
Tweak request filtering to allow specific file extensions for ~/packages

and ~/api/vX/package paths
Work Item: #519
commit 1472dc57c5e2a3658f567e96f6db253706ec4bfa 1 parent dc23f42
@pranavkm pranavkm authored
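--- a/Website/Web.ForbiddenHandlers.config
+++ b/Website/Web.ForbiddenHandlers.config
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<configuration>
+ <system.web>
+ <httpHandlers>
+ <add path="*.config" verb="*" type="System.Web.HttpForbiddenHandler" />
+ <add path="*.rules" verb="*" type="System.Web.HttpForbiddenHandler" />
+ <add path="*.resources" verb="*" type="System.Web.HttpForbiddenHandler" />
+ </httpHandlers>
+ </system.web>
+</configuration>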
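Review bot: A file pulled in through `configSource` has to have the section element itself as its root, but this new file wraps `<httpHandlers>` in `<configuration>` and `<system.web>`; as far as I can tell ASP.NET will raise a configuration error the first time one of the referencing locations is resolved. Dropping the two wrapper elements so the file starts at `<httpHandlers>` should be enough. A short header comment such as `<!-- Included via configSource from the packages and api/vX/package locations in Web.config -->` would also tell a reader why the file exists and where it is consumed.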
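--- a/Website/Web.config
+++ b/Website/Web.config
@@ -57,6 +57,55 @@
 </handlers>
 </system.webServer>
 </location>
+ <!-- Allow some very specific set of name to be used with the ~/package and ~/api/vX/package/ routes -->
+ <location path="packages">
+ <system.web>
+ <httpHandlers configSource="ForbiddenHandlers.config" />
+ </system.web>
+ <system.webServer>
+ <security>
+ <requestFiltering>
+ <fileExtensions allowUnlisted="true">
+ <remove fileExtension=".config" />
+ <remove fileExtension=".rules" />
+ <remove fileExtension=".resources" />
+ </fileExtensions>
+ </requestFiltering>
+ </security>
+ </system.webServer>
+ </location>
+ <location path="api/v1/package">
+ <system.web>
+ <httpHandlers configSource="ForbiddenHandlers.config" />
+ </system.web>
+ <system.webServer>
+ <security>
+ <requestFiltering>
+ <fileExtensions allowUnlisted="true">
+ <remove fileExtension=".config" />
+ <remove fileExtension=".rules" />
+ <remove fileExtension=".resources" />
+ </fileExtensions>
+ </requestFiltering>
+ </security>
+ </system.webServer>
+ </location>
+ <location path="api/v2/package">
+ <system.web>
+ <httpHandlers configSource="ForbiddenHandlers.config" />
+ </system.web>
+ <system.webServer>
+ <security>
+ <requestFiltering>
+ <fileExtensions allowUnlisted="true">
+ <remove fileExtension=".config" />
+ <remove fileExtension=".rules" />
+ <remove fileExtension=".resources" />
+ </fileExtensions>
+ </requestFiltering>
+ </security>
+ </system.webServer>
+ </location>
 <system.web>
 <compilation debug="true" targetFramework="4.0">
 <assemblies>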
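Review bot: Each of the three added `<location>` blocks removes the request-filtering deny entries for `.config`, `.rules` and `.resources`, so under `packages`, `api/v1/package` and `api/v2/package` the only remaining barrier is the `system.web/httpHandlers` mapping, which IIS consults only in classic pipeline mode (if this site runs integrated, which the page does not show, it would not apply). The comment above the blocks says what is allowed but not what still keeps real files with those extensions from being served; I would extend it along the lines of `<!-- Request filtering is relaxed only for these route prefixes; they must never resolve to physical files -->` and back that with a request test against each prefix. `configSource="ForbiddenHandlers.config"` also does not match the file this commit adds, `Web.ForbiddenHandlers.config`, unless a build or deploy step outside this page renames it. The block is copied per API version, so a later `api/v3/package` route would need its own copy to get the same treatment.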
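--- a/Website/Website.csproj
+++ b/Website/Website.csproj
@@ -890,6 +890,7 @@
 </None>
 <None Include="T4MVC.tt.settings.t4" />
 <Content Include="Views\Packages\_PackageDependencies.cshtml" />
+ <Content Include="Web.ForbiddenHandlers.config" />
 </ItemGroup>
 <ItemGroup>
 <Folder Include="DynamicData\CustomPages\" />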