We are having an issue where our application fails when the URL has any part ending with '.' in it; we can't avoid this due to functional requirements. The suggested solution is to turn on relaxedUrlToFileSystemMapping in the web.config file. We would like to know if there are any potential security risks with this approach.
Format of failing URL: http://server.com/path1/krishnakk./path2
It returns a 404 error.
Even though this question is seven months old, here's an answer in case anyone else comes across a situation like this.
Regarding the security part of the question, by default relaxedUrlToFileSystemMapping is set to false, and ASP.NET assumes that the path portion of a URL is a valid NTFS file path. If you disable this by setting relaxedUrlToFileSystemMapping to true, then you are potentially opening your site up to attack because you're disabling the default protection provided by ASP.NET.
If you absolutely need to set relaxedUrlToFileSystemMapping to true you should also be sure that you validate all URLs within the constraints of your application's requirements.
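One way to do the URL validation recommended in the answer above, shown as an added example that is not part of the original thread and not an ASP.NET API. The SegmentValidator class, its allowlist pattern and the 64-character limit are assumptions for illustration; it expects the already-decoded URL path and permits the trailing dot the question needs while rejecting segments that Windows treats specially.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Added example: allowlist check for URL path segments when
// relaxedUrlToFileSystemMapping="true" is set on <httpRuntime>.
// SegmentValidator and its rules are hypothetical, not ASP.NET APIs.
public static class SegmentValidator
{
    // Letters, digits, '_' and '-', single inner dots, at most one trailing dot.
    // \z (not $) so a trailing newline cannot slip through.
    private static readonly Regex Allowed = new Regex(
        @"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\.?\z", RegexOptions.CultureInvariant);

    // Win32 device names; they stay special with an extension or trailing dot.
    private static readonly string[] Devices = { "CON", "PRN", "AUX", "NUL" };

    public static bool IsSafeSegment(string segment)
    {
        if (string.IsNullOrEmpty(segment) || segment.Length > 64) return false;
        // Rejects ':', '\', '..', spaces, control characters and anything else
        // outside the allowlist.
        if (!Allowed.IsMatch(segment)) return false;

        // Compare the base name (text before the first dot) to device names.
        string baseName = segment.Split('.')[0].ToUpperInvariant();
        if (Devices.Contains(baseName)) return false;
        if (Regex.IsMatch(baseName, @"^(COM|LPT)[1-9]\z")) return false;
        return true;
    }

    public static bool IsSafePath(string path)
    {
        if (string.IsNullOrEmpty(path)) return false;
        // Every non-empty segment of the decoded path must pass.
        var segments = path.Split('/').Where(s => s.Length > 0).ToArray();
        return segments.Length > 0 && segments.All(IsSafeSegment);
    }

    public static void Main()
    {
        // Constructed sample paths; the first is the shape from the question.
        string[] samples = {
            "/path1/krishnakk./path2", "/Home/hi.how:areyou",
            "/path1/../web.config", "/path1/nul./path2", "/path1/name /path2" };
        foreach (var p in samples)
            Console.WriteLine("{0,-26} {1}", p, IsSafePath(p) ? "accept" : "reject");
    }
}
```

A validated segment should still be used only as a lookup key (for example a database identifier) and never concatenated into a file system path.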
A little late to the party but I thought I'd add what worked for me.
I just ran into this today, but fortunately was able to work around it. The solution was to pass the value that contained the dot (period) as part of the querystring, not the URL. You lose the elegance of having a clean URI without querystring, but it works without lowering security or changing any settings.
E.g. http://localhost/Home/hi.how:areyou will fail because it contains two illegal chars as part of the URI, the dot and the colon. However http://localhost/Home/id=hi.how:areyou will work perfectly.
Props to Scott Hanselman who, as always, will have blogged about pretty much all the crazy scenarios and issues that one might run into while doing .NET development.