Allow colon (:) in URL for ASP.NET Core in IIS/Azure

2
votes

I've got an ASP.NET Core app that I'm deploying to Azure that takes in a string in the URL that contains colon (a time stamp).

For example: http://localhost:5000/Servers/208.100.45.135/28000/2017-03-15T07:03:43+00:00, or http://localhost:5000/Servers/208.100.45.135/28000/2017-03-15T07%3a03%3a43%2B00%3a00 URL-encoded.

This works perfectly fine when running locally using Kestrel (dotnet run), but after deploying to Azure I receive this error: The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

A quick search reveals that it's due to invalid characters being used in the URL, namely the colon. The traditional fix is to add this section to web.config:

 <system.web>
     <httpRuntime requestPathInvalidCharacters="" />
 </system.web>

However, after adding this to my web.config on Azure, I observe no change. I imagine this is due to differences in ASP.NET Core's hosting model.

Here is my current web.config:

<configuration>
    <system.web>
        <httpRuntime requestPathInvalidCharacters=""/>
        <pages validateRequest="false" />
    </system.web>
    <system.webServer>
        <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
        </handlers>
        <aspNetCore processPath="dotnet" arguments=".\Server.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="false" />
    </system.webServer>
</configuration>

And the relevant controller header...

[HttpGet]
[Route("{serverIpAddress}/{serverPort}/{approxMatchStartTimeStr}")]
public IActionResult GetMatchEvents(string serverIpAddress, string serverPort, DateTimeOffset approxMatchStartTimeStr)
{
    ...
}

How can I get IIS/Azure to allow the colon character in URLs?

1
asp.netazureiisasp.net-core
That's a colon, not a comma, and it's technically invalid in the path portion of a URL per RFC 3986. They should be URL-encoded (%3A), which should stop that warning from appearing, and they should be automatically decoded when you read in the query string parameters in your application.Adrian
D'oh, total brainfart on 'comma' vs 'colon'. Unfortunately, trying a URL that has URL encoded colon characters results in the same error. Tested with /Servers/208.100.45.135/28000/2017-03-15T07%3a03%3a43%2B00%3a00.Hayden McAfee

1 Answers

4
votes

The issue you're running into isn't related to the colon (:) in the path, it's really the plus (+) that IIS doesn't like. It doesn't matter if the plus is encoded as "+" or "%2B". You have two options:

  1. Move the plus/DateTimeOffset from the path to the query string where IIS doesn't mind it.
  2. Configure the IIS request filtering module to "allowDoubleEscaping".

Example web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.webServer>
        <security>
            <requestFiltering allowDoubleEscaping="true" />
        </security>
        <handlers>
            <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
        </handlers>
        <aspNetCore processPath="dotnet" arguments=".\Server.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="false" />
    </system.webServer>
</configuration>

The system.web section of your current web.config isn't relevant to ASP.NET Core.