I'm having some issues with setting up rules in URL Rewrite 2.0 using IIS 7. I'm working on a website that is a combination of more modern .NET 4.0 stuff all the way back to classic .ASP stuff. My current task is to try and strip some specific characters out of user input to help protect against XSS attacks.
I get the basic syntax:
<rule name="Rule Name" stopProcessing="true">
  <match url="myPage.asp" />
  <conditions>
    <add input="" pattern="" />
  </conditions>
  <action type="" />
</rule>
I know I need three steps,
1) Ensure that what we're looking at is a post
2) Identify any of a number of bad characters using regex
3) Continue the post with those characters stripped out.
The first I believe can be addressed by this:
<add input="{REQUEST_METHOD}" matchType="Pattern" pattern="POST" ignoreCase="true" />
What is frustrating me is the second and third issue.
The second is also an input, but I'm stuck trying to find the best {} variable to put in the input. Right now I have this:
<add input="{REQUEST_URI}" pattern="[\\\|&lt;&gt;]" />
but I know that {REQUEST_URI} is not the right variable to go there. I've been on the URL rewrite site (http://www.iis.net/download/urlrewrite), and I've found the IIS 6.0 list of server variables (http://msdn.microsoft.com/en-us/library/ms524602(v=vs.90).aspx), but I can't seem to find a good list of the variables available to me in 7.0 and above and what they mean. Is this something anyone has bookmarked somewhere and can pass along?
The third is also giving me issues. Right now, on some other rules, I have <action type="AbortRequest" /> set, but for this, I'm not looking to stop the request, I'm looking to just remove the bad characters and continue the POST. The custom rule setup in IIS looks promising, but it just seems to want to redirect to a URL, not do anything else. Is this something that's even possible?
I should also note that I'm looking into an IIS Managed Module as an alternative to get what I'm looking for. Does that sound like a better avenue to anyone?
So, turns out that you can't do it and that I was misinterpreting the scope of the URL rewrite application. I should be looking at an IIS Managed Module, and will pivot to that in the future.
We have our Sharepoint 2019 site set up, and everything is running fine. However, when a user clicks the Brand Bar "Sharepoint" in the top left header, it brings them to a broken page. Researched this, and it seems like this link cannot be changed in 2019, as others are having this issue.
https://social.technet.microsoft.com/Forums/en-US/1ef910ec-fb70-443e-bcf4-2d277dc11d2a/sharepoint-2019-on-premise-management-shell-not-working-as-expected?forum=SP2019
What we wanted to do is a redirect, so whenever they went to the broken link, it would just direct them to the real homepage for our sharepoint.
Example -
Broken link is http://servername/my/_layouts/15/sharepoint.aspx
Correct link is https://sharepoint.companyname.com/SitePages/Home.aspx
Here is what I came up with to add to the web.config file, but it doesn't seem to be working.
<configuration>
  <system.webServer>
    <httpRedirect enabled="true" exactDestination="true" httpResponseStatus="Found">
      <add wildcard="*_layouts/15/sharepoint.aspx" destination="https://sharepoint.companyname.com/SitePages/Home.aspx" />
    </httpRedirect>
  </system.webServer>
</configuration>
Any idea on what needs to be done here? Is this even possible? I didn't set up the sharepoint site here so I'm not sure how http://servername/my/_layouts/15/sharepoint.aspx even became the brand bar link.
Thank you!
If you want to redirect from servername/my/_layouts/15/sharepoint.aspx to sharepoint.companyname.com/SitePages/Home.aspx using IIS URL Rewrite, you can try this rule.
<rule name="test6" stopProcessing="true">
  <!-- The pattern must include the .aspx extension of the requested page -->
  <match url="^my/_layouts/15/sharepoint\.aspx$" />
  <action type="Redirect" url="http://sharepoint.companyname.com/SitePages/Home.aspx" />
</rule>
This has been resolved.
Not sure what happened, only thing I did was place the rule on the top most part of the tree in IIS where the server name is. Before I was putting the rule on the actual site in the drop down. I guess this makes sense since the URL I wanted to redirect had the server name in it.
We're using URL ReWrite 64bit version from Microsoft on Windows 2012 R2, ColdFusion 11 Enterprise, IIS 8.5, and SQL 2008.
Forgive me for being redundant and obvious. Writing in detail is the only way I know how to get my point over. I hope it's not too much.
I've searched the site but cannot find an answer that hints at what I'm doing wrong.
So, this is my first question:
URL ReWrite is installed and seems to operate okay with some rules, but I cannot get it to do what I want with the Friendly-URL rewrite. That is the problem. I'm hoping someone will use the same basic parameters I used to see if they get the same problem on Windows or Windows Server.
Our public Announcements section on our website was written to use the ID (PK) from an SQL database table to point the URL of an announcement (from a list inside an sql table), with lots of categories such as jobs, events, garage-sale, etc, etc. I know, you all know this is pretty standard for amateurs. So, as you well know, this URL method is not only clumsy, can be a security risk, but does not easily allow for me to format the URL as I want.
The selection of announcements starts at the 'select' page:
www.domain.com/event/select.cfm
So, currently when clicking on one of the links on the select.cfm page (the list generated from a cfquery output) I get this URL and am taken to the view page to display the actual individual announcement:
http://www.domain.com/event/view.cfm?id=23
select.cfm and view.cfm are both in the same directory inside /event/.
The anchor for the link: href="/event/view.cfm?id=#ViewInfo.ID#" (without the brackets of course).
Everything displays and works fine except for the URL I don't want.
Obviously, the folder /event/ is just off the web root, (the announcements directory) which is the only place this rule should operate.
That 'ID' I've been using in the sql table is announcement number 23 in the JOBS category. All categories and announcements are in just the one table.
For a more friendly URL, I'd prefer to use the 'category' of each announcement and the current 'date' the announcement was saved, which seems pretty normal, right?
Except I'm nearly brand new at programming and really hesitated coming here.
Anyway, before attempting to use URL ReWrite, I first tried to do this:
www.domain.com/event/jobs/23/2015-12-2/view.cfm or some variation. Nothing worked the way I wanted.
It was a mess.
I quickly learned the forward slash required an actual directory on the hard drive between each slash and I could find no way around it. I added another notch to my html synapse. I didn't want to create tons of folders and sub-folders for no good reason. So, I thought by using the URL ReWrite I could do something like this:
www.domain.com/event/jobs-2015-12-2_3.html or some crazy variation. A couple days later my brain was hurting far too much.
I had figured this way I'd rid myself of the id= and .cfm file, and add a category which makes more sense and is easier for reference. I may actually use part of a uniqueidentifier instead of the PK ID but that's not important for this problem.
So I stumbled onto URL REWRITE and installed it.
I opened IIS 8.5 Manager, went to the website I was using, and to the /event/ folder and clicked on URL REWRITE. I then selected Add Rule and User-Friendly URL. I then entered the URL to one of the announcements:
"/event/view.cfm?id=" at the top of the tab, as the "internal URL".
I also tried hard coding the full URL just for a test: "/event/view.cfm?id=23". They did not work.
For each test, I entered the second example suggestion on the second line: /id/184/ just to see if it would work.
But it did not. I checked the 'web.config' file (which I will include here) in the /event/ directory and the code rules had been written correctly. But there was no change to the URL as I expected when I click on the link to view.cfm. It still showed this:
www.domain.com/event/view.cfm?id=23
I tried every combination in URL ReWrite I could think of but I cannot get the link to the URL to change at all, to anything, no matter what I do. I don't get it.
I know that my installed URL ReWrite is working because of another rule I use to forward all discovered .htm files to the .cfm equivalent when they are found.
I even did a "repair" to the installed URL ReWrite and rebooted but that did not help. Then I uninstalled URL ReWrite and installed again, rebooted. Still no change. It works, but not with the Friendly-URL rewrite. I'm obviously doing something wrong but am at a total loss and might need to hire a real programmer. And that could be the end of my new job.
So, hope someone can steer me in the right direction. If so, I promise to learn and help others as I can.
Here's my web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Redirect non-POST requests for view.cfm?name=value to the friendly form -->
        <rule name="RedirectUserFriendlyURL1" stopProcessing="true">
          <match url="^event/view\.cfm$" />
          <conditions>
            <add input="{REQUEST_METHOD}" pattern="^POST$" negate="true" />
            <add input="{QUERY_STRING}" pattern="^([^=&amp;]+)=([^=&amp;]+)$" />
          </conditions>
          <action type="Redirect" url="event/view/{C:1}/{C:2}" appendQueryString="false" />
        </rule>
        <!-- Rewrite the friendly form back to view.cfm unless a real file or directory exists -->
        <rule name="RewriteUserFriendlyURL1" stopProcessing="true">
          <match url="^event/view/([^/]+)/([^/]+)/?$" />
          <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="event/view.cfm?{R:1}={R:2}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Rewrite links in HTML responses to the friendly form -->
        <rule name="OutboundRewriteUserFriendlyURL1" preCondition="ResponseIsHtml1">
          <match filterByTags="A, Form, Img" pattern="^(.*/)event/view\.cfm\?id=([^=&amp;]+)$" />
          <action type="Rewrite" value="{R:1}event/view/id/{R:2}/" />
        </rule>
        <preConditions>
          <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
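An added example, not part of the original post: URL Rewrite tests `<match url>` against the request path relative to the directory of the web.config that holds the rule, without a leading slash. The sketch below models that for the posted redirect rule, assuming the web.config sits in /event/ as the post says; `matchInput`, `evalRedirect` and the `relativeToEvent` variant are hypothetical names. JavaScript is used because URL Rewrite's default pattern syntax is ECMAScript.

```javascript
// Added illustration, not code from the post. Models only how URL Rewrite
// picks the string that <match url="..."> is tested against.

// Input for <match url>: the request path with the leading slash and the
// directory of the web.config that holds the rule stripped off.
function matchInput(requestPath, configDir) {
  const path = requestPath.replace(/^\/+/, "");
  const prefix = configDir.replace(/^\/+|\/+$/g, "");
  if (prefix === "") return path;
  return path.startsWith(prefix + "/") ? path.slice(prefix.length + 1) : null;
}

// RedirectUserFriendlyURL1 as posted, and a hypothetical variant whose
// pattern is written relative to /event/. Matching ignores case by default.
const asPosted = { match: /^event\/view\.cfm$/i, query: /^([^=&]+)=([^=&]+)$/ };
const relativeToEvent = { match: /^view\.cfm$/i, query: asPosted.query };

// Returns the {C:1}/{C:2} back-references when the rule would fire, else null.
function evalRedirect(rule, method, requestPath, queryString, configDir) {
  const input = matchInput(requestPath, configDir);
  if (input === null || !rule.match.test(input)) return null;
  if (/^POST$/i.test(method)) return null; // the negate="true" condition
  const c = rule.query.exec(queryString);
  return c ? { c1: c[1], c2: c[2] } : null;
}

// Constructed sample request: GET /event/view.cfm?id=23
function demo() {
  return {
    postedAtSiteRoot: evalRedirect(asPosted, "GET", "/event/view.cfm", "id=23", "/"),
    postedInEventDir: evalRedirect(asPosted, "GET", "/event/view.cfm", "id=23", "/event/"),
    relativeInEventDir: evalRedirect(relativeToEvent, "GET", "/event/view.cfm", "id=23", "/event/"),
  };
}

console.log(demo());
```

With the rule stored in /event/, the posted pattern is tested against `view.cfm`, so `^event/view\.cfm$` does not match; the same pattern stored in the site-root web.config does.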
I'm looking to use the URLRewriting.config within Umbraco to set up some redirects. The majority of them are working fine, but a few are causing headaches.
I have a page: /testpage.aspx which on the new site is now under /directory/testpage.aspx. I've tried a couple of rules, but they either fall into a loop, or just send me to the first page - which obviously gives a 404 error.
As far as I can tell, the rule below should satisfy this rewrite and work, but instead I'm just getting the original page - which is a 404 on this site.
<add name="Redirect400" rewriteUrlParameter="ExcludeFromClientQueryString" redirect="Domain" ignoreCase="true"
     virtualUrl="^~/testpage.aspx$"
     destinationUrl="/directory/testpage.aspx"
     redirectMode="Permanent" />
Those regular expressions (please correct me if I'm wrong), should be saying that any page that starts and ends with /testpage.aspx is redirected to the new URL? Can anyone offer any assistance on this?
There is a bit of a change in your virtual URL, because that only gets the one which has www.domain.com/testpage.aspx
It will not get the following results:
www.domain.com/abc/testpage.aspx
www.domain.com/abc/main/testpage.aspx
www.domain.com/abc/main/test/testpage.aspx
Please try the following. I haven't tested it, but I am guessing it is that.
<add name="Redirect400" rewriteUrlParameter="ExcludeFromClientQueryString" redirect="Domain" ignoreCase="true"
     virtualUrl="^~(.*)/testpage.aspx$"
     destinationUrl="/directory/testpage.aspx"
     redirectMode="Permanent" />
Let me know if you need more help.
Thanks
I've been going through stack overflow but cannot find an answer to this. I can get the 500 page to show up ok like this:
<customErrors mode="On">
  <error statusCode="500" redirect="~/500.html"/>
</customErrors>
What I would like to do is to present a localized version of the page based on the app language. Problem is that I would not like to go through the Error Controller-View solution that I found in lots of other posts, in case there is an actual error in the App (missing DLLs etc.). So I have to serve a pure html page, but I need to be able to choose the localized one, or instruct IIS on how to find it.
Any idea?
This is just off the top of my head, couldn't you use URL rewrite/redirect rules that use the Accept-Language that the browser defines to redirect to ~/500.en-us.html and ~/500.de.html or however you may have the pathing setup?
Example Rule in web.config:
<rule name="HTTP-Language-Error-Redirect" stopProcessing="true">
  <match url="^500.html$" />
  <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
    <add input="{HTTP_ACCEPT_LANGUAGE}" pattern="^([a-z]{1,8}(-[a-z]{1,8})?)\s*(;\s*q\s*=\s*(1|0\.[0-9]+))?$" />
  </conditions>
  <action type="Redirect" url="500.{C:1}.html" redirectType="Found" />
</rule>
My thinking is that the rewrite/redirect rule would work as it's part of IIS's processes handling the request and not the app code. So it could still work, theoretically, if the WebApp is broken for some reason. I could be totally wrong in my assumption though, and I thought I'd give it an honest shot.
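An added example, not the answerer's code: it runs the rule's condition pattern over constructed Accept-Language headers to show which ones it accepts, next to a resolver that parses the full header and only ever returns a page from a fixed allowlist. The `AVAILABLE` set, `FALLBACK` and the function names are assumptions; JavaScript is used because URL Rewrite's default pattern syntax is ECMAScript.

```javascript
// Added illustration, not the answerer's code.
// The answer's condition pattern; URL Rewrite conditions ignore case by default.
const answerPattern =
  /^([a-z]{1,8}(-[a-z]{1,8})?)\s*(;\s*q\s*=\s*(1|0\.[0-9]+))?$/i;

// Redirect target the posted rule would produce, or null if the condition fails.
function ruleTarget(acceptLanguage) {
  const m = answerPattern.exec(acceptLanguage);
  return m ? `500.${m[1]}.html` : null;
}

// Hypothetical: the localized error pages that exist on disk.
const AVAILABLE = new Set(["en-us", "de"]);
const FALLBACK = "500.html";
const RANGE =
  /^\s*([a-z]{1,8}(?:-[a-z0-9]{1,8})*)\s*(?:;\s*q\s*=\s*([01](?:\.[0-9]{0,3})?))?\s*$/i;

// Parse the whole header, order by q-value, return the first page that exists.
function pickErrorPage(acceptLanguage) {
  const ranges = String(acceptLanguage || "")
    .split(",")
    .map((part, index) => {
      const m = RANGE.exec(part);
      if (!m) return null; // skips "*" and anything malformed
      const q = m[2] === undefined ? 1 : parseFloat(m[2]);
      return { tag: m[1].toLowerCase(), q, index };
    })
    .filter((r) => r !== null && r.q > 0)
    .sort((a, b) => b.q - a.q || a.index - b.index);
  for (const { tag } of ranges) {
    const primary = tag.split("-")[0];
    if (AVAILABLE.has(tag)) return `500.${tag}.html`;
    if (AVAILABLE.has(primary)) return `500.${primary}.html`;
  }
  return FALLBACK;
}

// Constructed sample headers.
const samples = ["de", "en-US,en;q=0.9,de;q=0.8", "fr", ""];
for (const h of samples) {
  console.log(JSON.stringify(h), ruleTarget(h), pickErrorPage(h));
}
```

The anchored pattern accepts a header carrying a single language range only, and it produces a target for any such range whether or not a matching file exists; the allowlist resolver falls back to `500.html` in both cases.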
This sounds like it should be simple but I can't seem to get it working.
I need to add a route that matches a given file name and extension, regardless of the subdirectory (and including the root of the website)
Possible requests could be in the form
/myfile.xml
/somedirectory/myfile.xml
/any/number/of/directories/myfile.xml
I need to match them all and route to the same controller action.
I have tried using wildcards in the route url e.g.
routes.MapRoute(
    "MyFileRoute",
    "{*path}/myfile.xml",
    new { controller = "MyFileController", action = "GetMyFile" }
);
but I get the following error
A catch-all parameter can only appear as the last segment of the route URL.
Parameter name: routeUrl
I have no control over the request itself since it comes from a 3rd party flash plugin and seems to look for the file where it thinks the html file is, since I am using MVC this is not a physical location.
Do you really have to use routing? How about a good old HttpHandler?
<configuration>
  <system.web>
    <httpHandlers>
      <!-- Route GET requests for myfile.xml in any directory to the handler -->
      <add verb="GET"
           path="*/myfile.xml"
           type="MyFileHandler"/>
    </httpHandlers>
  </system.web>
</configuration>
OK so I guess when all you have is a hammer...
After spending way too much time trying to get routing or a handler to work, I ended up looking at this in a different way and using the IIS7 Url Rewrite to rewrite requests for myfile.xml in any path to the actual physical location of the real file.
I could just as easily have routed it to the controller action but the only reason that existed in the first place was to serve the file in this case so was no longer required.
I added this rule to the config file which seems to work well.
<rewrite>
  <rules>
    <clear />
    <rule name="Redirect myfile" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*/myfile.xml" />
      <action type="Rewrite" url="/actual/path/myfile.xml" />
    </rule>
  </rules>
</rewrite>
Catch all parameter anywhere in the URL
I've written such a route that supports this kind of catch-all parameters. Actually there can be even many of them as long as other segments are definable, so we can still distinguish which part goes into which segment.
Code and detailed description can be found on my blog.