404.11 错误 IIS7 当URL rewrite 含有+号

http://www.ifinity.com.au/Blog/EntryId/60/404-Error-in-IIS-7-when-using-a-Url-with-a-plus-sign-in-the-path

Why get 404 errors with +?

The reason that this doesn't work on IIS 7.0 is that Microsoft decided to tighten up on what's legal and what's not, and implement the Url standards more strictly, for security reasons.

Solution to the Problem

The long term solution is to include a choice of space-encoding in the relevant modules, but that will take some time to implement.

The short term solution is from this blog posting:

IIS 7.0 Breaking changes for ASP.NET 2.0 applications in Integrated Mode

Here's the relevant excerpt from the page, which shows the workaround/fix.

Request limits and URL processing

The following changes result due to additional restrictions on how IIS processes incoming requests and their URLs.

11) Request URLs containing unencoded “+” characters in the path (not querystring) is rejected by default

You will receive HTTP Error 404.11 – Not Found: The request filtering module is configured to deny a request that contains a double escape sequence .

This error occurs because IIS is by default configured to reject attempts to doubly-encode a URL, which commonly represent an attempt to execute a canonicalization attack.

Workaround :

1) Applications that require the use of the “+” character in the URL path can disable this validation by setting the allowDoubleEscaping attribute in the system.webServer/security/requestFiltering configuration section in the application’s web.config.  However, this may make your application more vulnerable to malicious URLs:

<system.webServer>

    <security>

            <requestFiltering allowDoubleEscaping="true" />

    </security>

</system.webServer>

note: from envykok

if url rewrite setting at domian level : then we need to update ApplicationHost.config (file path : %windir %/system32/inetsrv/config)

if url rewrite setting at application level : then we only need to update web.config