Why does IIS Express consider this URL has a double escape sequence?

Question

http://localhost:8084/views/mask17/Part/MOTOR.SUB_MOTOR.112/Cl.1%20DIV.2%20Gr.%20C%2BD

The last part of the path is unencoded

Cl.1 DIV.2 Gr. C+D

Background: SPA frontend and .NET Core WebAPI backend.

One controller has this declaration

    [HttpGet]
    [Route("/views/maske17/Part/{NodeId}/{DataId}")]
    public virtual IActionResult InfoGet([FromRoute][Required] string NodeId, [FromRoute]string DataId)

Error

Calling the above URL causes

HTTP Error 404.11 - Not Found
The request filtering module is configured to deny a request that contains a double escape sequence.

If I remove the encoding for the + between C and D the error does not happen

Questions

Why does IIS Express consider this URL has a double escape sequence?
Which part of the encoded path is the "double escape sequence"?

Did my answer below answer your question? – Thomas Barnekow Mar 23 '20 at 08:49 — Thomas Barnekow, Mar 23 '20 at 08:49

score 1 · Answer 1 · answered Mar 20 '20 at 17:12

1

In your case, the + is the culprit. You provide a %2B, which is decoded twice, i.e., via the + character into a space character.

Have a look at this question and this GitHub issue for further details.

answered Mar 20 '20 at 17:12

Thomas Barnekow

2,059
1
12
21

Why does IIS Express consider this URL has a double escape sequence?

1 Answers1