This article describes how to add safeguards to an ASP.NET application to help protect against common canonicalization issues.
What is canonicalization?
Canonicalization is the process that determines how various equivalent forms of a name are resolved to a single standard name. The single standard name is also known as the canonical name. For example, on a specific computer, the names c:\dir\test.dat, test.dat, and ..\..\test.dat might all refer to the same file. Canonicalization is the process that maps such names to a name that is similar to c:\dir\test.dat.
When a Web server receives a URL, the server maps the request to a file system path that determines the response. The canonicalization routine that performs this mapping must parse the URL correctly; otherwise the server may serve or process unexpected content. For more information about canonicalization, visit the following Microsoft Web site:
We recommend that you use best practices to help safeguard your applications. For additional information, see the following section.
Adding additional canonicalization safeguards to your Web application
Microsoft ASP.NET developers can add more checks to help reduce canonicalization issues for a Web application by adding an Application_BeginRequest event handler to the Global.asax file that is stored in the root directory of the Web application. This event handler executes for each Web request. You can add code to this event handler to help safeguard against canonicalization issues.
Code sample
The following code samples demonstrate how to add an Application_BeginRequest event handler to a Global.asax file. The handler rejects requests that contain invalid characters or malformed URLs by verifying the request path before the request is processed, which helps you avoid common canonicalization issues.
Global.asax code sample (Visual Basic .NET)
<script language="vb" runat="server">
    Sub Application_BeginRequest(Sender As Object, E As EventArgs)
        ' Reject the request if the virtual path contains a backslash (Chr(92)),
        ' or if the mapped physical path is not already in its canonical form
        ' (for example, it still contains "." or ".." segments).
        If (Request.Path.IndexOf(Chr(92)) >= 0 Or _
            System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) Then
            Throw New HttpException(404, "Not Found")
        End If
    End Sub
</script>
Global.asax code sample (C#)
<script language="C#" runat="server">
    void Application_BeginRequest(object source, EventArgs e) {
        // Reject the request if the virtual path contains a backslash,
        // or if the mapped physical path is not already in its canonical form
        // (for example, it still contains "." or ".." segments).
        if (Request.Path.IndexOf('\\') >= 0 ||
            System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
            throw new HttpException(404, "not found");
        }
    }
</script>
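To see what the two checks in the samples above actually catch, here is an added stand-alone C# console example (not code from the original article). It reproduces the backslash check and the GetFullPath comparison outside IIS, assumes a hypothetical web root C:\inetpub\wwwroot in place of Server.MapPath and Windows path semantics, and goes one step beyond the article by also confirming that the canonical path stays under the web root.

```csharp
using System;
using System.IO;

// Constructed illustration of the Global.asax checks; assumes Windows path
// semantics, because IIS maps URLs to backslash-separated physical paths.
static class CanonicalizationCheck
{
    // Hypothetical web root, standing in for Server.MapPath("/").
    const string WebRoot = @"C:\inetpub\wwwroot";

    // Mimics what IIS/ASP.NET would hand the handler as Request.PhysicalPath.
    static string MapToPhysical(string requestPath)
    {
        string relative = requestPath.TrimStart('/').Replace('/', '\\');
        return WebRoot + "\\" + relative;
    }

    // Returns true when the request should be rejected with 404.
    public static bool IsSuspicious(string requestPath)
    {
        // Check 1 (from the article): a backslash in the virtual path means the
        // client is expressing the path in file-system syntax, not URL syntax.
        if (requestPath.IndexOf('\\') >= 0) return true;

        // Check 2 (from the article): the mapped path must already be canonical;
        // if GetFullPath changes anything ("..", ".", etc.), reject the request.
        string physicalPath = MapToPhysical(requestPath);
        string canonical = Path.GetFullPath(physicalPath);
        if (canonical != physicalPath) return true;

        // Extra check (not in the article): the canonical path must stay inside
        // the web root, so nothing outside it can ever be served.
        return !canonical.StartsWith(WebRoot + "\\", StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        // Constructed sample requests: the first two are benign, the rest are rejected.
        string[] samples = { "/default.aspx", "/images/logo.gif",
                             "/..\\web.config", "/../web.config", "/images/./logo.gif" };
        foreach (string s in samples)
            Console.WriteLine("{0,-22} -> {1}", s, IsSuspicious(s) ? "reject (404)" : "allow");
    }
}
```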