2
votes

I am at a complete loss for why I am getting this error. The typical cause of this error has to do with trying to submit HTML markup into a text string or something similar but I'm not doing anything like that. The page I think this is happening on takes in a simple email address.

Here is my model with validation...

public class Subscriber
{
    [Key]
    [DisplayName("Email Address")]
    [Required(ErrorMessage = "{0} is required")]
    [RegularExpression(@"^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})$", ErrorMessage = "{0} must be a valid email address")]
    public string EmailAddress { get; set; }

    public Guid UnsubscribeKey { get; set; }
}

Here are my script references because the error seems to be in the Scripts directory...

<script src="@Url.Content("~/Scripts/jquery-1.5.2.min.js")" type="text/javascript"></script>

<script src="@Url.Content("~/Scripts/jquery.validate.min.js")" type="text/javascript"></script>
<script src="@Url.Content("~/Scripts/jquery.validate.unobtrusive.min.js")" type="text/javascript"></script>
<script src="@Url.Content("~/Scripts/jquery.unobtrusive-ajax.min.js")" type="text/javascript"></script>

<script src="@Url.Content("~/Scripts/modernizr-1.7.min.js")" type="text/javascript"></script>

My best guess is that someone is maliciously entering some invalid script into the email address, but I'm not seeing any errors in Elmah or CodeSmith Insight that point to any of my code. I can't even figure out where exactly this is happening.

And here are the errors...

A potentially dangerous Request.Path value was detected from the client (:). (/NewsList/Scripts/,data:c,complete:function(a,b,c){c=a.responseText,a.isResolved()&&(a.done(function(a){c=a}),i.html(g)

System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (:). at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication+PipelineStepManager.ValidateHelper(HttpContext context)

Illegal characters in path.

System.ArgumentException: Illegal characters in path. at System.IO.Path.CheckInvalidPathChars(String path) at System.Security.Permissions.FileIOPermission.HasIllegalCharacters(String[] str) at System.Security.Permissions.FileIOPermission.AddPathList(FileIOPermissionAccess access, AccessControlActions control, String[] pathListOrig, Boolean checkForDuplicates, Boolean needFullPath, Boolean copyPathList) at System.Security.Permissions.FileIOPermission..ctor(FileIOPermissionAccess access, String path) at System.Web.InternalSecurityPermissions.PathDiscovery(String path) at System.Web.HttpRequest.get_PhysicalPath() at WebsitePanel.IIsModules.SecureFolders.context_OnEnter(Object sender, EventArgs e) at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

at System.IO.Path.CheckInvalidPathChars(String path) at System.Security.Permissions.FileIOPermission.HasIllegalCharacters(String[] str) at System.Security.Permissions.FileIOPermission.AddPathList(FileIOPermissionAccess access, AccessControlActions control, String[] pathListOrig, Boolean checkForDuplicates, Boolean needFullPath, Boolean copyPathList) at System.Security.Permissions.FileIOPermission..ctor(FileIOPermissionAccess access, String path) at System.Web.InternalSecurityPermissions.PathDiscovery(String path) at System.Web.HttpRequest.get_PhysicalPath() at WebsitePanel.IIsModules.SecureFolders.context_OnEnter(Object sender, EventArgs e) at System.Web.HttpApplication+SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

UPDATE - POSSIBLY RESOLVED

After racking my brain more on this I saw "WebsitePanel.IIsModules.SecureFolders" in the stack trace and that jarred my memory. I remember seeing something about secure folders on my hosting provider. This feature is buried in their control panel, which would make sense based on the method. I emailed them and asked them to disable the module. It hasn't occurred for a few days so I suspect that was it.

3
That regular expression for validating emails is incorrect. To mention just one flaw, it doesn't accept + in the first part of the email address. - icktoofay

@icktoofay Do you have an example that would be an invalid email address but my current logic would say is valid? - oliwa

I was actually saying it was rejecting valid email addresses (like example+test@gmail.com), but your regular expression accepts aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@a.com, yet it's an invalid email address. The specific problem there (local part longer than 64 characters) is easy to fix in the regular expression, but the recommended option is to use an email parser that follows the RFC rather than using a regular expression, as that's not the only problem. - icktoofay

You may be correct that there is a validation hole in my regular expression and as far as I have read simply making the data type EmailAddress as suggested by @binobita will not wire up validation for me. That datatype only has a benefit with HTML5 compatible browsers. I appreciate the help so far and I think you both make valid points but neither one will fix the exceptions that I'm getting on the server. - oliwa

I don't think this is server side. I've been getting similar errors, and I run php. The javascript is from jQuery, see their source. I have no clue why this happens yet, but maybe we can find something that our servers/websites have in common? (Also see this question with the same problem.) - Lode
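The comments above claim that the question's pattern both rejects valid addresses and accepts invalid ones. The following added example (not code from the thread) runs that exact pattern over a small constructed case list and reports every disagreement; the `valid` labels are this example's own, based on RFC 5321 (plus sign allowed in the local part, local part at most 64 octets, address literals need both brackets).

```javascript
// Added example, not code from the thread. QUESTION_RE is the pattern from
// the question's [RegularExpression] attribute, copied unchanged.
const QUESTION_RE = /^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})$/;

// Constructed test cases. `valid` is the expected answer, not the regex's.
const CASES = [
  { email: 'user@example.com',        valid: true  }, // control
  { email: 'example+test@gmail.com',  valid: true  }, // "+" in local part
  { email: 'a'.repeat(65) + '@a.com', valid: false }, // local part > 64
  { email: 'user@example.museum',     valid: true  }, // TLD longer than 4
  { email: 'user@[192.168.0.1]',      valid: true  }, // bracketed literal
  { email: 'user@[192.168.0.1',       valid: false }, // missing "]"
];

// Run a pattern over the cases and return only the disagreements.
function auditRegex(re, cases) {
  return cases
    .map(({ email, valid }) => ({ email, valid, matched: re.test(email) }))
    .filter((r) => r.matched !== r.valid)
    .map((r) => ({
      email: r.email,
      kind: r.matched ? 'accepts invalid' : 'rejects valid',
    }));
}

const findings = auditRegex(QUESTION_RE, CASES);
for (const f of findings) {
  console.log(f.kind.padEnd(16), f.email);
}
```

Only the control case agrees with the pattern. The last two cases show that the IP-literal branch never matches a closing bracket, so it accepts the malformed form and rejects the well-formed one.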

3 Answers

1
votes

As the exception says, there are illegal characters in the request path; more specifically, the colon character (:) is not OK: "A potentially dangerous Request.Path value was detected from the client (:)."

Your request seems to contain:

"(/NewsList/Scripts/,data:c,complete:function(a,b,c){c=a.responseText,a.isResolved()&&(a.done(function(a){c=a}),i.html(g"


A potentially dangerous Request.Path value was detected from the client (:). (/NewsList/Scripts/,data:c,complete:function(a,b,c){c=a.responseText,a.isResolved()&&(a.done(function(a){c=a}),i.html(g)

System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (:). at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication+PipelineStepManager.ValidateHelper(HttpContext context)

Illegal characters in path.
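To make the point of this answer concrete, here is an added example (not code from the thread) that triages logged request paths the way the error on this page describes: the rejected value is the URL path, not the submitted email. It assumes ASP.NET 4's default `requestPathInvalidCharacters` list (`<,>,*,%,&,:,\,?`); the script-token heuristic and all sample paths except the first are constructed for illustration.

```javascript
// Added example. Default ASP.NET 4 <httpRuntime requestPathInvalidCharacters>.
const DEFAULT_INVALID_PATH_CHARS = new Set(['<', '>', '*', '%', '&', ':', '\\', '?']);

// Heuristic (an assumption of this example): tokens suggesting the "path"
// is a fragment of script source that a client resolved as a relative URL.
const SCRIPT_TOKENS = [/function\s*\(/, /\.responseText/, /[{}]/, /&&|\|\|/];

// Classify one logged request path.
function classifyPath(path) {
  // First offending character by position; for the path in the question
  // this is ":", the character named in the error message.
  const firstBad =
    [...path].find((ch) => DEFAULT_INVALID_PATH_CHARS.has(ch)) || null;
  const looksLikeScript = SCRIPT_TOKENS.some((re) => re.test(path));
  let verdict = 'passes path validation';
  if (firstBad !== null) {
    verdict = looksLikeScript
      ? 'rejected, script fragment used as URL'
      : 'rejected, invalid character';
  }
  return { path, firstBad, looksLikeScript, verdict };
}

// The first path is the one quoted in the question's error; the rest are
// constructed for contrast.
const samplePaths = [
  '/NewsList/Scripts/,data:c,complete:function(a,b,c){c=a.responseText,a.isResolved()&&(a.done(function(a){c=a}),i.html(g',
  '/NewsList/Scripts/jquery-1.5.2.min.js',
  '/NewsList/Subscribe',
  '/NewsList/files/report:final.pdf',
];

for (const r of samplePaths.map(classifyPath)) {
  console.log(r.verdict.padEnd(40), String(r.firstBad).padEnd(5), r.path.slice(0, 50));
}
```

Paths in the "script fragment" bucket never reach a controller or model binder, which is why no application code appears in the stack trace.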


0
votes

Looks like you are not validating the email address before it is submitted on the client side. You can use the code below to validate the email address. At the same time, set a maxlength attribute on the email input fields.

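function validateEmail(email) 
{ 
 // Local part: dot-separated atoms or a quoted string.
 // Domain: a bracketed IPv4 literal or dotted labels ending in a TLD of 2+ letters.
 var re = /^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
 // test() returns true when the whole string matches the pattern
 return re.test(email);
}

// Warn when the value of the #emailAddress field fails the pattern
if (!validateEmail($("#emailAddress").val())) {
     alert("Invalid email address");
}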
0
votes

ASP.NET MVC already has a DataType attribute. You can use this instead of a regular expression.

public class Subscriber
{
    [Key]
    [DisplayName("Email Address")]
    [Required(ErrorMessage = "{0} is required")]
    [DataType(DataType.EmailAddress)]
    public string EmailAddress { get; set; }

    public Guid UnsubscribeKey { get; set; }
}