254

I am receiving the rather self-explanatory error:

A potentially dangerous Request.Path value was detected from the client (*).

The issue is due to * in the request URL:

https://stackoverflow.com/Search/test*/0/1/10/1

This URL is used to populate a search page where 'test*' is the search term and the rest of the URL relates to various other filters.

Is there an easy way to allow these special characters in the URL? I've tried modifying the web.config, to no avail.

Should I manually encode / decode the special characters? Or is there a best practice for doing this? I would like to avoid using query strings, but it may be an option.

The application itself is a C# ASP.NET WebForms application that uses routing to produce the nice URL above.

Sam Denty
  • 1
    Does your page have `ValidateRequest=false` at the top? – Neil Knight May 11 '11 at 15:53
  • I don't know for what reason the website was internally trying a redirection which was creating a URL like 'http://localhost/://localhost/myWebsiteName/' which was giving me the same error. I don't know why ASP.net pipeline considers it a dangerous request URL. – RBT Sep 28 '16 at 08:19

9 Answers

348

If you're using .NET 4.0 you should be able to allow these URLs via the web.config:

<system.web>
    <httpRuntime 
            requestPathInvalidCharacters="&lt;,&gt;,%,&amp;,:,\,?" />
</system.web>

Note, I've just removed the asterisk (*), the original default string is:

<httpRuntime 
          requestPathInvalidCharacters="&lt;,&gt;,*,%,&amp;,:,\,?" />

See this question for more details.

ΩmegaMan
Dave Transom
  • 6
    Any way to do this using an mvc attribute on an action so I don't have to turn this off for the entire app? Similar to this answer here: http://stackoverflow.com/a/1540976/298758 – longda May 30 '13 at 23:01
  • 6
    @longda: Perhaps try wrapping it with a element for the url you need. Using reflection would be reasonably simple from a global perspective, but I'm not sure about setting it on a per controller/action basis. Maybe start a question? – Dave Transom May 31 '13 at 04:20
  • It's just not working on ASP.net MVC project, receiving run process to determine layout in viewStart got this error: Illegal character in path. – QMaster Apr 20 '18 at 13:18
  • the default list etc. is described here: https://learn.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.requestpathinvalidcharacters?view=netframework-4.8 – rominator007 May 31 '22 at 13:58
107

The * character is not allowed in the path of the URL, but there is no problem using it in the query string:

http://localhost:3286/Search/?q=test*

It's not an encoding issue; the * character has no special meaning in a URL, so it doesn't matter if you URL encode it or not. You would need to encode it using a different scheme, and then decode it.

For example using an arbitrary character as escape character:

query = query.Replace("x", "xxx").Replace("y", "xxy").Replace("*", "xyy");

And decoding:

query = query.Replace("xyy", "*").Replace("xxy", "y").Replace("xxx", "x");
Guffa
  • 17
    The "xxx" "xxy" "xyy" game is pretty clever. You might want to elaborate on the logic behind that so as not to confuse readers. – SimpleVar Aug 28 '14 at 15:51
  • 3
    The request was to use it in the `PATH` and not in the querystring. – Hugo Delsing Mar 16 '15 at 15:32
  • I ran into the same scenario where one of my parameters was a URL. Even when properly URL encoded, I would get this error. I finally just base64 encoded the parameter (and decode in my api) which was much easier than trying to figure out what was going on. Probably a better choice than implementing your own replace routine as well. – SpokaneDJ Sep 16 '16 at 16:11
  • 2
    Can't you use `aa` <=> `a` and `ab` <=> `*` as a simpler encoding scheme? – Jesus is Lord Apr 19 '18 at 14:36
  • 1
    For now this saved me, thanks. But in proper time I want to check this advice: https://stackoverflow.com/a/603962/1830909 and I'll be glad to hear your thoughts. – QMaster Apr 20 '18 at 15:13
  • Why not use some [Private Use Area](https://en.wikipedia.org/wiki/Private_Use_Areas) characters? A lot safer... – Mikael Dúi Bolinder Feb 19 '19 at 10:51
13

I am working on .NET 4.5.2 with Web API 2.0 and had the same error. I fixed it just by adding requestPathInvalidCharacters="". In requestPathInvalidCharacters you have to set the characters that are not allowed, or else remove the characters that cause this problem.

<system.web>
    <httpRuntime targetFramework="4.5.2" requestPathInvalidCharacters="" />
    <pages>
        <namespaces>
            ....
        </namespaces>
    </pages>
</system.web>

Note that it is not a good practice; maybe a post with this parameter as an attribute of an object is better, or try to encode the special character. After searching for best practices for designing REST APIs, I found that for search, sort and pagination, we have to handle the query parameter like this:

/companies?search=Digital%26Mckinsey

This solves the problem when we encode & and replace it in the URL with %26. Anyway, on the server we receive the correct parameter Digital&Mckinsey.

This link may help with best practices for designing REST web APIs: https://hackernoon.com/restful-api-designing-guidelines-the-best-practices-60e1d954e7c9

MNF
9

You should encode the route value and then (if required) decode the value before searching.

Tejs
  • Thanks for your response. Do you mean effectively doing a replace on items such as * and then replacing them back when you are reading it? –  May 11 '11 at 16:04
  • Can you show a code example of encoding and decoding the values? – Ciaran Gallagher Sep 28 '18 at 11:14
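
One way to encode and decode the route value as this answer suggests, using the base64 approach mentioned in a comment on an earlier answer (an added example, not code from any poster on this page). `RouteSegmentCodec` and its members are hypothetical names; the URL-safe base64 alphabet is used because standard base64 can emit `/`, which would split the route segment.

```csharp
using System;
using System.Text;

// Added example; RouteSegmentCodec and its members are hypothetical names.
public static class RouteSegmentCodec
{
    // Standard base64 can emit '/', '+' and '='. A '/' would split the route
    // segment, so use the URL-safe alphabet (RFC 4648, section 5), unpadded.
    public static string Encode(string term)
    {
        if (term == null) throw new ArgumentNullException("term");
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(term))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // The segment is client-controlled: return false on malformed input
    // instead of letting an exception surface as a server error.
    public static bool TryDecode(string segment, out string term)
    {
        term = null;
        if (string.IsNullOrEmpty(segment) || segment.Length % 4 == 1) return false;
        foreach (char c in segment)
        {
            bool allowed = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                || (c >= '0' && c <= '9') || c == '-' || c == '_';
            if (!allowed) return false;
        }
        string b64 = segment.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        try
        {
            // Strict UTF-8 decoder: invalid bytes throw instead of being replaced.
            term = new UTF8Encoding(false, true).GetString(Convert.FromBase64String(b64));
            return true;
        }
        catch (FormatException) { return false; }
        catch (ArgumentException) { return false; } // DecoderFallbackException
    }

    public static void Main()
    {
        string segment = Encode("test*"); // search term from the question
        Console.WriteLine("/Search/" + segment + "/0/1/10/1");

        string term;
        // The decoded term skipped request-path validation, so treat it as
        // untrusted: parameterize queries and HTML-encode it on output.
        Console.WriteLine(TryDecode(segment, out term) ? term : "(rejected)");
        Console.WriteLine(TryDecode("test*", out term)); // raw '*' is rejected
    }
}
```

This keeps the default `requestPathInvalidCharacters` list in place, since the encoded segment contains only letters, digits, `-` and `_`.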
2

For me, when typing the URL, a user accidentally used a / instead of a ? to start the query parameters.

e.g.:

url.com/endpoint/parameter=SomeValue&otherparameter=Another+value

which should have been:

url.com/endpoint?parameter=SomeValue&otherparameter=Another+value

trykyn
0

This exception occurred in my application and was rather misleading.

It was thrown when I was calling an .aspx page Web Method using an ajax method call, passing a JSON array object. The Web Page method signature contained an array of a strongly-typed .NET object, OrderDetails. The Actual_Qty property was defined as an int, and the JSON object Actual_Qty property contained "4 " (extra space character). After removing the extra space, the conversion was made possible, the Web Page method was successfully reached by the ajax call.

Bertha
0

When dealing with Uniform Resource Locators (URLs) there are certain syntax standards; in this particular situation we are dealing with Reserved Characters.

According to RFC 3986, Reserved Characters may (or may not) be defined as delimiters by the generic syntax, by each scheme-specific syntax, or by the implementation-specific syntax of a URI's dereferencing algorithm; and the asterisk (*) is a Reserved Character.

The best practice is to use Unreserved Characters in URLs, or you can try encoding it.

Keep digging :

Community
Roshana Pitigala
  • 3
    This error also occurs if the reserved character in the URL is percent-encoded, e.g., `%25` instead of `%`, so IIS may return this error for a perfectly valid URL. – Florian Winter Apr 25 '19 at 11:56
0

Try to set the web project's server property to Local IIS if it is IIS Express. Be sure the project URL is right and create the virtual directory.

Burk
-1

I had a similar issue in Azure Data Factory with the : character.

I resolved the problem by substituting : with %3A

as shown here.

For example, I substituted

date1=2020-01-25T00:00:00.000Z

with

date1=2020-01-25T00%3A00%3A00.000Z
jeppoo1