问题描述

我们遇到在那里当URL有任何部分结尾我们的应用程序失败的问题'。在里面';我们不能避免这种由于功能要求。建议的解决办法是把在web.config文件relaxedUrlToFileSystemMapping。我们想知道是否有使用这种方法的任何潜在的安全风险。

We are having an issue where our application fails when the url has any part ending with '.' in it'; we can't avoid this due to functional requirements. The suggested solution is to turn on relaxedUrlToFileSystemMapping in web.config file. We would like to know if there are any potential security risks with this approach.

感谢

失败的URL fomrat：

fomrat of failing url: http://server.com/path1/krishnakk./path2

它返回404错误。

推荐答案

尽管这个问题是七个月大，这里是万一有人回答其他人遇到这样的情况。

Even though this question is seven months old, here's an answer in case anyone else comes across a situation like this.

关于这个问题的一部分，安全性，默认情况下 relaxedUrlToFileSystemMapping 设置为false，和ASP .NET假设URL的路径部分是一个有效的NTFS文件路径。如果通过设置禁用此 relaxedUrlToFileSystemMapping 为真，那么你可能会打开你的网站进行攻击，因为你通过禁用ASP .NET提供的默认保护。

Regarding the security part of the question, by default relaxedUrlToFileSystemMapping is set to false, and ASP .NET assumes that the path portion of a URL is a valid NTFS file path. If you disable this by setting relaxedUrlToFileSystemMapping to true, then you are potentially opening your site up to attack because you're disabling the default protection provided by ASP .NET.

如果您确实需要 relaxedUrlToFileSystemMapping 的应用程序的需求的约束下设置为true，你也应该确保你的验证所有网址的。

If you absolutely need to set relaxedUrlToFileSystemMapping to true you should also be sure that you validate all URLs within the constraints of your application's requirements.

这篇关于任何潜在的安全风险通过打开relaxedUrlToFileSystemMapping允许有一部分与结尾的网址，设置'。“的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！