I'm using ASP.NET 4.5 and have the following routing rule in my Global.asax file:
RouteTable.Routes.MapPageRoute("defaultRoute", "{*value}", "~/default.aspx")
What I'm trying to accomplish is redirecting dynamically generated URLs that are formatted like this:
http://myurl.com/firstnamelastname
Here is what one might actually look like:
http://myurl.com/davemackey
My problem is that the above redirects all requests - e.g. to axd or jpg files. Now I could add exclusions for every other type of file like so:
RouteTable.Routes.Ignore("{resource}.axd/{*pathInfo}")
But this would be error prone and tedious (e.g., what happens if someone adds another file type to the project?).
So, what I'd like to do is something like this:
RouteTable.Routes.MapPageRoute("defaultRoute", "{*value}(where no suffix)", "~/default.aspx")
Or, put into my clear English:
If URL does not have a suffix, then redirect using defaultRoute to ~/default.aspx
Any thoughts on how to accomplish this?
==
Update:
I found this MSDN article. It seems that using Constraints might work to implement what I am speaking of above...but I'm not exactly sure how...
==
Update 2:
I've got a passable solution for the moment. I added the following:
RouteTable.Routes.Ignore("{path}/{value}")
Since image and other files are kept in sub-directories, this forces them to be excluded. Still, I have two concerns with this:
What if the path is longer than a single sub-directory, e.g. images/people/person.jpg?
What if a file is placed into the main root (shouldn't be, but it could happen) that is a jpg or etc.?
Related
After the research published showing that .aspx routes are vulnerable to reflected XSS, what is the recommended alternative to using Page.ResolveUrl or Control.ResolveUrl? The linked article doesn't suggest any mitigations.
Summary of the linked research:
For .aspx pages (not MVC), even if you don't have cookieless sessions enabled, ASP.NET still parses those "special" URL formats such as http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/orderform.aspx
and it includes them in the page output whenever you use ResolveUrl.
Thus it creates an attack vector where a call like ResolveUrl( "~/Images/logo.png" ) will inject content of the attacker's choice into your page output, e.g.
/(S("onerror="alert`1`"))/Images/logo.png
I've posted one possible answer below but am looking for better ideas.
Note that ResolveClientUrl is not a direct replacement since it generates a relative Url, e.g. ../Images/logo.png unlike ResolveUrl which generates a root Url e.g. /myapp/Images/logo.png
One approach is to use HttpRuntime.AppDomainAppVirtualPath instead of the special tilde syntax. So the example from above...
Instead of:
ResolveUrl( "~/Images/logo.png" )
We would have:
HttpRuntime.AppDomainAppVirtualPath.TrimEnd( '/' ) + "/Images/logo.png"
Slightly less concise but seems to accomplish the same thing without invoking the ancient "cookieless" route parsing.
Use ResolveClientUrl instead of ResolveUrl.
ResolveClientUrl will not allow XSS.
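The HttpRuntime.AppDomainAppVirtualPath approach from the first answer, wrapped as a helper; this is an added example, not code from the question, the answers or the linked research. The class and method names (AppUrl, FromRoot, Combine, ForAttribute, HasCookielessSegment) are hypothetical, and the single-letter segment pattern is an assumption generalised from the (S(...)) format quoted in the question.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example: builds root URLs from the configured application path
// instead of ResolveUrl, so nothing from the request URL reaches the output.
public static class AppUrl
{
    // Assumed pattern for a cookieless-style segment such as /(S(...))/.
    private static readonly Regex CookielessSegment =
        new Regex(@"/\([A-Za-z]\(.*?\)\)/", RegexOptions.Compiled);

    // "~/Images/logo.png" -> "/myapp/Images/logo.png" (or "/Images/logo.png" for a root app).
    public static string FromRoot(string appRelativePath)
    {
        return Combine(HttpRuntime.AppDomainAppVirtualPath, appRelativePath);
    }

    // Pure string logic, separated out so it can be unit tested without a web host.
    public static string Combine(string appVirtualPath, string appRelativePath)
    {
        if (appRelativePath == null ||
            !appRelativePath.StartsWith("~/", StringComparison.Ordinal))
        {
            throw new ArgumentException(
                "Expected an app-relative path starting with ~/", "appRelativePath");
        }
        // "/" and "/myapp" both end up without a trailing slash.
        string root = (appVirtualPath ?? "/").TrimEnd('/');
        return root + appRelativePath.Substring(1);
    }

    // Encoded for an HTML attribute value, e.g.
    // <img src="<%= AppUrl.ForAttribute("~/Images/logo.png") %>" />
    public static string ForAttribute(string appRelativePath)
    {
        return HttpUtility.HtmlAttributeEncode(FromRoot(appRelativePath));
    }

    // For log review or tests: true when a raw request path carries a
    // cookieless-style segment like the one shown in the question.
    public static bool HasCookielessSegment(string rawPath)
    {
        return rawPath != null && CookielessSegment.IsMatch(rawPath);
    }
}
```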
I have a URL say /Registration/GetName.aspx/?language=English
When I click on an ASP.NET Button on the same page and call Response.Redirect("CheckLoginName.aspx");
It gives me a weird URL
/Registration/GetName.aspx/CheckLoginName.aspx
What should I do?
Please Help?
You should use "~/" inside your Redirect
So your code will look something like this
Response.Redirect("~/CheckLoginName.aspx");
Hope this helps
You should remove the trailing / before the query string, since it serves no purpose. Your URL should be /Registration/GetName.aspx?language=English. Another option is to have Response.Redirect("../CheckLoginName.aspx"); This should also work.
I think a solution using a relative path is better, since it is location independent. If you move these two files to another URL, there will be no need for code changes.
I have a web application and all of its images use relative paths,
for example '../../images/logo.png'.
I need to change all of the images in the application to another domain,
for example: 'static.domain.com/images/logo.png'.
Is there a fast way to change all the data?
Of course the long option is to iterate all images and change them manually.
Replace all occurrences manually
Use custom image class, inherited from System.Web.UI.WebControls.Image, to make possible configuration of behavior regarding image path
In general you should encapsulate relative paths to resources in a code block, like this (using an ASP.NET MVC example as my classic ASP.NET skills are getting rusty):
<%= Url.Content( "~/images/logo.png" ) %>
To map them to a different path than the default, you can either define a custom route that matches all *.png files (and any other used formats) or introduce your own helper extensions so that you can rewrite the above to something like this:
<%= Url.Static( "~/images/logo.png" ) %>
The easiest is like #TBohnen.jnr said
Why don't you do a find and replace
(ctrl + H) and replace "../../images/"
with 'static.domain.com/images/' risky
but should be the easiest?
You can write an httphandler for handling .png files, and change their address there.
another way is to press ctrl+f and find and replace ../../ with your new address in entire solutions which takes a minute.
I'm trying to build up a proper routing scheme for my products section in MVC 2. I've got the following criteria:
Links of the format
/Products/(MX[0-9]+) and /Products/(BDL[0-9A-Z_])
Need to route to ProductsController.Show(Id = $1)
Links of the format
/Products/([a-zA-Z0-9/]+)
Example: http://www.mysite.com/Products/Cameras/Digital/
Need to route to ProductsController.List(Category = $1)
Then on top of this, I want links like
/Products/AddToCart/{1} to work normally.
So far I've been able to get the above two to work fine through a relatively hack-ish method (all past /Products/ is routed to show, where some conditional logic redirects to .List(Category) if the start of the input isn't MX or BDL).
I'm not happy with the current implementation and am open to some help. Thank you in advance.
Use regular expression constraints for your routes and place them with AddToCart first, MX and BDL second, and the catch all products last. If you'd like even more control than that, you can create custom routes.
I don't recall the syntax off the top of my head, but you can add regex constraints on your routes so that they route to different places.
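The route ordering and regex constraints described in the answers above, together with the suffix-less Web Forms catch-all asked about in the first question on this page; this is an added example, not code from any of the posts. Route names, the AddToCart action and the `+` after the BDL character class are assumptions.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Added example. A string constraint is a regex that must match the whole
// parameter value; ASP.NET routing applies it case-insensitively.
public static class RouteConfig
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        // 1. Most specific first, so "AddToCart" is never read as an id or category.
        routes.MapRoute(
            "ProductAddToCart",
            "Products/AddToCart/{id}",
            new { controller = "Products", action = "AddToCart" });

        // 2. Product ids: MX followed by digits, or BDL followed by [0-9A-Z_].
        routes.MapRoute(
            "ProductShow",
            "Products/{id}",
            new { controller = "Products", action = "Show" },
            new { id = @"MX[0-9]+|BDL[0-9A-Z_]+" });

        // 3. Anything else under /Products/ is a category path such as
        //    Cameras/Digital; other characters fall through to a 404.
        routes.MapRoute(
            "ProductList",
            "Products/{*category}",
            new { controller = "Products", action = "List" },
            new { category = @"[a-zA-Z0-9/]+" });

        // Web Forms catch-all limited to a single segment with no dot, so
        // /davemackey matches while /logo.jpg and /images/people/person.jpg do not.
        routes.MapPageRoute(
            "defaultRoute",
            "{*value}",
            "~/default.aspx",
            true,   // checkPhysicalUrlAccess
            null,   // no defaults
            new RouteValueDictionary { { "value", @"[^./]+" } });
    }
}
```

Because the constraint is case-insensitive, ids such as mx12 also reach Show; validate the id again inside the action if case matters.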
I'm trying to retrieve the value of myID from my URL.
I'm testing this using <%=Request.QueryString["hotelid"] %>.
It only works the first time the page is loaded either in a new browser, or if my project has been rebuilt.
My URL string is typical: http://my/path/to/site/?hotelid=2.
If I try <%=Request.QueryString %>, I'm also getting other values as well. Values I do not see in the URL string.
What am I missing here?
Update:
Using <%=Request.RawUrl%>, I get the following results:
/Util/NotFound.aspx?404;http://localhost/en/Tjenester/Hotellguiden-2/Hotel-informasjon/?hotelid=3
I have NO idea what the /Util/NotFound.aspx?404 is or where it comes from.
My URL looks like this:
http://localhost/en/Tjenester/Hotellguiden-2/Hotel-informasjon/?hotelid=2
Update 2:
I'm currently investigating if it is EPiServer CMS that is using some kind of caching.
Update 3:
I have solved it. EPiServer is using EPnCachePolicyTimeout which is set to 1 hour. Setting this to 0 (zero) solved my problem.
Sometimes it really helps just writing about the problem here, talking "aloud" about it and voila :)
You need to turn off caching or add your parameter names to the config attribute httpCacheVaryByParams or overwrite the custom caching key method and make it diff on every querystring parameter.