Friday, October 19, 2018

ASP.NET Web API: Invalid characters (>, <, *, space) in Web API URL

[HttpException]
at System.Web.Util.FileUtil.CheckSuspiciousPhysicalPath(String physicalPath)
at System.Web.CachedPathData.ValidatePath(String physicalPath)
at System.Web.HttpContext.ValidatePath()
at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

I recently encountered this exception for a requested Web API URL that contained an invalid character at its end. The business object has a validation rule for the order ID format, but instead of the validation error message I got a "resource is not available" error.

URL: https://localhost/api/OrderStatus/OrderID/234234%20

Then I started investigating and found that, by default, IIS validates each request URL at runtime; if it finds any invalid character, it throws an exception and the client sees:

HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

To disable the default URL validation, I added and enabled the configuration setting 'relaxedUrlToFileSystemMapping' in web.config. After this change, I started getting the business validation error message: Input Parameter is invalid.

<system.web>
  <httpRuntime targetFramework="4.5.2" relaxedUrlToFileSystemMapping="true" />
</system.web>

You can also supply a list of invalid characters: if the request URL contains any character in that list, the runtime throws the exception. In this way you can allow certain otherwise-invalid characters through to the application for processing, while the remaining invalid characters are still stopped with the above exception.

<httpRuntime targetFramework="4.5.2" relaxedUrlToFileSystemMapping="true" requestPathInvalidCharacters="<,>,*,%,&,:,\,?" />
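To make the order of the two runtime checks concrete, here is an added Python model (written for this post, not the ASP.NET source and not the author's code) of how requestPathInvalidCharacters and the file-system mapping check decide between an HTTP 404 and handing the request to the application, followed by an assumed application-level order ID rule (six digits; the post does not state the real rule). The model is a simplification of the real pipeline.

```python
import re
from urllib.parse import unquote

# Default value of httpRuntime requestPathInvalidCharacters in ASP.NET 4.x (same list as in the post).
DEFAULT_INVALID_CHARS = "<,>,*,%,&,:,\\,?"


def parse_invalid_chars(setting):
    """The attribute is a comma-separated list of single characters."""
    return {c for c in setting.split(",") if c}


def route_request(url_path, relaxed_mapping, invalid_chars=DEFAULT_INVALID_CHARS):
    """Simplified model (an assumption, not ASP.NET's implementation) of the two checks.

    1. requestPathInvalidCharacters: any listed character in the decoded path -> HTTP 404.
    2. File-system mapping check (CheckSuspiciousPhysicalPath in the stack trace): a path
       segment ending in a space or dot cannot map to a physical path -> HTTP 404,
       unless relaxedUrlToFileSystemMapping="true" skips this check.
    Returns ("404", reason) or ("app", decoded_path).
    """
    decoded = unquote(url_path)  # %20 becomes a space before the checks run
    hits = sorted({c for c in decoded if c in parse_invalid_chars(invalid_chars)})
    if hits:
        return ("404", "requestPathInvalidCharacters rejected %r" % hits)
    if not relaxed_mapping and any(seg != seg.rstrip(" .") for seg in decoded.split("/")):
        return ("404", "CheckSuspiciousPhysicalPath rejected trailing space or dot")
    return ("app", decoded)


# Assumed business rule for the order ID (the post only says a format rule exists).
ORDER_ID_PATTERN = re.compile(r"[0-9]{6}")


def handle_order_status(url_path, relaxed_mapping):
    """Run the runtime checks first; only then does the application's own validation see the value."""
    outcome, detail = route_request(url_path, relaxed_mapping)
    if outcome == "404":
        return "HTTP 404: " + detail
    order_id = detail.rsplit("/", 1)[-1]
    if not ORDER_ID_PATTERN.fullmatch(order_id):
        return "Input Parameter is invalid"  # the business validation message from the post
    return "OK: order %s" % order_id


if __name__ == "__main__":
    for path in ("/api/OrderStatus/OrderID/234234%20", "/api/OrderStatus/OrderID/234234"):
        print(path, "->", handle_order_status(path, False), "|", handle_order_status(path, True))
```

Once the mapping check is relaxed, the trailing space reaches the application, so the parameter validation in the controller is the only thing that rejects it.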

Thanks for Visiting!!
