I've installed the patch and added the necessary entry to the UrlScan.ini to deny the ?aspxerrorpath= query string variable.
However, this has caused every error to cause a redirect loop because ?aspxerrorpath= is still being added to every error page that gets thrown.
How can I tell IIS to stop adding this query string to the error pages? It's causing the redirect loop ... consider this scenario:
<div style="background-color: transparent; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; " mce_style="background-color: transparent; font-family: 'Times New Roman'; font-size: small; margin: 0px;">The
default behavior is to send the user to the /Error?aspxerrorpath=/originalpath
Customer requests a page that doesn't exist
They get the 404 page and are sent to /Error?aspxerrorpath=/some-404-path
BUT then the ?aspxerrorpath= query string is being denied by the UrlScan feature
The
UrlScan feature, detects this and then sends the user to /Rejected-By-UrlScan
But
there is no Controller or Page located at /Rejected-By-UrlScan, so it sends to another error, which is
/Error?aspxerrorpath=/Rejected-By-UrlScan
But then once again, the ?aspxerrorpath= query string is included in the request and it sends them to the
same page again -- causing the redirect loop
</div>
I've run the check script that Scott Gu posted and my sites are configured correctly as far as custom error pages and not having separate error statuses go to different pages.
One way to fix this, I guess, is to add "aspxerrorpath=/Rejected-By-UrlScan" to the [AlwaysAllowedQueryStrings] header.
At least then it won't do the redirect loop. I thought maybe it would be better to just remove the automatic addition of ?aspxerrorpath= query string all together. I'm just not sure if this is possible.
mase
Member
3 Points
65 Posts
Redirect Loop on the patch with MVC 2
Oct 14, 2010 02:59 PM|mase|LINK
I've installed the patch and added the necessary entry to the UrlScan.ini to deny the ?aspxerrorpath= query string variable.
However, this has caused every error to cause a redirect loop because ?aspxerrorpath= is still being added to every error page that gets thrown.
How can I tell IIS to stop adding this query string to the error pages? It's causing the redirect loop ... consider this scenario:
<div style="background-color: transparent; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; " mce_style="background-color: transparent; font-family: 'Times New Roman'; font-size: small; margin: 0px;">The default behavior is to send the user to the /Error?aspxerrorpath=/originalpath- Customer requests a page that doesn't exist
- They get the 404 page and are sent to /Error?aspxerrorpath=/some-404-path
- BUT then the ?aspxerrorpath= query string is being denied by the UrlScan feature
- The
UrlScan feature, detects this and then sends the user to /Rejected-By-UrlScan
- But
there is no Controller or Page located at /Rejected-By-UrlScan, so it sends to another error, which is
- But then once again, the ?aspxerrorpath= query string is included in the request and it sends them to the
same page again -- causing the redirect loop
</div>/Error?aspxerrorpath=/Rejected-By-UrlScan
I've run the check script that Scott Gu posted and my sites are configured correctly as far as custom error pages and not having separate error statuses go to different pages.
mvc2 security Application_Error
mase
Member
3 Points
65 Posts
Re: Redirect Loop on the patch with MVC 2
Oct 14, 2010 04:24 PM|mase|LINK
One way to fix this, I guess, is to add "aspxerrorpath=/Rejected-By-UrlScan" to the [AlwaysAllowedQueryStrings] header.
At least then it won't do the redirect loop. I thought maybe it would be better to just remove the automatic addition of ?aspxerrorpath= query string all together. I'm just not sure if this is possible.
JoeReynolds
Member
25 Points
312 Posts
Re: Redirect Loop on the patch with MVC 2
Jul 05, 2011 10:55 AM|JoeReynolds|LINK
Mase, have you ever sorted all this out? I'm seeing the same issue.