ASP.NET MVC: RouteLink from Area to Root throw Exception

Question

We have an ASP.NET MVC 3 WebApp with an area for administration (areaname = 'admin').

On a page (Razor => Index.cshtml) in the admin-area I call:

@Html.RouteLink("Preview", Resources_Blog.Route_Name_StaticPages, new { pagename = page.Slug, area = "" }, new {target = "_blank", Request.Url.Scheme})

The Route is declared in the global.asax like this:

routes.MapRoute(
            Resources_Blog.Route_Name_StaticPages, // Routename
            Resources_Blog.Route_Url_StaticPages + "/{pagename}", // URL with parameters
            new { controller = "Home", action = "Page", page = UrlParameter.Optional, area = "" }, // Defaults
            new[] { "My.Namespace.Controllers" }
        );

Resources are:

Route_Name_StaticPages = "StaticPages" 
Route_Url_StaticPages  = "static"

When the page is rendered or should be rendered I get this Exception:

System.Web.HttpException (0x80004005): Cannot use a leading .. to exit above the top directory.
at System.Web.Util.UrlPath.ReduceVirtualPath(String path)
at System.Web.Util.UrlPath.Reduce(String path)
at System.Web.HttpResponse.ApplyAppPathModifier(String virtualPath)
at System.Web.Routing.RouteCollection.NormalizeVirtualPath(RequestContext requestContext, String virtualPath)
at System.Web.Routing.RouteCollection.GetVirtualPath(RequestContext requestContext, String name, RouteValueDictionary values)
at System.Web.Mvc.RouteCollectionExtensions.GetVirtualPathForArea(RouteCollection routes, RequestContext requestContext, String name, RouteValueDictionary values, Boolean& usingAreas)
at System.Web.Mvc.UrlHelper.GenerateUrl(String routeName, String actionName, String controllerName, RouteValueDictionary routeValues, RouteCollection routeCollection, RequestContext requestContext, Boolean includeImplicitMvcValues)
at System.Web.Mvc.UrlHelper.GenerateUrl(String routeName, String actionName, String controllerName, String protocol, String hostName, String fragment, RouteValueDictionary routeValues, RouteCollection routeCollection, RequestContext requestContext, Boolean includeImplicitMvcValues)
at System.Web.Mvc.HtmlHelper.GenerateLinkInternal(RequestContext requestContext, RouteCollection routeCollection, String linkText, String routeName, String actionName, String controllerName, String protocol, String hostName, String fragment, RouteValueDictionary routeValues, IDictionary`2 htmlAttributes, Boolean includeImplicitMvcValues)
at System.Web.Mvc.Html.LinkExtensions.RouteLink(HtmlHelper htmlHelper, String linkText, String routeName, RouteValueDictionary routeValues, IDictionary`2 htmlAttributes)

Unfortunatly the exception is only thrown on the livesystem not on developsystem so I can not really debug it. It is an IIS 7.

I also tried to call the RouteLink-methode without the area-parameter also throws the exception:

Html.RouteLink("Preview", Resources_Blog.Route_Name_StaticPages, new { pagename = page.Slug, area = "" }, new {target = "_blank", Request.Url.Scheme})

Another try was calling RouteUrl but it also failed:

<a target="_blank" href="@Url.RouteUrl(Resources_Blog.Route_Name_StaticPages, new { pagename = page.Slug })">@Resources_Administration.Pages_StaticPage_Show</a>

Could someone help us out?

Is it an IIS-Configuration-issue or area-misconfiguration?

Answer 1

"Solved" the problem.

A VA-Test succeded in injecting a slug that contained "\\..\\..\\..\\..\\..\\..". So that exception was thrown correctly.