404 Error in IIS 7 when using a Url with a plus (+) sign in the path

http://www.ifinity.com.au/Blog/EntryId/60/404-Error-in-IIS-7-when-using-a-Url-with-a-plus-sign-in-the-path

I recently had reported problems when using IIS7 that Urls with a + in the url were failing with 404 errors.  This was to do with the Url Master module, which often rewrites Urls to use a simple space encoding (+) rather than the messy (but still valid) %20 encoding.   Normally this is where you have a DNN module that uses a querystring value, where the querystring value gets incorporated into the path of the Url via Friendly Url generation.

As is often the case with errors, I have never heard of them and then within a week I'll get several reports of the same error, even when a particular problem has been 'in the wild' for a long period of time.  It's like the progression of systems across new technologies happens at a steady rate, so that very few people are a long way ahead and trying new things.

The problem occurs in Urls like this : www.mysite.com/my-page-name/key/value+with+spaces.aspx

This Url would be rewritten to this value : www.mysite.com/default.aspx?key=value+with+spaces

Note that with the Url Master module, while it can replace spaces in DotNetNuke page names to construct human friendly urls, it doesn't replace spaces in querystring values.  This is because the module waiting for the rewritten query string might not be expecting a change in the value, and you can't just stick hyphens in where a space is, and then remove them again.   If you did that, you'd eventually run into a case where a legitimate hyphen was removed from the query string.

Example of the Problem

To clarify the problem further, here's an example of how the problem shows up.  It involves two of my modules, the iFinity Tagger and the Url Master modules.

The Tagger module shows a listing of all tagged items when the Tag is requested in the query string, like this :

mysite.com/Tag-List/two+word+tag/

The '+' in the url is put there by the Url Master module, to make the Url look nice and simple, rather than the correct but frantically ugly:

mysite.com/Tag-List/two%20word%20tag/

If you're running your DotNetNuke install (or any asp.net application, for that matter) on IIS7, then you'll get an IIS 404.

Why get 404 errors with +?

The reason that this doesn't work on IIS 7.0 is that Microsoft decided to tighten up on what's legal and what's not, and implement the Url standards more strictly, for security reasons.

Solution to the Problem

The long term solution is to include a choice of space-encoding in the relevant modules, but that will take some time to implement.

The short term solution is from this blog posting:

IIS 7.0 Breaking changes for ASP.NET 2.0 applications in Integrated Mode

Here's the relevant excerpt from the page, which shows the workaround/fix.

Request limits and URL processing

The following changes result due to additional restrictions on how IIS processes incoming requests and their URLs.

11) Request URLs containing unencoded “+” characters in the path (not querystring) is rejected by default

You will receive HTTP Error 404.11 – Not Found: The request filtering module is configured to deny a request that contains a double escape sequence .

This error occurs because IIS is by default configured to reject attempts to doubly-encode a URL, which commonly represent an attempt to execute a canonicalization attack.

Workaround :

1) Applications that require the use of the “+” character in the URL path can disable this validation by setting the allowDoubleEscaping attribute in the system.webServer/security/requestFiltering configuration section in the application’s web.config.  However, this may make your application more vulnerable to malicious URLs:

<system.webServer>

    <security>

            <requestFiltering allowDoubleEscaping="true" />

    </security>

</system.webServer>