Server Error in Application www.yaosansi.com
Internet Information Services 7.0
While using IIS 7.0 I ran into the error above. After looking into it, the explanation is that IIS 7.0 rejects the + sign.
IIS7 rejecting URLs containing +
The fix is already spelled out clearly in the IIS 7.0 "Things you can try" section above.
RESOLUTION
Note After you follow these steps, the security level of the server that is running IIS may be reduced. Therefore, before you set the allowDoubleEscaping property to True, consider the risk that is involved.
1. Click Start, type Notepad in the Start Search box, right-click Notepad in the Programs list, and then click Run as administrator. If you are prompted for an administrator password or for a confirmation, type your password, or click Continue.
2. On the File menu, click Open, type %windir%\System32\inetsrv\config\applicationHost.config in the File name box, and then click Open.
3. In the ApplicationHost.config file, locate the requestFiltering XML element.
4. Change the value of the allowDoubleEscaping property to True. To do this, use code that resembles the following example code.
5. On the File menu, click Save.
6. Exit Notepad.
So why does IIS 7.0 treat the + sign this way by default?
The post IIS7 rejecting URLs containing + explains the reason in detail; the original text follows.
Here is the deal. The IIS7 request filter rejects URLs containing + characters. We do this because the + character is a dangerous choice. Some standards, e.g. the CGI standard require +'s to be converted into spaces. This can become a problem if you have code that implements name-based rules, for example urlauthorization rules that base their decisions on some part of the url.
Here is a cooked up example:
Let's suppose you have code that evaluates the following rule:
<authorization vdir="my vdir">
<allowed users="Administrators"/>
</authorization>
With the ambiguity of leaving +'s in place or converting +'s to spaces there is a possibility that your rule engine allows access to a non-Admin, for example if the attacker enters http://myserver/my+vdir. The "my vdir" authorization rule won't match because your authorization code searches for the string "my+vdir" but your rule says "my vdir". Your rule won't apply and the attacker gets access.
If you absolutely want to have spaces you can simply turn off the doubleEscaping feature for your application, for your site or for the whole server. Here is an example:
%windir%\system32\inetsrv\appcmd set config "Default Web Site" -section:system.webServer/security/requestfiltering -allowDoubleEscaping:true
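The mismatch described in the quoted post, as an added example in Python (not code from the original post or from IIS): a naive rule engine that matches the raw path and falls through to "allow" when no rule matches, beside a hardened version that refuses ambiguous paths (a + sign, or a second decoding pass that changes the result, which is what allowDoubleEscaping=false guards against), decodes exactly once, and denies by default. The rule table and the helper names are constructed for this example.

```python
from urllib.parse import unquote, unquote_plus

# Authorization rule from the post: only Administrators may reach "my vdir".
RULES = {"my vdir": {"Administrators"}}


def first_segment(raw_path):
    """Return the first path segment of a raw (still-encoded) request path."""
    return raw_path.lstrip("/").split("/", 1)[0]


def lookup_rule(raw_path, plus_is_space):
    """Decode the first segment one way or the other and look up its rule.
    Returns the allowed-group set, or None when no rule matches."""
    segment = first_segment(raw_path)
    decoded = unquote_plus(segment) if plus_is_space else unquote(segment)
    return RULES.get(decoded)


def naive_authorize(raw_path, user_groups):
    """The flawed engine from the post: compares the raw string to the rule
    and, when nothing matches, lets the request through (default allow)."""
    allowed = RULES.get(first_segment(raw_path))
    if allowed is None:
        return True          # no rule applied, so access is granted: the bug
    return bool(allowed & user_groups)


def is_ambiguous(raw_path):
    """Conservative stance of the request filter (allowDoubleEscaping=false):
    refuse a path whose meaning depends on which way, or how many times,
    it is decoded."""
    if "+" in raw_path:      # space under CGI rules, a literal '+' elsewhere
        return True
    once = unquote(raw_path)
    return unquote(once) != once   # a second decode changes it: double-escaped


def authorize(raw_path, user_groups):
    """Hardened engine: reject ambiguous paths, decode exactly once, compare
    in canonical form, and deny when no rule matches (default deny)."""
    if is_ambiguous(raw_path):
        return False
    allowed = lookup_rule(raw_path, plus_is_space=False)
    if allowed is None:
        return False
    return bool(allowed & user_groups)
```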