is 012345* in controller's action).

However when parameter contains DEL character in percent-encoded form %7F (e.g. request is issued to URL http://localhost/management/012345%7F), IIS returns Bad Request

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML>

<HEAD>
    <TITLE>Bad Request</TITLE>
    <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii">
</HEAD>

<BODY>
    <h2>Bad Request - Invalid URL</h2>
    <hr>
    <p>HTTP Error 400. The request URL is invalid.</p>
</BODY>

</HTML>

Could you please advise on how to allow DEL character in URL in Asp.Net MVC application?

UPDATE RFC https://www.rfc-editor.org/rfc/rfc3986 does not specify DEL character as Reserved Character or Unreserved Character. However DEL character can be part of a URL in Asp.Net Core applications. Unfortunately this project cannot be moved to Asp.Net Core due to technical restrictions

Answer 1

Here is an example where %7F will not work: (try it!)

https://stackoverflow.com/%7F

And here is an example where %7F will work: (try it!)

https://stackoverflow.com/?parameter=%7F

So change your code to:

public class ManagementController : ApiController
...
[HttpPost]
public async Task<IHttpActionResult> Management(string parameter = null)
{
}