Hi there.

I have a .NET module that Handles .CustX files and performs some special processing.

The problem I'm running into is when I use the ampersand & in the file name, a BAD REQUEST error is thrown.

For example:
http://MyWebsite.com/You&Me.custx   will throw a BAD REQUEST error.
http://MyWebsite.com/You%26Me.custx   will throw the same error.

I think this is being rejected by the .NET engine, and not IIS6.

I'm actually encoding the ampersand into the %26 string, but the request still gets rejected.

Please see this has nothing to do with a QueryString issue, it's the ampersand in the actual file name.

The question is: Is there a way to use the ampersand in the URL, as shown in the examples above ?

I know there are several workarounds:
- Removing the ampersand.
- Replacing the ampersand.
- Hating the ampersand.

But I really want to know if there is a setting somewhere I can toggle for the .NET to start accepting the url encoded ampersand in the url.

Thanks for your help :)

Sincerely,
Agustin Garzon

http://dirk.net/2008/06/09/ampersand-the-request-url-in-iis7/

Applies to IIS6 as well.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters 

Thanks for your help.

Sincerely,
Agustin Garzon

I'm not sure if this applies in your situation, but a vanilla ampersand is actually illegal in XML, upon which ASP.NET is based.  For URLs in .aspx files, be sure to encode them with "&" 

OTOH, if you're seeing errors with incoming URLs with ampersands, does the request make it into the .NET page processing pipeline before being rejected?  If so, perhaps you could use URL rewriting as a work-around?

The request is rejected as a BAD REQUEST whatever the way you encode the ampersand.

Rejected: http://forums.asp.net/You%26Me.aspx
Rejected: http://forums.asp.net/You&Me.aspx
Rejected: http://forums.asp.net/You&Me.aspx

Click on those links to see what I mean.

The request never reaches the .NET page processing pipeline. The earliest point I was able to test was in the Application_BeginRequest, but the request never makes it through to that point.

I guess I'll have to use some sort of encoding to represent file names as something completely different when they contain ampersands in the URL.

I would like to know what other characters I should be aware of.

Not to mention the actual solution would be great too :)

Have a nice day,
Agustin Garzon

TheAgus:

Is there a setting somewhere I can toggle ON for the .NET to start accepting the encoded ampersand in the url?

The VerificationCompatibility value is that toggle.

Maybe you're running on a 64-bit server? In that case you should set the value in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ASP.NET\

It's not an encoding issue or related to XML (ASP.NET is not based on XML, really ), it's just one of those extra security measures that Microsoft has put in, since evil URLs have often been used as an attack vector.

From what I've seen, you should avoid ampersands, colons and percent signs.

You could perhaps just replace "&" with "and", and if you still want your files to be named with "&", you could use URL rewriting (in ASP.NET, not in IIS) to handle that. Or the exact opposite, perform the rewriting in IIS (using an ISAPI filter) before it reaches ASP.NET.

Hmm.  Interesting problem.  I don't have an answer for you, but here's a little info that might help.

Ampersands in URLs work fine in Cassini, so I don't think the filtering is happening at the ASP.NET level.

http.sys rejects requests that contain certain characters, although I don't think ampersand is among them.  See the following page for instructions on how to disable that check using the AllowRestrictedChars registry setting: http://support.microsoft.com/kb/820129/en-us

If you're running IIS 7, you might try turning off Modules to see if you can find one that's the culprit.

RickNZ:

Ampersands in URLs work fine in Cassini, so I don't think the filtering is happening at the ASP.NET level.

I believe it's in the ASP.NET ISAPI DLL, i.e the connector between IIS and ASP.NET.

Thanks a lot for your replies.

It's a Windows 2003 server, 32 bits.

I have added those keys but the problem persists.
DWORD AllowRestrictedChars with a hex value of 1, located on the root of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
DWORD VerificationCompatibility with a hex value of 1, located on the root of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET

Indeed, this issue doesn't affect the Cassini server.

I could replace the ampersand with the word and, but then I would have to check if a file exists with either the ampersand or the and word. If both exists... conflict.

Anyway, I can come up with a way to rewrite the troublesome filenames, with an MD5 hash perhaps.
But do you know what characters, other than the ampersand, would trigger the error ?

Thanks for your support.

Cordially,
Agustin Garzon.

TheAgus:

But do you know what characters, other than the ampersand, would trigger the error ?

Colons and percent signs are the other two valid URL characters that ASP.NET doesn't like.

Hmmm... thanks for sharing the finding.

I'm not sure if that hot fix would help with the ampersand and other special characters, and the error that hot fix addresses seems different to the plain Bad Request error.
That hotfix (nov 2007) should already be included in the latest .NET Service Pack.
I might test it in a virtual computer, but definitely wouldn't apply it in the actual server.

I'll perform some rewriting or encoding of file names when they contain special characters.

Thanks for your advice, I thought this would be a simpler one!

Sincerely,
Agustin Garzon

 It should be simple...

I just tried the VerificationCompatibility setting (only) on one of our Win2003/IIS6 servers and it worked as advertised.

1. Created a simple aspx named "Form&.aspx" and made sure the site ran with ASP.NET 2.0 settings and application pool
2. Accessed http://server/Form&.aspx
3. Got "Bad request"
4. Added the VerificationCompatibility DWORD
5. Restarted IIS (iisreset command)
6. Accessed http://server/Form&.aspx
7. Success

No luck.

Added the VerificationCompatibility DWORD on the root of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET and added it too on the root HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\2.0.50727.0

Restarted the server. Issue is still there: http://www.bluetonemedia.com/Test&.aspx

I'll implement the rewriting-filename encoding anyway.

Thanks for your help :)

Sincerely,
Agustin.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ASP.NET. Added DWORD VerificationCompatibility = 1

And it worked like a charm on WIndows 64 bit, IIS 32 bit.