2

I'm having an issue when I click to edit a user with this URL in an ASP.NET MVC 3 project: http://domain.com:8089/User/EditUser/username.surname?IDUser=e11a621p-df11-4687-9903-8bfc33c922cf

If I get another user without the '.' character, it works fine.

The error:

HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

I tried some tips that I found here, like:

    <system.webServer>
      <modules runAllManagedModulesForAllRequests="true" />
    </system.webServer>

and:

    <system.web>
      <httpRuntime relaxedUrlToFileSystemMapping="true" />
    </system.web>

and this attribute on the edituser action:

   [ValidateInput(false)]

But nothing seems to work. This site is hosted on an IIS server; when it was on Windows Azure WebSite, it was working as expected.

Thanks.

gog
  • Try escaping the dot with `%2E`: `http://domain.com:8089/User/EditUser/username%2Esurname?IDUser=e11a621p-df11-4687-9903-8bfc33c922cf` – D Stanley Aug 21 '14 at 14:49
  • @DStanley it isn't *required*, though; – Marc Gravell Aug 21 '14 at 14:55
  • See http://stackoverflow.com/questions/2831142/asp-net-4-url-limitations-why-url-cannot-contain-any-3f-characters - try setting a `requestPathInvalidCharacters` value on `<httpRuntime>`. Here, we use `""` - but note: you need to be a little careful; I seem to recall this was quite awkward to get working (and keep working) for us, though – Marc Gravell Aug 21 '14 at 14:57
  • @MarcGravell Maybe not (was just a guess) but it may prevent the runtime from trying to interpret it as a file extension or some other meaning. – D Stanley Aug 21 '14 at 14:59
  • @DStanley it can be done, though - [for example here](http://stackoverflow.com/tags/asp.net/info), which is MVC in IIS. – Marc Gravell Aug 21 '14 at 15:01
  • @MarcGravell Thanks for your response. I have another question: if I deploy the same website with the same web.config to Windows Azure WebSites it works normally, do you know why? – gog Aug 21 '14 at 16:38
  • @ggui because azure has different default configs :) not very helpful, I guess... – Marc Gravell Aug 21 '14 at 17:14
  • Related post [here](https://stackoverflow.com/q/20998816/465053) and [here](https://stackoverflow.com/q/2087246/465053) – RBT Oct 19 '17 at 02:08

2 Answers

3

If you know for a fact that the edit page is the only page where you use the firstname.lastname url part, you can use the method described in this SO answer:

Prevent static file handler from intercepting filename-like URL

Specifically, in your case, adding the following web.config section should route the request to MVC:

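<system.webServer>
  ...
  <handlers>
    ...
    <!-- Send everything under User/EditUser/ to the managed pipeline, dots included -->
    <add
      name="userEditPage"
      path="User/EditUser/*"
      verb="GET"
      type="System.Web.Handlers.TransferRequestHandler"
      preCondition="integratedMode,runtimeVersionv4.0" />
  </handlers>
</system.webServer>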

This will not be sufficient if you use the firstname.lastname in URLs outside of the User/EditUser/... path, and is not a general solution. That would be much more complicated because you would need to tell IIS something like the following:

1) If the file exists, serve it (so that your .js files still serve properly).

2) Before any of the other handlers execute for the file extension, run the MVC handler and see if there is a route matching the URL. Because what if you have a user of last name html?

3) If the MVC handler does not match any routes for the URL, let the other handlers run. Because what if you also had an .aspx page in your project?

Lastly, for the general case, you may want to consider the edge case of someone malicious creating a user with first name ../../web and lastname config? Just a thought, but it seems like the best you can hope for is restricting the use of the . in the URL to specific paths.

welegan
  • Thanks for your response. I have another question: if I deploy the same website with the same web.config to Windows Azure WebSites it works normally, do you know why? – gog Aug 21 '14 at 16:38
  • No idea, but it seems clear that it has to do with file extension mappings. Perhaps there are resources out there that go into detail about Azure's default handler mappings? – welegan Aug 21 '14 at 17:58
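
The answer above ends on the risk of a user name such as ../../web plus config reaching a URL that IIS may treat as a file path. As an added example (not code from the answer or the asker's project), one way to restrict what the dotted segment may contain is a route constraint combined with the same check at account creation. The route name, the `{userName}` parameter, the 64-character limit and the user name policy are assumptions.

```csharp
using System.Text.RegularExpressions;
using System.Web.Mvc;
using System.Web.Routing;

public static class UserRoutes
{
    // Assumed policy: alphanumeric labels joined by single dots, such as
    // "username.surname". A leading or trailing dot, "..", slashes,
    // backslashes and percent signs can never match.
    public const string UserNamePattern = @"[A-Za-z0-9]+(\.[A-Za-z0-9]+)*";

    // \A and \z anchor the whole string, so a trailing newline is rejected too.
    private static readonly Regex UserNameRegex =
        new Regex(@"\A(?:" + UserNamePattern + @")\z", RegexOptions.CultureInvariant);

    // Call this when an account is created or renamed, so that a name like
    // "../../web.config" is refused before it can ever appear in a URL.
    public static bool IsValidUserName(string value)
    {
        return value != null
            && value.Length <= 64   // assumed upper bound
            && UserNameRegex.IsMatch(value);
    }

    // Register before the default {controller}/{action}/{id} route.
    // MVC anchors a string constraint itself (as ^(...)$), so a segment
    // that fails the pattern does not match this route at all.
    public static void Register(RouteCollection routes)
    {
        routes.MapRoute(
            "EditUser",                                         // hypothetical route name
            "User/EditUser/{userName}",                         // hypothetical parameter name
            new { controller = "User", action = "EditUser" },
            new { userName = UserNamePattern });
    }
}
```

The constraint only runs once the request has reached MVC, so it complements the handler mapping from the answer rather than replacing it.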
0

After some headache, I published it to Azure WebSites again and it works normally, with the same web.config file that I was using in my local environment. So the solution must be on the IIS; then, after no more tries, I changed the Application Pool to Default App Pool and guess what, it worked.

gog