Programmatically check for canonicalization issues with ASP.NET
INTRODUCTION
This article describes how to add more safeguards to an ASP.NET application to help protect against common canonicalization issues.

MORE INFORMATION
What is canonicalization?
Canonicalization is the process by which various equivalent forms of a name can be resolved to a single standard name, or the "canonical" name. For example, on a specific computer, the names c:\dir\test.dat, test.dat, and ..\..\test.dat might all refer to the same file. Canonicalization is the process by which such names are mapped to a name that is similar to c:\dir\test.dat.

When a URL is received by a Web server, the server maps the request to a file system path that determines the response. The canonicalization routine that is used to map the request must correctly parse the URL to avoid serving or processing unexpected content. For more information about canonicalization, visit the following Microsoft Web site:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh04.asp
We recommend that you use best practices to help safeguard your applications. For additional information, see the following section.

Adding additional canonicalization safeguards to your Web application
Microsoft ASP.NET developers can add more checks to help reduce canonicalization issues for a Web application by adding an Application_BeginRequest event handler to the Global.asax file that is stored in the root directory of the Web application. This event handler executes for each Web request and is a convenient location to insert code to help safeguard against canonicalization issues.

Code sample
The following samples demonstrate how to add an Application_BeginRequest event handler to a Global.asax file. The event handler helps protect against invalid characters and malformed URLs by performing path verifications to help protect against common canonicalization issues.

Global.asax code sample (Visual Basic .NET)
<script language="vb" runat="server">
    Sub Application_BeginRequest(Sender As Object, E As EventArgs)
        ' Reject the request if the virtual path contains a backslash (Chr(92)),
        ' or if the physical path that ASP.NET mapped differs from its fully
        ' canonicalized form (for example, it still contains "." or ".." segments).
        If (Request.Path.IndexOf(Chr(92)) >= 0 Or _
            System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) Then
            Throw New HttpException(404, "Not Found")
        End If
    End Sub
</script>
Global.asax code sample (C#)
<script language="C#" runat="server">
    void Application_BeginRequest(object source, EventArgs e) {
        // Reject the request if the virtual path contains a backslash, or if the
        // physical path that ASP.NET mapped differs from its fully canonicalized
        // form (for example, it still contains "." or ".." segments).
        if (Request.Path.IndexOf('\\') >= 0 ||
            System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
            throw new HttpException(404, "not found");
        }
    }
</script>
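The two checks in the Global.asax samples above can be hard to reason about until you see which mapped paths they actually reject. The following console program is an added example, not code from the Knowledge Base article: it factors the same two checks into a pure function (RejectReason) that returns the reason a request would be refused, so the logic can be exercised outside IIS against a handful of constructed (request path, physical path) pairs. It also adds a third, optional check (IsUnderRoot) that is not part of the article's sample. The application root C:\inetpub\wwwroot\app and all sample paths are assumed Windows values.

```csharp
// Added example (not from the KB article): the Global.asax canonicalization
// checks as a testable function, plus an optional root-containment check.
using System;
using System.IO;

public static class CanonicalizationCheck
{
    // Returns null when the request passes both checks from the KB sample,
    // otherwise a short reason suitable for logging before the handler
    // throws HttpException(404).
    public static string RejectReason(string requestPath, string physicalPath)
    {
        // Check 1 (KB sample): a backslash in the virtual path means the URL was
        // not normalized to forward slashes and may be mapped unexpectedly.
        if (requestPath.IndexOf('\\') >= 0)
            return "backslash in request path";

        // Check 2 (KB sample): if the fully resolved physical path differs from
        // the path ASP.NET mapped, the mapping still contained something that
        // canonicalization removes: "." or ".." segments, and on Windows a
        // trailing dot or space on the last segment.
        string full = Path.GetFullPath(physicalPath);
        if (!string.Equals(full, physicalPath, StringComparison.Ordinal))
            return "physical path not canonical: " + physicalPath + " -> " + full;

        return null;
    }

    // Optional third check, NOT part of the KB sample (added here): after
    // canonicalization the file must still be located beneath the application
    // root directory. appRoot is an assumed value supplied by the caller.
    public static bool IsUnderRoot(string physicalPath, string appRoot)
    {
        string full = Path.GetFullPath(physicalPath);
        string root = Path.GetFullPath(appRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;
        // Windows file paths are case-insensitive, so compare accordingly.
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        const string appRoot = @"C:\inetpub\wwwroot\app"; // assumed application root

        // Constructed (Request.Path, Request.PhysicalPath) pairs; these are
        // sample values, not captured from a real server.
        string[][] cases =
        {
            new[] { "/app/default.aspx",         @"C:\inetpub\wwwroot\app\default.aspx" },
            new[] { @"/app\default.aspx",        @"C:\inetpub\wwwroot\app\default.aspx" },
            new[] { "/app/sub/../default.aspx",  @"C:\inetpub\wwwroot\app\sub\..\default.aspx" },
            new[] { "/app/default.aspx.",        @"C:\inetpub\wwwroot\app\default.aspx." },
        };

        foreach (string[] c in cases)
        {
            string reason = RejectReason(c[0], c[1]);
            string verdict = reason == null ? "allow" : "reject (" + reason + ")";
            bool contained = IsUnderRoot(c[1], appRoot);
            Console.WriteLine("{0,-26} {1}; under app root: {2}", c[0], verdict, contained);
        }
    }
}
```

Run it as a plain console application on Windows (the constructed paths use a drive letter, so Path.GetFullPath will not canonicalize them the same way on other platforms). Only the first pair passes RejectReason: the second fails the backslash check, the third fails because GetFullPath collapses the "sub\.." segments, and the fourth fails because Windows path canonicalization drops the trailing dot. In a real handler the reason string belongs in your server-side log, not in the 404 response body, so that the client learns nothing beyond what the article's sample already returns.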
Disclaimer
The information that is provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

The information in this article applies to:
- Microsoft ASP.NET (included with the .NET Framework 1.0)
- Microsoft ASP.NET (included with the .NET Framework 1.1)
- Microsoft .NET Framework 1.0
- Microsoft .NET Framework 1.0 SP1
- Microsoft .NET Framework 1.0 SP2
- Microsoft .NET Framework 1.0 SP3
- Microsoft .NET Framework 1.1
- Microsoft .NET Framework 1.1 Service Pack 1 (SP1)