asp.net mvc - Why can't I allow '*' characters in WebAPI routes safely? (or, if it can, how?)


I'm wanting to use WebAPI 2 inside an MVC5 project (with AngularJS, which should not make a difference) to create the following types of routes:

    api/animals/cats => return cats
    api/animals/dogs => return dogs
    api/animals/*    => return all animals (e.g. cats + dogs)

Background: to get started I did the following;

  1. From Visual Studio 2013, new empty MVC application
  2. In the Controllers folder, right click, Add New Controller, select WebAPI 2 Controller

(Apologies if this looks like too much information; it's here in case different project types result in different illegal character checking.)

I want to be able to have users pass in the '*' character to indicate a wildcard, meaning all animals. To allow this, using WebAPI, I registered the following test route;

    config.Routes.MapHttpRoute(
        name: RouteNames.Animals,
        routeTemplate: "api/animals/{animal}",
        // the template parameter is {animal}, so the default for id has no effect here
        defaults: new { id = RouteParameter.Optional, controller = "AnimalsApi" }
    );

When I test this, using Postman, I receive a 400 Bad Request response, with the following error message;

    A potentially dangerous Request.Path value was detected from the client (*).

I've read a few related blog posts suggesting the character is evil for various reasons, referencing w3.org; however, the RFC 1738 spec (Uniform Resource Locators 'URL') (page 3) seems to allow the use of '*' unescaped. Extract below;

    ...Thus, only alphanumerics, the special characters "$-_.+!*'(),", and reserved characters used for their reserved purposes may be used unencoded within a URL...

Maybe I've misread this? '*' chars appear to have the W3's blessing, yet gleefully crash my nice clean WebAPI RESTful(?) web service.

I don't like the syntax of having to use query params to work around the problem. The following quick (and, IMHO, dirty) fix -> GET api/animals/?animal=* defeats the whole purpose of having a clean route syntax. My question is, why is '*' evil? i.e. if I allow it, via requestPathInvalidCharacters in web.config (only the '*' char, none of the other 'known evil' chars), what am I risking? What Pandora's box of hacking woes am I exposed to?

UPDATE (after I accepted the correct answer to the question defined above, prior to my last comment below, before I go to bed! Amazingly quick, accurate responses.)

A more interesting discussion might have been had if I had proposed the following example routes; (wink)

    api/animals/{type}/{location}/{sex}
    ...
    api/animals/*/london/male  => return male animals in London
    api/animals/cats/*/female  => return female cats across all locations

Thanks all! Cheers, A

"My question is, why is '*' evil? i.e. if I allow it, via requestPathInvalidCharacters in web.config"

They may have special meaning:

    The asterisk ("*", ASCII 2A hex) and exclamation mark ("!", ASCII 21 hex) are reserved for use as having special significance within specific schemes.

I agree with Claudio's comment: the better option for "anything" is to omit the term altogether.
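As an added example (not code from the question or the answer), this is the "omit the term" design in Web API 2: a trailing optional segment so that api/animals returns everything and api/animals/cats returns only cats, which leaves the default httpRuntime requestPathInvalidCharacters in web.config untouched. The controller name AnimalsApiController and the sample data are assumptions.

```csharp
// Added example: '*' never appears in the path; the absence of the segment
// is the wildcard, so ASP.NET request validation stays at its defaults.
using System.Collections.Generic;
using System.Linq;
using System.Web.Http;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // A trailing route parameter may be optional, so one template
        // covers both api/animals and api/animals/{animal}.
        config.Routes.MapHttpRoute(
            name: "Animals",
            routeTemplate: "api/animals/{animal}",
            defaults: new { controller = "AnimalsApi", animal = RouteParameter.Optional }
        );
    }
}

public class AnimalsApiController : ApiController
{
    // Constructed sample data standing in for a real repository.
    private static readonly Dictionary<string, string[]> Animals =
        new Dictionary<string, string[]>
        {
            { "cats", new[] { "Tabby", "Siamese" } },
            { "dogs", new[] { "Beagle", "Collie" } }
        };

    // GET api/animals -> every animal. Web API picks this overload when the
    // {animal} route value is absent.
    public IHttpActionResult Get()
    {
        return Ok(Animals.Values.SelectMany(a => a));
    }

    // GET api/animals/{animal} -> one kind. An unknown kind is an ordinary
    // 404 from the controller, not a 400 from request validation.
    public IHttpActionResult Get(string animal)
    {
        string[] found;
        if (!Animals.TryGetValue(animal.ToLowerInvariant(), out found))
            return NotFound();
        return Ok(found);
    }
}
```

RouteParameter.Optional only applies to trailing segments, so the mid-route wildcards in the question's update (api/animals/*/london/male) cannot be expressed by omission; that case needs a reserved literal such as "all" or a query parameter rather than '*'.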
