0

I have an ASP.NET MVC application hosted on a web server with the URL http://10.26.14.99/projectA (environment1), and the same application is hosted on another web server with the URL https://projectA.test.com (environment2).

Now, for environment1, when I enter http://10.26.14.99/projectA/../../../../test, it shows the URL as http://10.26.14.99/test with a 404 "File or Folder not found" error. For environment2, when I enter https://projectA.test.com/../../../../test, it shows the URL as https://projectA.test.com/test and takes me to the login page, which is expected.

Can anyone please tell me what needs to be done in environment1 to get the same expected result as in environment2?

Ashley Medway
  • Please clarify what you mean when you say "when I enter [the URL]". In the browser? In a view? Where are you entering it? – NightOwl888 Oct 17 '17 at 16:25

2 Answers

0

In ASP.NET MVC you can give paths using the ~ (tilde) to mean the application route.

So you might have, for example, in your Razor .cshtml file:

<a href="~/test">test link</a>

Your issue is that when you are testing locally you are using a virtual application. So too many .. is taking you outside the path of your application.

See here for how ~ works in a MVC application.


Alternatively, if you are happy with your URL paths then you need to change the way your site is hosted to not serve from a virtual application. However, then you would only be able to host one app per IP Address.

Ashley Medway
  • This is a kind of application security check for a directory traversal attack. I am using "~" or @Html.Content() for any relative path, but in case the user types the URL as "10.26.14.99/projectA/../../../../test", I want it to redirect either to the custom error page or to the login page. In the current scenario I am getting the 404 error. – Navin Ranjan Oct 18 '17 at 06:13
  • Yeah so in the instance where you go outside of projectA site, you need to be doing something in the default IIS site. – Ashley Medway Oct 18 '17 at 06:16
  • That's what I am trying to find out, if there is some setting or flag at the IIS level that will solve this issue, but I didn't get anything. Please let me know if you have anything. – Navin Ranjan Oct 18 '17 at 07:00
  • You could set 404 error handling in the web.config to redirect but you wouldn’t know which application it came from. Probably the best thing to do would be to put an index.html in the default site which says whatever message you want to display – Ashley Medway Oct 18 '17 at 07:19
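
Why the two environments behave differently, as an added example (not code from the question or from either answer): the client's URL parser removes the `..` segments before the request is sent, so the server only ever sees `/test`, and what matters is whether that path still falls under the application's mount point. The function names and the two mount points (`/projectA` as a virtual application, `/` for the host-named site) are assumptions drawn from the question.

```javascript
// Added illustration; function and variable names are hypothetical.
// Uses the WHATWG URL parser built into browsers and Node.js, which removes
// "." and ".." path segments before a request is sent.

// Returns the path the client actually requests after dot-segment removal.
function normalizedPath(typedUrl) {
  return new URL(typedUrl).pathname;
}

// True when `path` is inside the application mounted at `appRoot`.
// IIS matches paths case-insensitively, so compare in lower case.
function isInsideApp(path, appRoot) {
  const p = path.toLowerCase();
  const root = appRoot.toLowerCase().replace(/\/+$/, ""); // "/" becomes ""
  return root === "" || p === root || p.startsWith(root + "/");
}

// Describes which part of the server ends up handling a typed URL.
function whoHandles(typedUrl, appRoot) {
  const path = normalizedPath(typedUrl);
  return {
    requestedPath: path,
    handledBy: isInsideApp(path, appRoot) ? "application" : "parent site",
  };
}

// The two URLs from the question. The mount points are assumptions:
// a virtual application at /projectA, and an application at the site root.
const environments = [
  { url: "http://10.26.14.99/projectA/../../../../test", appRoot: "/projectA" },
  { url: "https://projectA.test.com/../../../../test", appRoot: "/" },
];

for (const env of environments) {
  const r = whoHandles(env.url, env.appRoot);
  console.log(`${env.url}\n  -> ${r.requestedPath} handled by ${r.handledBy}`);
}
```

In environment1 the request for `/test` never reaches the MVC application, so any friendly error page for it has to be configured on the parent site rather than inside projectA.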
0

Don't use relative URLs in ASP.NET MVC. They will break, because pages can be accessed from different URLs due to default URL mapping. For instance, http://example.com/, http://example.com/Home, and http://example.com/Home/Index can all point to the same page, and since images and other assets are accessed from the URL, you would somehow need an asset to be able to be accessed from all three.

It's better to use site-relative URLs, using the tilde (~) as mentioned by Ashley. In more recent versions of MVC (using Razor version 3 or greater) these URLs are supported directly in href and src attributes, but in some cases you may have to use the @Html.Content() helpers.

The only exception to this is URLs that are in CSS. It's OK to use relative URLs in CSS because CSS URLs are relative to the CSS file's location, so that works just fine.

Erik Funkenbusch
  • This is a kind of application security check for a directory traversal attack. I am using "~" or @Html.Content() for any relative path, but in case the user types the URL as "http://10.26.14.99/projectA/../../../../test", I want it to redirect either to the custom error page or to the login page. In the current scenario I am getting the 404 error. – Navin Ranjan Oct 18 '17 at 06:13
  • 404 is the correct response. Web servers should act like such URLs don't exist. – Erik Funkenbusch Oct 18 '17 at 20:36
  • Yes, as per the server response, 404 is correct. But I want to handle this scenario to show some user-friendly message. How can I do that? – Navin Ranjan Oct 20 '17 at 06:21