Debug ScriptBundle results in 404 if virtualPath parameter contains a dot

Xinyang Qiu

I spent some time debuging a ScriptBundle problem last Friday and want to share my experience.

The original code in a MVC project App_Start/BundleConfig.cs file:

Code Snippet
  1. bundles.Add(newScriptBundle(“~/bundles/jquery.signalR”).Include(
  2.             “~/Scripts/jquery.signalR-{version}.js”));

And in a cshtml file, the bundle is included as:

Code Snippet
  1. @Scripts.Render(“~/bundles/jquery.signalR”)

In local IIS Express debugging mode, I found no problem. So I deployed to Azure to see if project works in real server. And to my surprise, it reported an error that SignalR is not loaded. The following image from the IE F12 developer tools shows a 404 is returned when getting /bundles/jquery.signalR.

clip_image001

To find out if bundling works locally, I changed project configuration to release, and changed web.config debug=trueto debug=false. Then running the site on IIS Express returns the same 404 as well.

I did a few searches in Bing. First, I went to MSDN documentation on ScriptBundle. Nothing there except I saw the parameter is named as “virtualPath”.

Later I found a forum question talking about IIS Virtual directory won’t work if it has a dot in the name. I also found a stackoverflow question which answer says remove the dot but gave a non-convincing reason. So the solution is to remove the dot from virualPath parameter, and it worked!

Further search for reason shows that IIS by default rejected URLs that have dot in path for security reasons. For example, in URLScan.ini downloaded from http://www.iis.net/learn/extensions/working-with-urlscan/urlscan-setup, it shows:

Code Snippet
  1. AllowDotInPath=0               ; If 1, allow dots that are not file
  2.                                ; extensions. The default is 0. Note that
  3.                                ; setting this property to 1 will make checks
  4.                                ; based on extensions unreliable and is
  5.                                ; therefore not recommended other than for
  6.                                ; testing.

 

In ISA server URLScan.ini documentation, it offers more explanation:

By default, this option is set to 0. If this option is set to 0, URLScan rejects any request that contains multiple periods (.). This prevents attempts to disguise requests for dangerous file name extensions by putting a safe file name extension in the path information or query string portion of the URL. For example, if this option is set to 1, URLScan might permit a request for http://servername/BadFile.exe/SafeFile.htm because it interprets it as a request for an HTML page, when it is actually a request for an executable (.exe) file with the name of an HTML page in the PATH_INFO area. When this option is set to 0, URLScan may also deny requests for directories that contain periods.

In summary, looks like for all the MVC/WebAPI routing, don’t put dot in any virtual path to avoid the above problem.

 

Update on 11/17/2013:

As indicated by my updated answer in stackoverflow question later, I found the truth behind the problem:

This is caused by the fact that the default MVC routing only handles * instead of * . *, i.e. IIS or IIS Express’s applicationhost.config has the following:

<add name="ExtensionlessUrl-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" responseBufferLimit="0"/>

So to workaround it, we can add the following to the web.config:

    <system.webServer>

             <handlers>     

              <add name=UrlRoutingHandler   

         type=System.Web.Routing.UrlRoutingHandler,

                         System.Web, Version=4.0.0.0,

                         Culture=neutral,

                         PublicKeyToken=b03f5f7f11d50a3a

                  path=/bundles/*verb=GET/>     

            </handlers>

          </system.webServer>

For more information, you can reference the following:

http://weblogs.asp.net/owscott/archive/2013/01/16/handing-mvc-paths-with-dots-in-the-path.aspx

ASP.NET MVC Url Route supporting (dot)

0 comments

Discussion is closed.

Feedback usabilla icon