
I have this path that I need to handle:

http://mpdev.website.com/Account/ExternalLogOn?LogonTicket=c3792319c8711a0dd465bbd6f6b31ea913b42db7&PID=1137565&ReturnUrl=/Home/CompReq?EC=151120TXAM

The ExternalLogon action in the Account Controller automatically logs the user in based on a check between the LogonTicket and the PID. Then it is supposed to redirect to the ReturnUrl.

How would I fix the /Home/CompReq route to handle the EC parameter, and how would I modify the Action in the Home Controller?

I have only one route in my RouteConfig:

public static void RegisterRoutes(RouteCollection routes)
{
    routes.IgnoreRoute("{resource}.axd/{*pathInfo}");

    routes.MapRoute(
        name: "Default",
        url: "{controller}/{action}/{id}",
        defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional }
    );
}

This link works perfectly but I know I don't have any params on it.

http://mpdev.website.com/Account/ExternalLogOn?LogonTicket=c3792319c8711a0dd465bbd6f6b31ea913b42db7&PID=1137565&ReturnUrl=/Home/MyInfo

Home Controller Action definition is like this:

public ActionResult CompReq(string eventcode)

ExternalLogon definition:

ExternalLogOn(string LogonTicket, int? PID, string User, string EC, String State, string ReturnUrl)
MB34
  • What does your ReturnUrl parameter of the ExternalLogon action contain when you pass the path with the 'EC' part? – Nicolas Boisvert Oct 27 '15 at 20:50
  • Not getting what you are asking – MB34 Oct 27 '15 at 20:50
  • Your action called 'ExternalLogon' probably has 3 input parameters: LogonTicket, PID and ReturnUrl, right? What does ReturnUrl contain when you call it with your problematic path? – Nicolas Boisvert Oct 27 '15 at 20:52
  • It contains what is supposed to be in there `/Home/CompReq?EC=151120TXAM` but then I get an exception: `A potentially dangerous Request.Path value was detected from the client (?).` – MB34 Oct 27 '15 at 20:55
  • Well, two solutions for you: either you try this http://stackoverflow.com/questions/14475913/url-routing-image-handler-a-potentially-dangerous-request-path-value or you could store in your database, next to your LogonTicket, the returnUrl value – Nicolas Boisvert Oct 27 '15 at 20:57
  • Nothing stored in DB. I updated with ExternalLogon definition. – MB34 Oct 27 '15 at 21:00
  • Trying to set the requestPathInvalidChars in Web.config won't work as `<` is an invalid char in XML. – MB34 Oct 27 '15 at 21:07
  • Was able to set `requestPathInvalidCharacters="<,>,&,*,%,:,;,\,?,%"` but still got same exception as above. – MB34 Oct 27 '15 at 21:14

1 Answer

The ReturnUrl value should be URL-encoded:

http://mpdev.website.com/Account/ExternalLogOn?LogonTicket=c3792319c8711a0dd465bbd6f6b31ea913b42db7&PID=1137565&ReturnUrl=%2FHome%2FCompReq%3FEC%3D151120TXAM

The CompReq action should have the same function parameter name as the query parameter name:

public ActionResult CompReq(string EC)

The ExternalLogon action should have proper parameters:

ExternalLogOn(string LogonTicket, int? PID, string ReturnUrl)

In ExternalLogOn you do a redirect to the ReturnUrl param:

return Redirect(ReturnUrl); 
longchiwen
  • You should have only one "?" char in the URL. That's why you should encode the query parameter's value (if you use UrlHelper methods to create the URL, MVC already handles that for you) – longchiwen Oct 27 '15 at 21:29
  • Even URL-encoding the ? will cause the same exception. I have fixed it by moving the parameter into the first part of the URL. See the EC parameter in the ExternalLogon definition? – MB34 Oct 27 '15 at 21:51
  • Just encoding '?' is not enough. You have to encode the entire query parameter value: /Home/CompReq?EC=151120TXAM. If you open the first URL in my answer, do you still get the "potentially dangerous value" exception? – longchiwen Oct 27 '15 at 22:01
  • As I stated, I've moved on; no more issue now that I moved the EC parameter outside the ReturnUrl. – MB34 Oct 27 '15 at 22:05
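
The flow described in the answer above, as an added example that is not code from the question or the answer: the return URL is encoded as one query-string value when the link is built, and the logon action only follows it when it is a local path. The helper `BuildLogOnLink`, the fallback to Home/Index and the `Url.IsLocalUrl` check are assumptions added here; the LogonTicket/PID check is not shown on the page and is left as a comment.

```csharp
using System;
using System.Web.Mvc;

public class AccountController : Controller
{
    // Hypothetical helper: builds the logon link with the whole return URL
    // encoded as a single value, so its own '?', '=' and '&' are not read
    // as part of the outer query string.
    public static string BuildLogOnLink(string ticket, int pid, string returnUrl)
    {
        return "/Account/ExternalLogOn"
            + "?LogonTicket=" + Uri.EscapeDataString(ticket)
            + "&PID=" + pid
            + "&ReturnUrl=" + Uri.EscapeDataString(returnUrl);
    }

    public ActionResult ExternalLogOn(string LogonTicket, int? PID, string ReturnUrl)
    {
        // The application's existing LogonTicket/PID check and sign-in run
        // here (not shown on the page).

        // Model binding has already decoded ReturnUrl, e.g. to
        // "/Home/CompReq?EC=151120TXAM". Redirect only to paths on this
        // site; absolute URLs, "//host" forms and empty values are refused,
        // so the logon link cannot be used to send a signed-in user elsewhere.
        if (Url.IsLocalUrl(ReturnUrl))
        {
            return Redirect(ReturnUrl);
        }

        // Assumed fallback when ReturnUrl is missing or not local.
        return RedirectToAction("Index", "Home");
    }
}

public class HomeController : Controller
{
    // The parameter name matches the query key "EC", so the default route
    // "{controller}/{action}/{id}" needs no change: query-string values are
    // bound to action parameters by name.
    public ActionResult CompReq(string EC)
    {
        ViewBag.EventCode = EC;
        return View();
    }
}
```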