CheckSuspiciousPhysicalPath issue in ASP.Net Framework 1.1 SP1 fix

Hello all,

I have come across an issue with the fix KB886903 -
http://www.microsoft.com/technet/sec.../MS05-004.mspx which is to
do with the ASP.Net path validation vulnerability. This fix is included
automatically in SP1 for Windows Server 2003 also, and I have been unable to
remove it until we can find out how to fix this problem.

The error message is below,

The path contains illegal characters.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.

Exception Details: System.ArgumentException: The path contains illegal
characters.

Source Error:

An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can
be identified using the exception stack trace below.

Stack Trace:

[ArgumentException: The path contains illegal characters.]
System.IO.Path.nGetFullPathHelper(String path, Char[] invalidPathChars,
Char[] whitespaceChars, Char directorySeparator, Char altDirectorySeparator,
Char volumeSeparator, Boolean fullCheck, String& newPath) +0
System.IO.Path.GetFullPathInternal(String path) +165
System.IO.Path.GetFullPath(String path) +19
System.Web.HttpApplication.CheckSuspiciousPhysical Path(String
physicalPath) +19
System.Web.Configuration.HttpConfigurationSystem.C omposeConfig(String
reqPath, IHttpMapPath configmap) +175
System.Web.HttpContext.GetCompleteConfigRecord(Str ing reqpath,
IHttpMapPath configmap) +434
System.Web.HttpContext.GetCompleteConfig() +49
System.Web.HttpContext.GetConfig(String name) +195
System.Web.CustomErrors.GetSettings(HttpContext context, Boolean
canThrow) +20
System.Web.HttpResponse.ReportRuntimeError(Excepti on e, Boolean canThrow)
+39
System.Web.HttpRuntime.FinishRequest(HttpWorkerReq uest wr, HttpContext
context, Exception e) +486

The issue lies with the request we send within a frame. The requested url is
in the form http://.../page.aspx/foldera/folderb/|/pic0001

The pipe "|" character is causing us grief. If we put in %7c we still get
the same error. If you install the KB886903 patch on WinXP or Server2003 this
error occurs and IIS throws a HTTP500 error. If you uninstall it, it works
perfectly.

There is little on the internet about this error, and why we are getting it,
especially since we are not doing anything nasty with the path. Is it because
the "|" char is in System.Path.IO.InvalidPathChars array? Does this mean that
any character in this array that is in a request will throw this exception?

Any help would be fantastic, ideas ect - I'm lost as to how to deal with
this, considering we don't even get to our page before this is throw by
System.Web.dll. Can we get around it at all? Or will we be forced to change
the url itself (and how, especially since '|' is fundamental to our webapp)

Thank you - Leon

Anyone able to help at all?

"Leon" wrote:

Hello all,

I have come across an issue with the fix KB886903 -
http://www.microsoft.com/technet/sec.../MS05-004.mspx which is to
do with the ASP.Net path validation vulnerability. This fix is included
automatically in SP1 for Windows Server 2003 also, and I have been unable to
remove it until we can find out how to fix this problem.

The error message is below,

The path contains illegal characters.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.

Exception Details: System.ArgumentException: The path contains illegal
characters.

Source Error:

An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can
be identified using the exception stack trace below.

Stack Trace:

[ArgumentException: The path contains illegal characters.]
System.IO.Path.nGetFullPathHelper(String path, Char[] invalidPathChars,
Char[] whitespaceChars, Char directorySeparator, Char altDirectorySeparator,
Char volumeSeparator, Boolean fullCheck, String& newPath) +0
System.IO.Path.GetFullPathInternal(String path) +165
System.IO.Path.GetFullPath(String path) +19
System.Web.HttpApplication.CheckSuspiciousPhysical Path(String
physicalPath) +19
System.Web.Configuration.HttpConfigurationSystem.C omposeConfig(String
reqPath, IHttpMapPath configmap) +175
System.Web.HttpContext.GetCompleteConfigRecord(Str ing reqpath,
IHttpMapPath configmap) +434
System.Web.HttpContext.GetCompleteConfig() +49
System.Web.HttpContext.GetConfig(String name) +195
System.Web.CustomErrors.GetSettings(HttpContext context, Boolean
canThrow) +20
System.Web.HttpResponse.ReportRuntimeError(Excepti on e, Boolean canThrow)
+39
System.Web.HttpRuntime.FinishRequest(HttpWorkerReq uest wr, HttpContext
context, Exception e) +486

The issue lies with the request we send within a frame. The requested url is
in the form http://.../page.aspx/foldera/folderb/|/pic0001

The pipe "|" character is causing us grief. If we put in %7c we still get
the same error. If you install the KB886903 patch on WinXP or Server2003 this
error occurs and IIS throws a HTTP500 error. If you uninstall it, it works
perfectly.

There is little on the internet about this error, and why we are getting it,
especially since we are not doing anything nasty with the path. Is it because
the "|" char is in System.Path.IO.InvalidPathChars array? Does this mean that
any character in this array that is in a request will throw this exception?

Any help would be fantastic, ideas ect - I'm lost as to how to deal with
this, considering we don't even get to our page before this is throw by
System.Web.dll. Can we get around it at all? Or will we be forced to change
the url itself (and how, especially since '|' is fundamental to our webapp)

Thank you - Leon