find a location for property in a new city

Thursday, 28 February 2013

The request filtering module is configured to deny a request that contains a double escape sequence

In IIS 7.5 I have a site that contains a page that takes an encrypted part of a URL. This encrypted string includes a plus sign '+' which causes IIS to throw a "HTTP Error 404.11 - Not Found" error stating "The request filtering module is configured to deny a request that contains a double escape sequence."

The problem is that a + sign used to be acceptable in earlier versions of IIS so these URLs need to remain for legacy reasons. So, I need to make them allowed again in IIS.

The quick fix

This can be easily achieved with a simple web.config change:

<system.webServer>
    <security>
        <requestFiltering allowDoubleEscaping="true" />
    </security>
</system.webServer>

This allows URLs to contain this plus symbol '+'.

The warning

There are consequences to this which unsurprisingly are security related so please read Double Encoding to familiarise yourself with the risk for your situation. If it is a risk to you maybe the best solution is to redesign those URLs?

Follow britishdev on Twitter

3 comments:

  1. This evolution trumps normal route in produce price tag efficiencies excellent dissertation literature review!

    ReplyDelete
  2. I admit I have not been on this blog in a long time however it was joy to find it again. It is such an important topic and ignored by so many even professionals! I thank you for helping to make people more aware of these issues. Just great stuff as per usual!
    Tungsten wedding band

    ReplyDelete
  3. These kind of articles are always attractive and I am happy to find so many good point here in the post writing is simply great thanks for sharing.
    we buy houses fast

    ReplyDelete