Description
I have a website that utilizes physical directory browsing. Here's my code:
/// <summary>
/// OWIN startup entry point: wires up Web API, Autofac, MVC routes and filters,
/// then the static-file / directory-browsing middleware for this site.
/// </summary>
/// <param name="app">The OWIN application builder supplied by the host.</param>
public void Configuration(IAppBuilder app)
{
    AreaRegistration.RegisterAllAreas();
    HttpConfiguration config = GlobalConfiguration.Configuration;
    //config.MessageHandlers.Add(new CustomHeaderHandler()); // Added this for no caching
    //System.Web.Http.GlobalConfiguration.Configure(Startup.Register);
    config.MessageHandlers.Add(new CancelledTaskBugWorkaroundMessageHandler());
    config.EnsureInitialized();
    //app.UseWebApi(config);
    AutofacConfig.RegisterAutoFac(config);
    RegisterRoutes(RouteTable.Routes);
    GlobalFilters.Filters.Add(new HandleErrorAttribute());
    // Middleware order is significant in OWIN: the default static-file middleware
    // and the custom file-server mounts are registered last, after Web API,
    // the container, routes and filters.
    app.UseStaticFiles();
    ConfigureStaticFiles(app);
}
/// <summary>
/// Registers the static-file middleware: the site's <c>wwwroot</c> content plus two
/// browsable mounts (<c>/Downloads</c> and <c>/Attachments</c>) backed by the
/// physical directories named in application settings.
/// </summary>
/// <param name="app">The OWIN application builder.</param>
private void ConfigureStaticFiles(IAppBuilder app)
{
    //app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
    //app.Use(typeof(ToolDirectory.Web.Middleware));
    app.UseStageMarker(PipelineStage.MapHandler);

    // Site content: default documents only, no listing, known MIME types only.
    app.UseFileServer(BuildFileServerOptions(string.Empty, "wwwroot"));

    // http://stackoverflow.com/questions/37035175/net-owin-self-host-with-with-no-caching
    // User-populated directories: listing enabled and every file type served.
    // NOTE(review): folder names are written into the generated listing page; a name
    // containing '&' is not percent-encoded in that link and the request is then
    // rejected by ASP.NET request validation. That formatting lives in the
    // directory-browser middleware, not here.
    // NOTE(review): ServeUnknownFileTypes on a directory users can populate serves
    // whatever is placed there with a guessed content type — confirm what may be
    // uploaded to these locations.
    app.UseFileServer(BuildBrowsableOptions("/Downloads", Properties.Settings.Default.DownloadDirectory));
    app.UseFileServer(BuildBrowsableOptions("/Attachments", Properties.Settings.Default.AttachmentDirectory));
}

/// <summary>
/// Builds options for a mount that lists its directory contents and serves files of
/// unknown type; otherwise identical to <see cref="BuildFileServerOptions"/>.
/// </summary>
/// <param name="requestPath">URL prefix the mount answers on.</param>
/// <param name="physicalPath">Directory to serve, relative to the application base directory.</param>
/// <returns>A browsable <see cref="FileServerOptions"/> instance.</returns>
private static FileServerOptions BuildBrowsableOptions(string requestPath, string physicalPath)
{
    var mount = BuildFileServerOptions(requestPath, physicalPath);
    mount.StaticFileOptions.ServeUnknownFileTypes = true;
    mount.EnableDirectoryBrowsing = true;
    return mount;
}
/// <summary>
/// Builds <see cref="FileServerOptions"/> for one mount point rooted under the
/// application base directory, with default-document handling enabled.
/// </summary>
/// <param name="requestPath">URL prefix the mount answers on (empty string for the site root).</param>
/// <param name="physicalPath">Directory to serve, combined with
/// <c>AppDomain.CurrentDomain.BaseDirectory</c>; <c>Path.Combine</c> returns it
/// unchanged when it is already an absolute path.</param>
/// <returns>Options with directory browsing and unknown-file-type serving left at their defaults.</returns>
private static FileServerOptions BuildFileServerOptions(string requestPath, string physicalPath)
{
    var prefix = new PathString(requestPath);
    string root = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, physicalPath);
    var fileSystem = new PhysicalFileSystem(root);

    return new FileServerOptions
    {
        RequestPath = prefix,
        FileSystem = fileSystem,
        EnableDefaultFiles = true
    };
}
Everything has been working fine until a user created a folder whose name contains an ampersand. The URL in the OWIN-generated directory-browsing page does not properly escape the ampersand (although it DOES appear to escape spaces, which is interesting). When a user clicks the link, it results in an error.
Here's what the URL on the OWIN-generated directory-browsing page might look like:
http://localhost:1234/downloads/Phast/Phast%20&%20Safeti%208.11/
Notice the ampersand is NOT escaped.
The error in IIS is:
System.Web.HttpException:
A potentially dangerous Request.Path value was detected from the client (&).
My project targets .Net Framework 4.6.1
I'm using Microsoft.Owin Nuget packages with version 4.0.1
I suspect the fix for this will be to use System.Web.HttpUtility.UrlEncode for URLs, rather than ONLY escaping spaces.