Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Important Notice!] Please update handlers section in web.config files #4017

Closed
volkanceylan opened this issue Oct 20, 2018 · 4 comments

Comments

@volkanceylan
Copy link
Owner

@volkanceylan volkanceylan commented Oct 20, 2018

While testing another site, we noticed that handlers in our web.config files also applies to sub folders. This might lead to some problems / security issues for your error log. Please put a slash in PATH attribute of these handlers. E.g. if you have these in your web.config:

  <handlers>
    <add name="ErrorLog" path="errorlog.axd" verb="POST,GET,HEAD" type="StackExchange.Exceptional.HandlerFactory, StackExchange.Exceptional" preCondition="integratedMode" />
    <add name="DynamicScriptHandler" verb="POST,GET,HEAD" path="DynJS.axd" type="Serenity.Web.HttpHandlers.DynamicScriptHandler, Serenity.Web" />
  </handlers>

Replace them with

  <handlers>
    <add name="ErrorLog" path="/errorlog.axd" verb="POST,GET,HEAD" type="StackExchange.Exceptional.HandlerFactory, StackExchange.Exceptional" preCondition="integratedMode" />
    <add name="DynamicScriptHandler" verb="POST,GET,HEAD" path="/DynJS.axd" type="Serenity.Web.HttpHandlers.DynamicScriptHandler, Serenity.Web" />
  </handlers>

So that they only apply to root folder.

If this configuration causes any problems for you, let us know.

@stixoffire

This comment has been minimized.

Copy link

@stixoffire stixoffire commented Oct 20, 2018

I had to change the order of the handlers and the modules in my web config on Visual Studio 2017.

Handlers FIRST, and then MODULES .. I don't know why that resolved the issue I was having.

Only occurred with Windows 10 Professional 64 and IIS 10.0.1734 - I will add the slash though..

@Zahar661

This comment has been minimized.

Copy link

@Zahar661 Zahar661 commented Oct 22, 2018

<add name="SkipStaticFileForUploadFolder" verb="GET" path="upload/*" type="System.Web.Handlers.TransferRequestHandler"/>
?
<add name="SkipStaticFileForUploadFolder" verb="GET" path="/upload/*" type="System.Web.Handlers.TransferRequestHandler"/>

@Estrusco

This comment has been minimized.

Copy link
Contributor

@Estrusco Estrusco commented Oct 22, 2018

OK thank you volkan

@volkanceylan

This comment has been minimized.

Copy link
Owner Author

@volkanceylan volkanceylan commented Oct 22, 2018

Didn't test that for upload yet, if it works for you, e.g. can see uploaded files after making that change, then you should

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.