How to programmatically test for canonicalization issues with ASP.NET

Article translations Article translations
Article ID: 887459 - View products that this article applies to.

Disclaimer

The information that is provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. We disclaim all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages. Therefore, the foregoing limitation may not apply.
Expand all | Collapse all

On This Page

INTRODUCTION

This article describes how to add safeguards to an ASP.NET application to help protect against common canonicalization issues.

MORE INFORMATION

What is canonicalization?

Canonicalization is the process that determines how various equivalent forms of a name are resolved to a single standard name. The single standard name is also known as the canonical name. For example, on a specific computer, the names c:\dir\test.dat, test.dat, and ..\..\test.dat might all refer to the same file. Canonicalization is the process that maps such names to a name that is similar to c:\dir\test.dat.

When a URL is received by a Web server, the server maps the request to a file system path that determines the response. The canonicalization routine that is used to map the request must correctly parse the URL to avoid serving or processing unexpected content. For more information about canonicalization, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/aa302420.aspx
We recommend that you use best practices to help safeguard your applications. For additional information, see the following section.

Adding additional canonicalization safeguards to your Web application

Microsoft ASP.NET developers can add more checks to help reduce canonicalization issues for a Web application by adding an Application_BeginRequest event handler in their Global.asax file that is stored in the root directory of the Web application. This event handler executes for each Web request. You can add code to this event handler to help safeguard against canonicalization issues.

Code sample

The following code samples demonstrate how to add an Application_BeginRequest event handler to a Global.asax file. This event handler helps prevent invalid characters and malformed URLs by performing path verifications. Therefore, you can avoid common canonicalization issues.

Global.asax code sample (Visual Basic .NET)

<script language="vb" runat="server">
Sub Application_BeginRequest(Sender as Object, E as EventArgs)
    If (Request.Path.IndexOf(chr(92)) >= 0 OR _
        System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then
        Throw New HttpException(404, "Not Found")
    End If
End Sub
</script>

Global.asax code sample (C#)

<script language="C#" runat="server">
void Application_BeginRequest(object source, EventArgs e) {
    if (Request.Path.IndexOf('\\') >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
        throw new HttpException(404, "not found");
    }
}
</script>

Properties

Article ID: 887459 - Last Review: December 3, 2007 - Revision: 2.5
APPLIES TO
  • Microsoft ASP.NET 1.0
  • Microsoft ASP.NET 1.1
  • Microsoft .NET Framework 1.0
  • Microsoft .NET Framework 1.0 Service Pack 1
  • Microsoft .NET Framework 1.0 Service Pack 2
  • Microsoft .NET Framework 1.0 Service Pack 3
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 1.1 Service Pack 1
Keywords: 
kbsecurity kbtshoot KB887459

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com