Scott Hanselman

BUG?: Can't use an Asterisk (*) as a character when requesting a URL (page) from ASP.NET

January 26, '05 Comments [8] Posted in ASP.NET | DasBlog | HttpModule | Bugs
Sponsored By

File this in obscure. I'm trying to fix a bug filed against dasBlog where the guy has a Category in dasBlog called "WS-*"

He filed a bug saying that the CategoryView doesn't work, presumably because it has an asterisk. Now, I KNOW asterisks are allowed in values of querystrings, so this seemed weird to me.

Turns out he's using the UrlRewriting feature of DasBlog so he gets URLs like this:

http://localhost/DasBlog/CategoryView,category,WS-*.aspx

The idea is to fool search engines into thinking there are actual pages, instead of one page with an URL like:

http://localhost/DasBlog/CategoryView.aspx?category=WS-*

Here's where it gets weird. We use a thing called the UrlMappingModule to catch ALL requests (all the requests that are handled by ASP.NET) and then call app.Context.RewritePath(newPath) which routes, in this case, the request to CategoryView.

However, if an asterisk (*) appears anywhere IN THE (purported) FILENAME, ala CategoryView,category,WS-*.aspx then ASP.NET never hears about it, the HttpModule's BeginRequest never fires and I can't do crap about it. All I see is an HTTP 400 Bad Request.

So, without digging further, I can only assume that the ASPNET_ISAPI extension didn't think it was cool to pass the request on. Of course, when the * appears as a value int the QueryString, everything is cool.

What other component/filter/module upstream might be slapping this request down? I'm not running any thing special on this development box.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb
Wednesday, 26 January 2005 07:48:19 UTC
Cool. Thanks, Scott

"The guy" in your post will just rename his category from WS-* to WS-Splat ;-) No probs. However, the renaming portion is still a rather relative manual affair. Without touching on the content files, I need to re-assign all posts from WS-* to WS-Splat one-by-one manually.

Maybe this could be a new improved feature in 1.8 ? ;-)

Thanks a lot, Scott
Wednesday, 26 January 2005 08:03:35 UTC
Why not just FindInFiles and change the XML directly?
Wednesday, 26 January 2005 14:02:50 UTC
I'd take a guess here and say that IIS is probably rejecting the request because it does not refer to a valid file name, BUT ... If you try something like otherFile*.html you should get 404 Fil Not found, which tells me IIS actually tried to process the request without rejecting it. The same happens for someThingElse*.asp.
Only files with an asterisk and .aspx extensions showed this behavior for me, which leads me into thinking ASPNET_ISAPI is trying to do something else other than serving the file. This was even more interesting on my local box, where IE popped-up a user/password/domain dialog (for which even the local admin credentials failed), possibly indicating it was trying to perform a "DIR" or something like it...
I have nothing to support all this guessing, though.
Sergio Pereira
Wednesday, 26 January 2005 18:18:57 UTC
Any possibility that maybe the machine has been locked down and that URLScan is rejecting the character?
Aaron Robinson
Wednesday, 26 January 2005 18:20:41 UTC
I agree with Sergio - I only get the bad request for .aspx or .asmx extensions on the IIS5.0 and IIS5.1 boxes I tried it on. Both have .NET 1.1 installed. I tried using "*" with several other extensions and get 404. There's a KB article I found that might explain the wierd behavior:

FIX: "HTTP 400 - Bad request" error message in the .NET Framework 1.1
http://support.microsoft.com/default.aspx?scid=kb;EN-US;826437

All of the characters mentioned in the KB article (* % &) also give me a 400 error if URLScan is not installed. If URLScan is installed, it may block some of those characters (such as %) and give you a 404 error.
Wednesday, 26 January 2005 18:28:17 UTC
Aaron - No, I'm running this locally with no filters or UrlScan or anything in the way (that I can see).

Kevin - That article is definitely it. I can feel it. ;) Thanks for finding that.

My conclusion is that I'm not that interested in fixing this that I'm going to install a HotFix or messed with any "compatibility" flags.
Wednesday, 26 January 2005 20:45:29 UTC
That KB is exactly it. I tried on .NET 1.0 box and got the login pop-up I mentioned above. Then I switched the .Net version of the app to v1.1 and got the bad request message. Because this issue also manifests itself with the "%" character, it doesn't seem possible to escape the "*" or ":"... I guess dasBlog will have to validate all the user entered data that is used in re-written url paths to disallow those characters for now.
Sergio Pereira
Friday, 28 January 2005 04:17:20 UTC
No problem - glad I could help. I agree, any KB fix that requires me to contact Microsoft to get the patch has to be very very important for it to be worthwhile.
Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.