14

I'd like to block requests to any .php or .cgi regardless of the pathing information.

For example, when the following url is used:

http://mysite/Admin/Scripts/Setup.php

It matches an existing route:

routeCollection.MapRoute("Admin", "admin/{controller}/{action}/{uid}/{*pathInfo}", new { controller = "Admin", action = "Index", uid = "" });

However there is no controller for scripts so MVC throws the following:

The IControllerFactory '' did not return a controller for a controller named 'scripts'.

What I'd really prefer is that the request is simply met with a hard fail before MVC ever got to the controller.

I know that I can do this by hooking the Application_BeginRequest in the Global.asax and throwing a new HttpException(404, "Not Found") but that's not quite the elegant solution I'm looking for.

I was really hoping that this would work:

routeCollection.IgnoreRoute("{resource}.php/{*pathInfo}");

But it doesn't.

NOTE: Sean Lynch's answer works great but I still would really like a System.Web.Routing or System.Web.Mvc based solution. That way I can allow my users to add their own exclusions at runtime.

Doug Wilson
  • This isn't an answer but I would certainly play around with Phil Haack's route debugger: http://haacked.com/archive/2008/03/13/url-routing-debugger.aspx It will let you know what route takes whatever url you are testing. Also I would look into disabling existing file mapping. – MarkKGreenway Oct 08 '09 at 18:32

4 Answers

16

I know this is an old post but if you're looking for an ignore route for php requests (and some others) including requests within sub folders then I have found the code below works well (adapted from the ignore routes post from Phil Haack).

I also added a specific ignore route for the occasional apple touch icon request (using a wildcard for the different dimensions) and allowed for the different file extensions for the favicon (Google toolbar and some other browsers look for png and gif favicons).

Of course you could add an ignore route for all image file extensions but in my case I still want to route some of the other requests.

routes.IgnoreRoute("{*allphp}", new { allphp = @".*\.php(/.*)?" });
routes.IgnoreRoute("{*allcgi}", new { allcgi = @".*\.cgi(/.*)?" });
routes.IgnoreRoute("{*allaspx}", new { allaspx = @".*\.aspx(/.*)?" });

routes.IgnoreRoute("{*favicons}", new { favicons = @".*favicon\.(ico|gif|png)(/.*)?" });
routes.IgnoreRoute("{*allappleicon}", new { allappleicon = @"apple-touch-icon-.*\.png(/.*)?" });

Despite having these ignore routes, I still think that using request blocking for php files is preferable if you have access to do it.

robmzd
  • 4
    Just a little note about the apple-touch-icon, the RegEx to use should be `routes.IgnoreRoute("{*allappleicon}", new { allappleicon = @"apple-touch-icon-?.*\.png(/.*)?" });` because your version wasn't excluding the apple-touch-icon.png – Alexandre Jobin Feb 13 '12 at 16:44
10

If your hosting provider supports the IIS7 URL Rewrite module then you could check out this link:

http://learn.iis.net/page.aspx/499/request-blocking---rule-template/

Update: here is what you would put into your web.config in the system.webServer section:

<system.webServer>
    <rewrite>
        <rules>
            <rule name="RequestBlockingRule1" patternSyntax="Wildcard">
                <match url="*" />
                <conditions>
                    <add input="{URL}" pattern="*.php*" />
                </conditions>
                <action type="CustomResponse" statusCode="403" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>
Sean Lynch
  • 1
    I second that. Use the AbortRequest action type and the request will never get any further. – Mark Bell Oct 08 '09 at 17:53
  • Can URL Rewrite module rules be added from within my application, or from within the application directory on the disk or must I use IIS Manager to configure them? – Doug Wilson Oct 08 '09 at 18:19
  • You can define the rules in the web.config of your application, so don't need to use IIS Manager to configure them. However, I am not sure of the exact XML that would be used though. I don't have access to IIS Manager right now to try it out. – Sean Lynch Oct 08 '09 at 18:58
  • But I have done it with the path rewriting, and just copied the web.config up. – Sean Lynch Oct 08 '09 at 18:59
  • I have added the code for the web.config that IIS Manager generated. – Sean Lynch Oct 08 '09 at 19:40
  • I have investigated this and I like it. In the process I also looked at the Request Filtering module and I actually like that better. It's much simpler to configure and highly effective. I'm not 100% sure but it may even run earlier in the pipeline than the URL Rewrite module. – Doug Wilson Oct 08 '09 at 19:42
  • This answer works great but I would really like a System.Web.Routing or System.Web.MVC solution to this. – Doug Wilson Oct 08 '09 at 19:49
  • Well, after a few days of messing around with other approaches I like this one the best, by far! It's convenient, not messy, doesn't require a recompile (well, outside of what ASP.NET does on its own) and built-in (so well supported). I haven't figured out if I can programmatically add new rules on the fly, but that's not a critical requirement. – Doug Wilson Oct 14 '09 at 17:02
0

I found How to ignore route in asp.net forms url routing which might work for this, it uses the StopRoutingHandler class, and as long as the requests to .php do run through the routing this will probably work.

If the .php requests are not going through the routing handler then this probably wouldn't work.

Sean Lynch
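
Added example, not part of any of the posts above: one way to combine the regex-constrained catch-all from the first answer with the StopRoutingHandler mentioned in this one, so that exclusions can be added at runtime as the question asks. `BlockedExtensionRoute`, `ExtensionBlockList`, `BuildPattern` and `Block` are hypothetical names; the code assumes System.Web.Routing on the .NET Framework.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web.Routing;

// Added example: hypothetical helper, not code from the posts on this page.
public sealed class BlockedExtensionRoute : Route
{
    public BlockedExtensionRoute(string url)
        : base(url, new StopRoutingHandler()) { }

    // Like the framework's own ignore routes, never take part in URL generation.
    public override VirtualPathData GetVirtualPath(
        RequestContext requestContext, RouteValueDictionary values)
    {
        return null;
    }
}

public static class ExtensionBlockList
{
    // Same shape as the constraints in the first answer, e.g. ".*\.php(/.*)?".
    // Routing matches a constraint against the whole catch-all value,
    // ignoring case, so "Admin/Scripts/Setup.php" matches.
    public static string BuildPattern(string extension)
    {
        string ext = (extension ?? "").TrimStart('.');
        // Allow only plain extensions so user input cannot inject regex syntax.
        if (!Regex.IsMatch(ext, @"\A[A-Za-z0-9]+\z"))
            throw new ArgumentException("Extension must be alphanumeric.", "extension");
        return @".*\." + ext + "(/.*)?";
    }

    // Call at runtime, e.g. ExtensionBlockList.Block(RouteTable.Routes, "php");
    public static void Block(RouteCollection routes, string extension)
    {
        string pattern = BuildPattern(extension);   // validates before anything is added
        string key = "blocked_" + extension.TrimStart('.').ToLowerInvariant();
        var route = new BlockedExtensionRoute("{*" + key + "}")
        {
            Constraints = new RouteValueDictionary { { key, pattern } }
        };
        // Take the write lock and insert at index 0 so the route is evaluated
        // before "admin/{controller}/{action}/{uid}/{*pathInfo}".
        using (routes.GetWriteLock())
        {
            routes.Insert(0, route);
        }
    }
}
```

StopRoutingHandler only takes the request out of routing; IIS then handles it like any other unrouted request, so this complements rather than replaces the request-blocking rule in the URL Rewrite answer.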
0

You could block these extensions before it even hits IIS with Microsoft's UrlScan ISAPI Filter.

Mouffette