Hi,

does anybody know how I can tell IIS6 to accept URLs with a "<" or ">" sign
in a URL? With IIS6 default settings they are rejected with
"400 Bad request - URL"

Same URL on IIS5 works without any problem.

AllowRestrictedChars=1 didn't change the IIS6 behaviour.

Thanks,
Jochen

Re: IIS6 - allow "<" and ">" sign in URL's by David

David
Fri Sep 03 01:48:46 CDT 2004

The question is not about "IIS6 disallowing <> characters in URLs".

For security reasons, URLs are checked more thoroughly on IIS6 for
conformance to public HTTP-related RFCs. Applications that depend on the
"borderline" characters (that are neither explicitly allowed nor explicitly
denied by RFCs) should expect "borderline" behavior since it's not protected
by a specification. Just because IIS5 allows a certain URL doesn't mean
IIS6 should -- lots of changes have happened in IIS6/Windows Server 2003 due
to security implications.

If you want "<" or ">" to pass-thru unchallenged, then you should pass it in
the querystring, which is defined as opaque application data and thus can be
any octet. Or maybe even header values, which are also application data.
URL and "PathInfo" (courtesy of CGIs) are a part of the URL namespace that
the web server must parse to determine action, and thus it is open for security
inspection.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
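
An added example (not part of the thread) of the suggestion in the reply above: find the characters in the path portion of a request target that fall outside the RFC 3986 path grammar, then move the PathInfo-style trailing segment into a percent-encoded query-string parameter. The function names, the `item` parameter and the sample request targets are constructed for illustration, and the check models the RFC grammar, not HTTP.SYS's actual validation logic.

```python
import re
from urllib.parse import quote

# Characters RFC 3986 allows literally inside a path segment:
# unreserved / sub-delims / ":" / "@". "%XX" escapes are handled separately.
_PCHAR = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "-._~!$&'()*+,;=:@"
)
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def path_violations(target):
    """Return (offset, char) for each path character outside the RFC grammar.

    Only the part before the first "?" is inspected; the query string is
    treated as application data and left alone.
    """
    path = target.split("?", 1)[0]
    bad = []
    i = 0
    while i < len(path):
        if _PCT.match(path, i):      # well-formed percent-escape, skip it
            i += 3
            continue
        ch = path[i]
        if ch != "/" and ch not in _PCHAR:
            bad.append((i, ch))      # includes a stray "%" with no hex digits
        i += 1
    return bad


def move_to_query(target, param="item"):
    """Move the last path segment into a percent-encoded query parameter."""
    path, sep, query = target.partition("?")
    head, _, last = path.rpartition("/")
    pair = f"{param}={quote(last, safe='')}"
    new_query = f"{query}&{pair}" if sep and query else pair
    return f"{head or '/'}?{new_query}"


if __name__ == "__main__":
    # Constructed sample request targets.
    for target in ("/view.asp/<tag>", "/view.asp/<tag>?lang=en"):
        print(target, path_violations(target), "->", move_to_query(target))
```
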




Re: IIS6 - allow "<" and ">" sign in URL's by Jochen

Jochen
Fri Sep 03 02:56:24 CDT 2004

Hello David,

thank you for your response.

The problem is that this application is not self developed, it comes like
this out of the box.
Since we need a fast solution I am searching for a way to temporarily disable
this security setting in IIS6.

It's very clear that as a long term solution the application needs to be
changed.
I was just wondering if there is maybe an (undocumented) registry setting for
http.sys that would allow requests that contain these characters.

Thank you,
Jochen




Re: IIS6 - allow "<" and ">" sign in URL's by David

David
Sun Sep 05 19:00:41 CDT 2004

Sorry, I'm not aware of any HTTP.SYS configuration to allow <> in the URL.

I can file a compatibility bug asking for such an option.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//