Microsoft KB Archive/887289

= HTTP module to check for canonicalization issues with ASP.NET =

Article ID: 887289

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft ASP.NET 1.0
 * Microsoft ASP.NET 1.1
 * Microsoft .NET Framework 1.0
 * Microsoft .NET Framework 1.0 Service Pack 1
 * Microsoft .NET Framework 1.0 Service Pack 2
 * Microsoft .NET Framework 1.0 Service Pack 3
 * Microsoft .NET Framework 1.1
 * Microsoft .NET Framework 1.1 Service Pack 1
 * Microsoft .NET Framework Software Development Kit 1.0 Service Pack 2
 * Microsoft .NET Framework Software Development Kit 1.0 Service Pack 1
 * Microsoft .NET Framework Software Development Kit 1.0 Service Pack 2

-





SUMMARY


To aid customers in protecting their ASP.NET applications, Microsoft has made available an HTTP module that implements canonicalization best practices. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

887459 Programmatically check for canonicalization issues with ASP.NET

For additional information about how to determine the version of ASP.NET, click the following article number to view the article in the Microsoft Knowledge Base:

318785 Determine whether service packs are installed on the .NET Framework



SYMPTOMS
When a Web server receives a URL, the server maps the request to a file system path that determines the response. The canonicalization routine that is used to map the request must correctly parse the URL to avoid serving or processing unexpected content. Unhandled canonicalization issues can lead to unexpected results. For more information about canonicalization, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa302420.aspx



Download information
The following file is available for download from the Microsoft Download Center:

Download the VPModule.msi package now.

Release Date: October 7, 2004

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
The VPModule.msi file is designed for the 32-bit Microsoft .NET Framework.

Before you install the VPModule.msi file, back up all the instances of the Machine.config file on your computer. To create a backup copy of the Machine.config file, follow these steps:  Click Start, click Run, type cmd, and then click OK. Locate every version of the Machine.config file. The Machine.config file or files are located in the following folder, where  is the version of the Microsoft .NET Framework that you have installed:

%windir%\Microsoft.NET\Framework\ \CONFIG

For example, if the .NET Framework 1.1 is installed on drive C, type the following command, and then press ENTER:

cd /d %windir%\microsoft.net\framework\v1.1.4322\config

 Type the following command to create a backup copy of the Machine.config file, and then press ENTER:

copy machine.config machine.config.bak



Repeat these steps for each instance of the .NET Framework that is installed on your system.

Installation information
Microsoft has released an installation package that is named VPModule.msi. The VPModule.msi file installs the Microsoft.Web.ValidatePathModule.dll file on your system. The installation updates the Machine.config file or files with a new HTTP module entry on all installed versions of .NET Framework.

To use the installation package, download the VPModule.msi file, double-click the package to begin installation, and then follow the installation instructions.

What the VPModule.msi does

The installer first extracts a file that is named Microsoft.Web.ValidatePathModule.dll. The installer then updates all the Machine.config files that exist on the system so that the files have an entry that looks like the following:     </system.web> The installer then adds the Microsoft.Web.ValidatePathModule.dll file to the Global Assembly Cache (GAC).

For developers who want to understand what the Microsoft.Web.ValidatePathModule.dll file does programmatically, the source code is available below: namespace Microsoft.Web { public class ValidatePathModule : IHttpModule { public ValidatePathModule { }        void IHttpModule.Init(HttpApplication app) { app.BeginRequest += new EventHandler(this.OnBeginRequest); }        void IHttpModule.Dispose { }        void OnBeginRequest(Object source, EventArgs eventArgs) { HttpRequest request = (source as HttpApplication).Request; string physicalPath = request.PhysicalPath; if (request.Path.IndexOf('\\') >= 0 || Path.GetFullPath(physicalPath) != physicalPath) { throw new HttpException(404, &quot;Not Found&quot;); }        }    } } For information about command-line switches that you can use to install the module, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa367988.aspx

Installation verification information
When the module is installed correctly, the following registry key exists:

Note This registry key does not exist on the system if you manually install the HTTP module as described in the &quot;Custom installation information&quot; section. The /a option only extracts files. It does not update the registry.

Removal information
To remove these changes, run the VPModule.msi file and select the Remove option. Alternatively, use Add/Remove Programs in Control Panel.

Unattended information
Use the following command to install these changes in unattended mode:

msiexec /i vpmodule.msi /qb-

Use the following command to remove these changes in unattended mode:

msiexec /x vpmodule.msi /qb-

Custom installation information
To manually install the HTTP module, follow these steps:  Back up your Machine.config file or files. For more information about how to do this, see the &quot;Prerequisites&quot; section.</li> Download the package. For more information about how to do this, see the &quot;Download information&quot; section.</li> Use the following command to extract the Microsoft.Web.ValidatePathModule.dll file from the VPModule.msi file to a location of your choice:

msiexec /a vpmodule.msi

</li> Use the following command to copy the module to the GAC:

gacutil -i microsoft.web.validatepathmodule.dll

Note The module is extracted to a folder that is named &quot;Microsoft ValidatePath Module&quot; and that is under the location that you specified.</li>  Edit the Machine.config file or files to add the following entry to the  section: <add name=&quot;ValidatePathModule&quot; type=&quot;Microsoft.Web.ValidatePathModule, Microsoft.Web.ValidatePathModule, Version=1.0.0.0, Culture=neutral, PublicKeyToken=eba19824f86fdadd&quot;/> </li></ol>

Known issues
The following are known issues: <ul>  The installer makes sure that the Machine.config file or files are successfully updated with a <httpModule> entry for the Microsoft.Web.ValidatePathModule.dll file. However, under certain circumstances, this may not stop the described behavior from occurring.

This behavior could occur if a Web.config file exists, and the Web.config file clears the list that is defined at the Machine.config level. For example, an entry that resembles the following in a Web.config file may cause this behavior:  </httpModules> This configuration prevents the mitigation module from executing in this particular application. This configuration normally occurs when an application does not want to use the HTTP modules that are defined at the Machine.config level, but instead wants to clear the list and then define a new list that is specific to the current application. </li> If you install a different version of the .NET Framework, you must uninstall and then reinstall the VPModule.msi file.</li> For additional information about issues with SQL Server Reporting Services and VPModule.msi, click the following article number to view the article in the Microsoft Knowledge Base:

887787 You may receive error messages from Reporting Services after you install the ASP.NET ValidatePath Module

</li></ul>

<div class="references_section">