
Tweak request filtering to allow specific file extensions for ~/packages

and ~/api/vX/package paths
Work Item: #519
commit 1472dc57c5e2a3658f567e96f6db253706ec4bfa 1 parent dc23f42
Pranav K pranavkm authored
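--- a/Website/Web.ForbiddenHandlers.config
+++ b/Website/Web.ForbiddenHandlers.config
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<configuration>
+ <system.web>
+ <httpHandlers>
+ <add path="*.config" verb="*" type="System.Web.HttpForbiddenHandler" />
+ <add path="*.rules" verb="*" type="System.Web.HttpForbiddenHandler" />
+ <add path="*.resources" verb="*" type="System.Web.HttpForbiddenHandler" />
+ </httpHandlers>
+ </system.web>
+</configuration>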
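Review bot: The new file uses `<configuration>` as its root element, but Web.config pulls it in through `configSource` on `<httpHandlers>`, and a configSource target is expected to have the referenced section itself as its root. With the `<configuration>`/`<system.web>` wrappers in place, the three `HttpForbiddenHandler` mappings would most likely raise a configuration error instead of taking effect. I would reduce the file to the bare `<httpHandlers>` … `</httpHandlers>` element. I would also add a header comment such as `<!-- 403 handlers for .config/.rules/.resources under the package routes; included via configSource -->`, so the file's role as the remaining block for those extensions is clear.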
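--- a/Website/Web.config
+++ b/Website/Web.config
@@ -57,6 +57,55 @@
 </handlers>
 </system.webServer>
 </location>
+ <!-- Allow some very specific set of name to be used with the ~/package and ~/api/vX/package/ routes -->
+ <location path="packages">
+ <system.web>
+ <httpHandlers configSource="ForbiddenHandlers.config" />
+ </system.web>
+ <system.webServer>
+ <security>
+ <requestFiltering>
+ <fileExtensions allowUnlisted="true">
+ <remove fileExtension=".config" />
+ <remove fileExtension=".rules" />
+ <remove fileExtension=".resources" />
+ </fileExtensions>
+ </requestFiltering>
+ </security>
+ </system.webServer>
+ </location>
+ <location path="api/v1/package">
+ <system.web>
+ <httpHandlers configSource="ForbiddenHandlers.config" />
+ </system.web>
+ <system.webServer>
+ <security>
+ <requestFiltering>
+ <fileExtensions allowUnlisted="true">
+ <remove fileExtension=".config" />
+ <remove fileExtension=".rules" />
+ <remove fileExtension=".resources" />
+ </fileExtensions>
+ </requestFiltering>
+ </security>
+ </system.webServer>
+ </location>
+ <location path="api/v2/package">
+ <system.web>
+ <httpHandlers configSource="ForbiddenHandlers.config" />
+ </system.web>
+ <system.webServer>
+ <security>
+ <requestFiltering>
+ <fileExtensions allowUnlisted="true">
+ <remove fileExtension=".config" />
+ <remove fileExtension=".rules" />
+ <remove fileExtension=".resources" />
+ </fileExtensions>
+ </requestFiltering>
+ </security>
+ </system.webServer>
+ </location>
 <system.web>
 <compilation debug="true" targetFramework="4.0">
 <assemblies>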
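Review bot: `configSource="ForbiddenHandlers.config"` in all three new `<location>` blocks does not match the file this commit adds and registers in the csproj, `Web.ForbiddenHandlers.config`; unless a file with the shorter name exists outside this diff, the reference should read `configSource="Web.ForbiddenHandlers.config"`. The `<remove fileExtension=".config" />`, `.rules` and `.resources` entries lift the request-filtering deny for everything under `packages`, `api/v1/package` and `api/v2/package`, leaving the `system.web/httpHandlers` mapping as the only block for those extensions. If the site runs in the integrated pipeline, that section is not what dispatches requests, so it is worth confirming the forbidden handlers actually fire and that no physical files with these extensions can sit under those paths. The leading comment could also record why the deny is relaxed, for example `<!-- Package IDs may end in .config/.rules/.resources; request filtering would otherwise reject these route URLs -->`, if that is the intent behind work item #519.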
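--- a/Website/Website.csproj
+++ b/Website/Website.csproj
@@ -890,6 +890,7 @@
 </None>
 <None Include="T4MVC.tt.settings.t4" />
 <Content Include="Views\Packages\_PackageDependencies.cshtml" />
+ <Content Include="Web.ForbiddenHandlers.config" />
 </ItemGroup>
 <ItemGroup>
 <Folder Include="DynamicData\CustomPages\" />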
