
I have implemented search functionality to look for data with a (part of a) code as search criteria, which includes a . (dot) in the value, so it should be possible to include that in the search criteria.

Consider the URL:

myhost/api/search/88.

Out of the box, without doing anything extra, that will result in a 404 error, while, not surprisingly, the URL works fine if I remove the dot.

I found this as a possible answer on StackOverflow:

<system.web>
     <httpRuntime relaxedUrlToFileSystemMapping="true" />
</system.web>

Question

This does the trick, but I am not sure if this is the best solution. I mean, having a relaxed url mechanism is fine if it's otherwise harmless, but I wouldn't want to have trouble with other chars that would cause more damage than the dot I want now. Maybe I'm opening the door to hell just for this fix...

Can I trust this solution or is there a safer alternative?


1 Answer


If the value being passed into the URL is a search term that can be entered by the user, I wouldn't configure my routing system to handle these values because they are unpredictable.

You should encode the string and pass it through the query string or post it and bind it to an object in WebAPI.

In terms of opening the door to hell, I think that you should consider the points raised in this question. If you have to set something like relaxedUrlToFileSystemMapping, which is something that appears to relax some of the default security systems of ASP.NET MVC, I'd tend to lean towards a solution that doesn't rely on a change like this.

  • Luckily, a user tampering with URLs isn't an issue because they can't; it runs in a WPF browser (it's not a public site). Still, I'll look into encoding! – Spikee Oct 27 '15 at 08:47
  • It's a fair point, but anyone can make a dodgy HTTP request to an end point. I'm still looking at other things online to see if I can add a bit more to this. :) – Luke Oct 27 '15 at 08:57
  • The Web API will implement authentication and be idiot-proofed, so I'd personally give that low priority. Thanks for the info though! – Spikee Oct 27 '15 at 10:05
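As an added example of the approach the answer recommends (this is not code from the question or the answer), here is an ASP.NET Web API 2 controller that takes the search term from the query string (GET /api/search?code=88.) or from a JSON body (POST /api/search), so a value like "88." never has to sit in the route path and web.config can keep relaxedUrlToFileSystemMapping at its default. The controller name, the SearchRequest model, the in-memory catalogue and the character whitelist are assumptions for illustration; attribute routing is assumed to be enabled with config.MapHttpAttributeRoutes() in the Web API configuration.

```csharp
// Added example, not from the question or answer above. Names such as
// SearchController, SearchRequest and the catalogue contents are assumed.
using System;
using System.Linq;
using System.Web.Http;

// Body model for the POST variant: {"code":"88."}
public class SearchRequest
{
    public string Code { get; set; }
}

[RoutePrefix("api/search")]
public class SearchController : ApiController
{
    // Constructed sample data standing in for the real data store.
    private static readonly string[] Catalogue = { "88.1", "88.10", "88.2", "91.5" };

    // GET api/search?code=88.
    // The framework percent-decodes the query string value before binding,
    // so "88." arrives intact and no route or file-system mapping is involved.
    [HttpGet, Route("")]
    public IHttpActionResult Get([FromUri] string code)
    {
        return Find(code);
    }

    // POST api/search with a JSON body; the model binder fills SearchRequest.
    [HttpPost, Route("")]
    public IHttpActionResult Post([FromBody] SearchRequest request)
    {
        if (request == null)
        {
            return BadRequest("Missing request body");
        }
        return Find(request.Code);
    }

    private IHttpActionResult Find(string code)
    {
        // Validate the term instead of trusting the caller (anyone who can
        // reach the endpoint can send an arbitrary request, authenticated
        // WPF host or not): bound the length and restrict the characters to
        // what a code can legitimately contain (assumed: letters, digits, dot).
        if (string.IsNullOrEmpty(code)
            || code.Length > 32
            || !code.All(ch => char.IsLetterOrDigit(ch) || ch == '.'))
        {
            return BadRequest("Invalid search code");
        }

        // Prefix match on the (partial) code; ordinal comparison avoids
        // culture-dependent surprises.
        var hits = Catalogue
            .Where(c => c.StartsWith(code, StringComparison.Ordinal))
            .ToList();
        return Ok(hits);
    }
}

// Client side (the WPF host in the question): encode the term so that
// characters with a meaning in a URL (?, &, #, +, %) cannot break the
// query string or be mistaken for a second parameter.
public static class SearchClient
{
    public static string BuildSearchUrl(string host, string code)
    {
        return "http://" + host + "/api/search?code=" + Uri.EscapeDataString(code);
    }
}
```

With this layout the only thing that changes between "88" and "88." is the value of the code parameter; the route itself stays a fixed path, so there is nothing for the URL-to-file-system mapping to reject and no reason to relax it.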