Microsoft KB Archive/887459

= How to programmatically test for canonicalization issues with ASP.NET =

Article ID: 887459

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft ASP.NET 1.0
 * Microsoft ASP.NET 1.1
 * Microsoft .NET Framework 1.0
 * Microsoft .NET Framework 1.0 Service Pack 1
 * Microsoft .NET Framework 1.0 Service Pack 2
 * Microsoft .NET Framework 1.0 Service Pack 3
 * Microsoft .NET Framework 1.1
 * Microsoft .NET Framework 1.1 Service Pack 1

-



INTRODUCTION
This article describes how to add safeguards to an ASP.NET application to help protect against common canonicalization issues.



What is canonicalization?
Canonicalization is the process that determines how various equivalent forms of a name are resolved to a single standard name. The single standard name is also known as the canonical name. For example, on a specific computer, the names c:\dir\test.dat, test.dat, and ..\..\test.dat might all refer to the same file. Canonicalization is the process that maps such names to a name that is similar to c:\dir\test.dat.

When a URL is received by a Web server, the server maps the request to a file system path that determines the response. The canonicalization routine that is used to map the request must correctly parse the URL to avoid serving or processing unexpected content. For more information about canonicalization, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa302420.aspx

We recommend that you use best practices to help safeguard your applications. For additional information, see the following section.

Adding additional canonicalization safeguards to your Web application
Microsoft ASP.NET developers can add more checks to help reduce canonicalization issues for a Web application by adding an Application_BeginRequest event handler in their Global.asax file that is stored in the root directory of the Web application. This event handler executes for each Web request. You can add code to this event handler to help safeguard against canonicalization issues.

Code sample
The following code samples demonstrate how to add an Application_BeginRequest event handler to a Global.asax file. This event handler helps prevent invalid characters and malformed URLs by performing path verifications. Therefore, you can avoid common canonicalization issues.

Global.asax code sample (Visual Basic .NET)
 Sub Application_BeginRequest(Sender as Object, E as EventArgs) If (Request.Path.IndexOf(chr(92)) >= 0 OR _       System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then Throw New HttpException(404, &quot;Not Found&quot;) End If End Sub

Global.asax code sample (C#)
 void Application_BeginRequest(object source, EventArgs e) { if (Request.Path.IndexOf('\\') >= 0 ||       System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) { throw new HttpException(404, &quot;not found&quot;); } }



Disclaimer
The information that is provided in the Microsoft Knowledge Base is provided &quot;as is&quot; without warranty of any kind. We disclaim all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages. Therefore, the foregoing limitation may not apply.

Keywords: kbtshoot kbsecurity KB887459

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.