Putting the Con (COM1, LPT1, NUL, etc.) Back in your URLs


One annoyance that some developers have run into with ASP.NET MVC is that certain reserved filenames are not allowed in URLs. Often, this is manifested as a Bad Request error or a File Not Found (404) error.

The specifics of this restriction are accounted for in an interesting blog post entitled Zombie Operating Systems and ASP.NET MVC. This actually wasn’t a restriction on ASP.NET MVC but was built into the core of ASP.NET itself.

Fortunately, ASP.NET 4 fixes this issue with a new setting. In web.config, simply add <httpRuntime relaxedUrlToFileSystemMapping="true"/> to the system.web node. Here’s a snippet from my web.config.

<configuration>
  <system.web>
    <httpRuntime relaxedUrlToFileSystemMapping="true"/>

    <!-- ... your other settings ... -->
  </system.web>
</configuration>

Here is a screenshot of it working on my machine.

[Image: con-in-my-url]

Now you are free to use COM1-9, LPT1-9, AUX, PRT, NUL, CON in your URLs. I know you were dying to do so. :)

What about web.config?

So the question comes up from time to time, “what if I want to have web.config in my URL?” Why would you want that? Well, if you are StackOverflow.com, this makes sense because of the tagging system, which places a tag (such as the “web.config” tag) into the URL. I’m not sure why anyone else would want it. ;)

The answer is yes, it works.

[Image: web.config-in-my-url]

Please note that you still can’t request /web.config because that would try to request web.config in the root of your web application and ASP.NET won’t allow that for good reason!

In fact, any request for a *.config file that doesn’t match a route will fail.

While I think the vast majority of developers really won’t encounter this issue, it’s a real improvement included in ASP.NET 4 for those that do care.

Keep in mind that this isn’t restricted to just these special names. For example, a URL segment ending with a dot, such as in the URL http://example.com/version/1.0./something, will not work unless you set this web.config value.
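Once the setting is on, ASP.NET no longer rejects these segments, so code that turns a route value into a file name has to make the check itself. The following C# guard is an added example, not code from the original post or from ASP.NET; `SafeSegment`, `TryMap`, the `uploads` folder and the sample inputs are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example; SafeSegment and TryMap are hypothetical names, not ASP.NET APIs.
static class SafeSegment
{
    // Windows device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9) plus PRT from the post's list.
    static readonly HashSet<string> Reserved = BuildReserved();

    static HashSet<string> BuildReserved()
    {
        var set = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "CON", "PRN", "PRT", "AUX", "NUL" };
        for (int i = 1; i <= 9; i++) { set.Add("COM" + i); set.Add("LPT" + i); }
        return set;
    }

    // Returns the full path under root, or null when the segment must not reach the file system.
    public static string TryMap(string root, string segment)
    {
        if (string.IsNullOrEmpty(segment)) return null;
        // Win32 strips trailing dots and spaces, so "1.0." would silently open "1.0".
        if (segment.EndsWith(".", StringComparison.Ordinal) || segment.EndsWith(" ", StringComparison.Ordinal)) return null;
        // Accept a single file name only: no separators, no drive or stream colons.
        if (segment.IndexOfAny(new[] { '/', '\\', ':' }) >= 0) return null;
        if (segment.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;
        // "NUL.txt" still names the NUL device, so test the part before the first dot.
        string stem = segment.Split('.')[0].TrimEnd(' ');
        if (Reserved.Contains(stem)) return null;
        // Containment check after normalisation, in case an earlier rule is ever loosened.
        string fullRoot = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(fullRoot, segment));
        return full.StartsWith(fullRoot, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    static void Main()
    {
        // Constructed sample segments, as they might arrive in a route value.
        string[] samples = { "report.pdf", "CON", "nul.txt", "1.0.", "..", "a:b", "..\\secret" };
        string root = Path.Combine(Path.GetTempPath(), "uploads"); // hypothetical content folder
        foreach (string s in samples)
            Console.WriteLine("{0,-12} -> {1}", s, TryMap(root, s) ?? "(rejected)");
    }
}
```

Only `report.pdf` maps to a path; every other sample is rejected before any file API is called.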


Comments

27 responses

  1. Austin Grigg April 28th, 2010

    Phil,
    I'm glad you are planning to blog more regularly again now that things have slowed down. Your posts are always very practical and helpful. Thanks.

  2. Guest April 29th, 2010

    Thanks a ton Phil! Most people would never be affected by this or notice it, but it came up when I had a 3 character state code in my .net mvc url of 'CON' representing 'Cornwall' in the UK. Now off to upgrade to .net 4...

  3. ahjohannessen April 30th, 2010

    Phil, your posts are always funny and witty :) Always enjoy what you post. Happy that MS has you on MVC, bright guy with an open ear :)

  4. Justin April 30th, 2010

    Good to know, although I have never run into this problem. I hope this recent burst of posts is a sign of things to come.

  5. Eric April 30th, 2010

    Does ASP.NET MVC allow for URLs like the following or will the trailing period trip it up?
    http://localhost/movies/view/E.T.

  6. Chris McLeod April 30th, 2010

    Fantastic news.
    Our (ASP.NET MVC-built) Intranet has to deal with listing projects by three-letter "client codes" - which so happen to include clients with the codes AUX, PRT, NUL and CON! Staff have been unable to view projects by these clients, so this change is very welcome!

  7. Michael Stum April 30th, 2010

    Does that also allow Colons in the Url? Can't test it right now, but the inability of ASP.net to serve a URL like "http://Myserver/Special:Something" really sucks :)

  8. Dan F April 30th, 2010

    @Michael (or anyone else who googles this up in the future) You probably already know this, but that's a http.sys restriction, rather than an asp.net restriction. You can do some registry hacking to turn it off - SO 667429 links through to KB 820129. It's not really an option if you're not in control of the server though, so hopefully the relaxedUrlToFileSystemMapping helps out here.

  9. kad1r April 30th, 2010

    Hello Phil. I have a question for web.config section. Is it possible to reach web.config like that? Is there any way (security issue)?

  10. Bradley Landis April 30th, 2010

    So why is the book called Professional ASP.NET MVC 2.0 vs MVC 2?

  11. haacked April 30th, 2010

    @kad1r I addressed that in my post.

    “Please note, that you still can’t request /web.config because that would try to request web.config in the root of your web application and ASP.NET won’t allow that for good reason!”

    You can't request a physical web.config file. Or any file with *.config extension.

    @Bradley the official product name is ASP.NET MVC 2 without the decimal. The book as it's listed on Amazon needs a few corrections.

  12. Jeff Putz May 5th, 2010

    I'd like to know about Eric's question, regarding the trailing period. I seem to encounter that entirely too frequently.

  13. Vampal May 6th, 2010

    "/*.*/" is different with "/*.*"

  14. Guy May 11th, 2010

    Correct me if I'm wrong, but couldn't you read in the contents of the web.config file and list it as the result of requesting the web.config route?
    I don't suggest that you do that but you could "fake it" like that if you want people to think that you are directly listing the contents on the web.config.
    This could also be a honey trap for hackers. i.e. list a fake web.config with a DB connection string that just logs and reports attempted hacking.

  15. Ted November 23rd, 2010

    How can we allow this in .Net 2? Updating to 4.0 is not an option for us and we need to allow CON, NUL, AUX etc in our URLS?

  16. Serhiy September 5th, 2011

    And what about IIS 6 and ASP.NET 4.0? I still have this error at production (IIS6) but not at my machine (IIS7) :(

  17. Rakesh February 6th, 2012

    Hello Phil - I guess I may be replying to an old phantom post here, but just in case you read it at some point in time.
    Even with this setting in .Net 4.0 this does not work for me. It works in localhost (via VS2010) even without this setting <httpRuntime relaxedUrlToFileSystemMapping="true" /> , but when deployed on a Test server fails.

  18. Rakesh February 6th, 2012

    Phil - Never mind, I got it to work by mapping the aspnet_isapi.dll to wildcard application maps under the application configuration for my website.
    I'm putting this here, in case someone comes here looking for another solution.

  19. Paintball Barrel February 8th, 2012

    Does anyone know if this will allow the url rewrite module to receive urls that end with a period "."? Currently this is being blocked from any processing, so external urls that accidentally added a "." to the end of the url are getting error pages, instead of allowing me to redirect them to the page they actually wanted (and get the benefit of having another functioning inbound link)

  20. Nasser September 22nd, 2012

    Using relaxedUrlToFileSystemMapping = 'true' works like magic. I've had issues passing doubles (like 3.45) to a service via the url. It has always failed due to the fact that ASP.Net thinks that the .45 is a file extension. Now that's fixed. This addition to the web.config fixed it. Thanks for the hint man...
    Now I need to find out what security rules is this "relaxation" going to break/undermine.
    Regards
    Nasser

  21. Mikael Syska November 11th, 2012

    Hi,
    While this is working for IIS ... it's not working for IIS Express 8 ... haven't tried other versions. Just as long as I know it's working in production I'm happy.
    Were just about to make a crappy workaround for this problem when I thought I just wanted to give it another try on google ... and my hero Phil showed up.
    Odd that I haven't seen this post last time I searched for a solution.

  22. Vince Bullinger March 11th, 2013

  23. Jac January 28th, 2014

    Phil,

    What if for some reason I am stuck with .net 3.5. And I can't use that "relaxedUrlToFileSystemMapping" attribute?

  24. haacked January 29th, 2014

    Then you're kind of out of luck. You'll have to avoid these keywords.

  25. digiguru (Adam Hall) May 23rd, 2014

    Careful when doing this, it IS a security risk, and you are expected to check your application against attacks as a result:

    http://www.hanselman.com/bl...

    http://stackoverflow.com/qu...

  26. Jake Gaston February 19th, 2015

    What is the exact risk, though?

  27. Jim Schubert March 19th, 2015

    XXE injection would be one of my main concerns (regarding Hanselman's article). https://www.owasp.org/index...

    I think the only real concern with common files allowed in the URL would be if you're loading a file according to URL parameters and not properly ignoring relative paths. I think you'd need to have improper permissions on your app, and a slew of other things, though.