HTTP Module intercept requests and breaks custom errors configuration

回眸只為那壹抹淺笑 提交于 2019-12-11 02:22:40

问题


I have an ASP.NET MVC 5 web application which runs locally on IIS 8.5 and after deployment, on Azure Websites - on both cases, the behavior that will be later described is the same.

I configured in the web.config the following custom errors page management (it covers all my cases of custom errors and it has been tested and it's working great):

<system.webServer>
  <httpErrors errorMode="Custom" existingResponse="Replace">
    <clear />
    <error statusCode="400" responseMode="ExecuteURL" path="/App/Error"/>
    <error statusCode="403" responseMode="ExecuteURL" path="/App/Error/Forbidden" />
    <error statusCode="404" responseMode="ExecuteURL" path="/App/Error/NotFound" />
    <error statusCode="500" responseMode="ExecuteURL" path="/App/Error" />
  </httpErrors>
</system.webServer>

Also, I have an HTTP Module configured in the same web.config like this:

<system.webServer>
<modules>
  <add name="ImageProcessorModule" type="ImageProcessor.Web.HttpModules.ImageProcessingModule, ImageProcessor.Web" />
 </modules>
</system.webServer>

The issue that I have is like this: if I'm making a request to a strange URL like .../c<, the application executes the 500 custom error path as instructed in the web.config file. But, if I'm making a request to a stranger URL (to simulate an html tag) like .../<c, though the resulted error is 500, the custom error is not executed anymore, because accordingly to the detailed error, the HTTP Module intercept the call and "decides" to just show a YSOD...

The message that I get is:

A potentially dangerous Request.RawUrl value was detected from the client (="/App/

And is easy to see that this is caused by the webmodule because of the stacktrace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.RawUrl value was detected from the client (="/App/d__10.MoveNext() +201 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84 System.Web.TaskAsyncHelper.EndTask(IAsyncResult ar) +98 System.Web.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +434 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +288

If I'm commenting out the Image Processor Module from the web.config, everything runs as expected.

Why in this case, the custom error path doesn't get executed?

Thank you for your time and answers.


回答1:


I very strongly suspect this is a bug in Image Processor.

The exact same issue was reported in Client Dependency (a module for Umbraco) which, while completely unrelated, is similar in that it was accessing Context.Request.RawUrl at the same stage of the request pipeline.

You have two options:-

  1. Find a way to set runAllManagedModulesForAllRequests="false" without impacting the behaviour of your http modules

  2. See if you can submit a patch to https://github.com/JimBobSquarePants/ImageProcessor/blob/f4080c3217107eb7a571eb69e54cc5e69e1c892c/src/ImageProcessor.Web/HttpModules/ImageProcessingModule.cs to use Request.Unverified.RawUrl instead of Request.RawUrl



来源:https://stackoverflow.com/questions/30075396/http-module-intercept-requests-and-breaks-custom-errors-configuration

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!