stackoom
  简体   繁体   中英

IIS 8.5 - 404 response when requests contains a tilde ('~')

 原文  2021-01-27 13:52:10       .net/ asp.net-core/ iis/ iis-8.5

Question

I'm having a problem with a request i send to my .net core web API.

The request contains a path variable with a tilde ('~') followed by a number. For example:

GET 'https://example.com/v1/Books/details/~0~~9600131~BookTitle'

The error is a 404 with message:

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

The weird part is that this request is working in our testing environment. This environment is almost identical to our production.

Are there any IIS settings I could check, that could explain these differences?

Edit : Seems like the problem is related to ~{Numeric Character}.

~2 doesn't work but

~~ or ~g works

IIS 8.5

1 answers

solution1
 0  2021-01-28 01:31:21

Unsafe:

Characters can be unsafe for a number of reasons. The space
character is unsafe because significant spaces may disappear and
insignificant spaces may be introduced when URLs are transcribed or
typeset or subjected to the treatment of word-processing programs.
The characters "<" and ">" are unsafe because they are used as the
delimiters around URLs in free text; the quote mark (""") is used to
delimit URLs in some systems. The character "#" is unsafe and should always be encoded because it is used in World Wide Web and in other
systems to delimit a URL from a fragment/anchor identifier that might follow it. The character "%" is unsafe because it is used for
encodings of other characters. Other characters are unsafe because
gateways and other transport agents are known to sometimes modify
such characters. These characters are "{", "}", "|", "", "^", "~" ,
"[", "]", and "`".

All unsafe characters must always be encoded within a URL. For
example, the character "#" must be encoded within URLs even in
systems that do not normally deal with fragment or anchor
identifiers, so that if the URL is copied into another system that
does use them, it will not be necessary to change the URL encoding.

Because tilde ('~') is insecure, IIS actively prevents this behavior at the core level. This is an active security measure that can minimize the attack surface.

You can refer to this link for more information about quoted paragraphs.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question ONLY getting 404 error when C# / ASP.NET MVC app is online (IIS 8.5) when on Chrome IIS 8.5 recycles when new bindings are added IIS Slow response on POST requests 404 error when query string contains com1 for WebApi hosted on IIS 10 HTTP 404 when accessing .svc file in IIS SignalR website returns a 404 when deployed on IIS SubWebsite in Shared Server IIS 8.5 HttpModule in IIS 8.5 not being loaded Publishing to IIS 8.5 and error 502.5 IIS 8.5 400 Bad Request
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM