Trailing dots in url result in empty 404 page on IIS
- by Peter Hahndorf
I have an ASP.NET site on IIS8, but IIS7.5 behaves exactly the same. When I enter a URL like:
mysite.com/foo/bar..
I get the following error with a '500 Internal Server Error' status code:
even though I have custom error pages set up for 500 and 404 and I don't see anything wrong with my custom error page.
In my web.config system.web node I have the following:
<customErrors mode="On">
<error statusCode="404" redirect="/404.aspx" />
</customErrors>
If I remove that section, I get a 404.0 response back but the page itself is blank.
In web.config system.webServer I have:
<httpErrors errorMode="DetailedLocalOnly">
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" prefixLanguageFilePath="" path="404.html" responseMode="File" />
</httpErrors>
But whether that is there or not, I get the same blank 404.0 page rather than my expected custom error page, or at least an internal IIS message.
So first of all why is the asp.net handler picking up a request for '..' (also works with one or more trailing dots)
If I remove the following handler from applicacationHost.config:
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" responseBufferLimit="0" />
I get my expected custom 404 page, but of course removing that handler breaks routing in asp.net among other things.
Looking at the failure trace I see:
Windows Authentication is disabled for the site, so why is that module even in the request pipeline?
For now my fix is to use the URL Rewrite module with the following rule:
<rewrite>
<rules>
<rule name="Trailing Dots" stopProcessing="true">
<match url="\.+$" />
<action type="Rewrite" url="/404.html" appendQueryString="false" />
</rule>
</rules>
</rewrite>
This works okay, but I wonder why IIS/ASP.NET behaves this way?