
4.6.1 to 4.7

2 replies

Last post Mar 04, 2019 03:26 PM by Revathi Mudupalli

  • 4.6.1 to 4.7

    Mar 01, 2019 04:25 PM|Revathi Mudupalli|LINK

    Hi,

    We converted our APIs from 4.6.1 to 4.7.

    We were using the following settings in our web.config to allow certain characters in URL parameters.

    <httpRuntime targetFramework="4.6.1" relaxedUrlToFileSystemMapping="true" requestValidationMode="2.0" requestPathInvalidCharacters="" />

    <requestFiltering allowDoubleEscaping="true" />

    These settings appear to be not working anymore after we converted from 4.6.1 to 4.7.

    Is there a way to fix this? What are the recommendations?

    Thanks

  • Re: 4.6.1 to 4.7

    Mar 04, 2019 05:26 AM|Jalpa Panchal|LINK

    Hi,

    Try the code below to restrict the characters which you don't want to allow. If possible, use IIS 10, which is the latest version.

    <httpRuntime requestValidationMode="2.0"
        requestPathInvalidCharacters="*,:,&amp;,\"
        relaxedUrlToFileSystemMapping="true" />

    You could also refer to the article below for more detail:

    https://www.hanselman.com/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx

    Regards,

    Jalpa.

  • Re: 4.6.1 to 4.7

    Mar 04, 2019 03:26 PM|Revathi Mudupalli|LINK

    Hi,

    I am using IIS 10.0

    If I send https://localhost/Gateway/api/users/%2567/patients, it decodes it and shows as https://localhost/Gateway/api/users/g/patients.

    If I send https://localhost/Gateway/api/users/%2512/patients, it shows as https://localhost/Gateway/api/users/%12/patients

    Thanks
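
The double decoding seen in the last post, reproduced as an added example (not code from the thread): it flags paths that a second percent-decoding pass still changes, which is what `allowDoubleEscaping="true"` lets through request filtering. Python's `urllib.parse.unquote` stands in for the server's decoder as an assumption, and the last two sample URLs are constructed.

```python
from urllib.parse import unquote, urlsplit

SAMPLES = [
    # The two URLs quoted in the last post of the thread.
    "https://localhost/Gateway/api/users/%2567/patients",
    "https://localhost/Gateway/api/users/%2512/patients",
    # Constructed for comparison: no escaping, and ordinary single escaping.
    "https://localhost/Gateway/api/users/g/patients",
    "https://localhost/Gateway/api/users/a%20b/patients",
]

def decode_passes(path, limit=5):
    """Return the path after each percent-decoding pass until it stops changing."""
    passes = [path]
    while len(passes) <= limit:
        nxt = unquote(passes[-1], encoding="latin-1")
        if nxt == passes[-1]:
            break
        passes.append(nxt)
    return passes

def is_double_escaped(path):
    """True when a second decoding pass still changes the path."""
    once = unquote(path, encoding="latin-1")
    return unquote(once, encoding="latin-1") != once

def has_control_chars(path):
    """True when the fully decoded path contains ASCII control characters."""
    final = decode_passes(path)[-1]
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in final)

def classify(url):
    """Summarise how the URL's path behaves under repeated decoding."""
    path = urlsplit(url).path  # urlsplit leaves percent-escapes untouched
    return {
        "passes": decode_passes(path),
        "double_escaped": is_double_escaped(path),
        "control_chars": has_control_chars(path),
    }

if __name__ == "__main__":
    for url in SAMPLES:
        result = classify(url)
        print(url)
        for n, p in enumerate(result["passes"]):
            print(f"  pass {n}: {p!r}")
        print(f"  double_escaped={result['double_escaped']}"
              f" control_chars={result['control_chars']}")
```

Routing and authorization decisions should be made on the same decoded form the application finally sees; a value that changes on the second pass is the case to log or reject.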