Re: IIS6 - allow "<" and ">" sign in URL's
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 09/06/04
- In reply to: Jochen Kiefer: "Re: IIS6 - allow "<" and ">" sign in URL's"
Date: Sun, 5 Sep 2004 17:00:41 -0700
Sorry, I'm not aware of any HTTP.SYS configuration to allow <> in the URL.
I can file a compatibility bug asking for such an option.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Jochen Kiefer" <jochen.kiefer@nospam.hp.com> wrote in message news:O0zCEuYkEHA.524@TK2MSFTNGP15.phx.gbl...

Hello David,

thank you for your response. The problem is that this application is not self developed, it comes like this out of the box. Since we need a fast solution I am searching for a way to temporarily disable this security setting in IIS6. It's very clear that as a long term solution the application needs to be changed.

I was just wondering if there is maybe an (undocumented) registry setting for http.sys that would allow requests that contain these characters.

Thank you,
Jochen

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:%235Y2XOYkEHA.3476@tk2msftngp13.phx.gbl...
> The question is not about "IIS6 disallowing <> characters in URLs".
>
> For security reasons, URLs are checked more thoroughly on IIS6 for conformance to public HTTP-related RFCs. Applications that depend on the "borderline" characters (that are neither explicitly allowed nor explicitly denied by RFCs) should expect "borderline" behavior since it's not protected by a specification. Just because IIS5 allows a certain URL doesn't mean IIS6 should -- lots of changes have happened in IIS6/Windows Server 2003 due to security implications.
>
> If you want "<" or ">" to pass-thru unchallenged, then you should pass it in the querystring, which is defined as opaque application data and thus can be any octet. Or maybe even header values, which are also application data. URL and "PathInfo" (courtesy of CGIs) is a part of the URL namespace that web server must parse to determine action, and thus it is open for security inspection.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Jochen Kiefer" <jochen.kiefer@nospam.hp.com> wrote in message news:uzEaZhXkEHA.3392@TK2MSFTNGP15.phx.gbl...
> Hi,
>
> does anybody know how I can tell IIS6 to accept URL's with a "<" or ">" sign in a URL? With IIS6 default settings they are rejected with "400 Bad request - URL"
>
> Same URL on IIS5 works without any problem.
>
> AllowRestrictedChars=1 didn't change the IIS6 behaviour.
>
> Thanks,
> Jochen
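The path-versus-querystring distinction discussed in this thread, as an added example that is not part of the original posts and does not reproduce HTTP.SYS's actual validation: a pre-flight check that flags path characters outside the RFC 3986 path grammar, plus a helper that carries the same value in the query string instead. The function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlencode

# RFC 3986 path characters: unreserved / sub-delims / ":" / "@" / "/" / pct-encoded.
# Assumption: this models the RFC grammar only, not the server's real rule set.
_PATH_OK = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/]|%[0-9A-Fa-f]{2})")


def path_violations(target):
    """Return (offset, char) for each path character outside the RFC grammar.

    Only the part before the first "?" is inspected, because the query
    string is application data rather than part of the URL namespace.
    """
    path = target.split("?", 1)[0]
    bad, i = [], 0
    while i < len(path):
        m = _PATH_OK.match(path, i)
        if m:
            i = m.end()          # valid char or complete %XX escape
        else:
            bad.append((i, path[i]))
            i += 1               # e.g. "<", ">", or a dangling "%"
    return bad


def move_to_query(path, param, value):
    """Carry `value` as percent-encoded query-string data instead of a path segment."""
    return path + "?" + urlencode({param: value})


if __name__ == "__main__":
    # Constructed sample request targets.
    for t in ("/app/view/<item>/details",
              "/app/view?name=<item>",
              move_to_query("/app/view", "name", "<item>")):
        print(t, "->", path_violations(t) or "path OK")
```
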