I'd like to block requests to any .php or .cgi regardless of the pathing information.
我想要阻止对任何.php或.cgi的请求,而不考虑路径信息。
For example, when the following url is used:
例如,当使用以下url时:
http://mysite/Admin/Scripts/Setup.php
http://mysite/Admin/Scripts/Setup.php
It matches an existing route:
它匹配现有的路线:
routeCollection.MapRoute("Admin", "admin/{controller}/{action}/{uid}/{*pathInfo}", new { controller = "Admin", action = "Index", uid = "" });
However there is no controller for scripts so MVC throws the following:
但是由于没有脚本的控制器,所以MVC抛出了以下内容:
The IControllerFactory '' did not return a controller for a controller named 'scripts'.
IControllerFactory“没有为名为‘scripts’的控制器返回控制器。”
What I'd really prefer is that the request is simply met with a hard fail before MVC ever got to the controller.
我真正希望的是,在MVC到达控制器之前,请求会遇到一个很难的失败。
I know that I can do this by hooking the Application_BeginRequest in the Global.asax and throwing a new HttpException(404, "Not Found") but that's not quite the elegant solution I'm looking for.
我知道我可以通过在全局中连接Application_BeginRequest来实现这一点。asax和抛出一个新的HttpException(404,“Not Found”),但这并不是我想要的优雅的解决方案。
I was really hoping that this would work:
我真的希望这能奏效:
routeCollection.IgnoreRoute("{resource}.php/{*pathInfo}");
But it doesn't.
但它不是。
NOTE: Sean Lynch's answer works great but I still would really like a System.Web.Routing or System.Web.Mvc based solution. That way I can allow my users to add their own exclusions at runtime.
注:肖恩·林奇的回答很好,但我还是想要一个System.Web。路由或包含。基于Mvc的解决方案。这样,我可以允许我的用户在运行时添加他们自己的排除。
4 个解决方案
#1
7
If you hosting provider supports the IIS7 URL Rewrite module then you could check out this link:
如果托管提供者支持IIS7 URL重写模块,那么您可以查看以下链接:
http://learn.iis.net/page.aspx/499/request-blocking---rule-template/
http://learn.iis.net/page.aspx/499/request-blocking---rule-template/
Update here is what you would put into your web.config in the system.webserver section:
这里的更新是你将会放到你的网上。系统中配置。网络服务器:
<system.webServer>
<rewrite>
<rules>
<rule name="RequestBlockingRule1" patternSyntax="Wildcard">
<match url="*" />
<conditions>
<add input="{URL}" pattern="*.php*" />
</conditions>
<action type="CustomResponse" statusCode="403" />
</rule>
</rules>
</rewrite>
</system.webServer>
#2
15
I know this is an old post but if you're looking for an ignore route for php requests (and some others) including requests within sub folders then I have found the code below works well (adapted from the ignore routes post from Phil Haack)
我知道这是一个旧的帖子,但是如果你在寻找php请求的忽略路线(还有一些其他的),包括子文件夹中的请求,那么我发现下面的代码很好用(根据Phil Haack的《忽略路由》)
I also added a specific ignore route for the occasional apple touch icon request (using a wildcard for the different dimensions) and allowed for the different file extensions for the favicon (Google toolbar and some other browsers look for png and gif favicons).
我还为偶尔的苹果触摸图标请求添加了一个特定的忽略路径(使用不同维度的通配符),并为favicon添加了不同的文件扩展名(谷歌工具栏和其他一些浏览器寻找png和gif图标)。
Of course you could add an ignore route for all image file extensions but in my case I still want to route some of the other requests.
当然,您可以为所有映像文件扩展添加忽略路由,但在我的示例中,我仍然希望路由其他一些请求。
routes.IgnoreRoute("{*allphp}", new { allphp = @".*\.php(/.*)?" });
routes.IgnoreRoute("{*allcgi}", new { allcgi = @".*\.cgi(/.*)?" });
routes.IgnoreRoute("{*allaspx}", new { allaspx = @".*\.aspx(/.*)?" });
routes.IgnoreRoute("{*favicons}", new { favicons = @".*favicon\.(ico|gif|png)(/.*)?" });
routes.IgnoreRoute("{*allappleicon}", new { allappleicon = @"apple-touch-icon-.*\.png(/.*)?" });
Despite having these ignore routes, I still think that using request blocking for php files is preferable if you have access to do it.
尽管有这些忽略路由,但我仍然认为,如果您有访问权限,那么最好对php文件使用请求阻塞。
#3
0
I found How to ignore route in asp.net forms url routing which might work for this, it uses the StopRoutingHandler class, and as long as the requests to .php do run through the routing this will probably work.
我发现了如何忽略asp.net forms url路由中可能适用的路由,它使用了StopRoutingHandler类,并且只要对.php的请求在路由中运行,这很可能是有效的。
If the .php requests are not going through the routing handler then this probably wouldn't work.
如果.php请求没有通过路由处理程序,那么这可能不会工作。
#4
0
You could block these extensions before it even hits IIS with Microsoft's UrlScan ISAPI Filter.
你甚至可以在它使用微软的UrlScan ISAPI过滤器访问IIS之前阻止这些扩展。
#1
7
If you hosting provider supports the IIS7 URL Rewrite module then you could check out this link:
如果托管提供者支持IIS7 URL重写模块,那么您可以查看以下链接:
http://learn.iis.net/page.aspx/499/request-blocking---rule-template/
http://learn.iis.net/page.aspx/499/request-blocking---rule-template/
Update here is what you would put into your web.config in the system.webserver section:
这里的更新是你将会放到你的网上。系统中配置。网络服务器:
<system.webServer>
<rewrite>
<rules>
<rule name="RequestBlockingRule1" patternSyntax="Wildcard">
<match url="*" />
<conditions>
<add input="{URL}" pattern="*.php*" />
</conditions>
<action type="CustomResponse" statusCode="403" />
</rule>
</rules>
</rewrite>
</system.webServer>
#2
15
I know this is an old post but if you're looking for an ignore route for php requests (and some others) including requests within sub folders then I have found the code below works well (adapted from the ignore routes post from Phil Haack)
我知道这是一个旧的帖子,但是如果你在寻找php请求的忽略路线(还有一些其他的),包括子文件夹中的请求,那么我发现下面的代码很好用(根据Phil Haack的《忽略路由》)
I also added a specific ignore route for the occasional apple touch icon request (using a wildcard for the different dimensions) and allowed for the different file extensions for the favicon (Google toolbar and some other browsers look for png and gif favicons).
我还为偶尔的苹果触摸图标请求添加了一个特定的忽略路径(使用不同维度的通配符),并为favicon添加了不同的文件扩展名(谷歌工具栏和其他一些浏览器寻找png和gif图标)。
Of course you could add an ignore route for all image file extensions but in my case I still want to route some of the other requests.
当然,您可以为所有映像文件扩展添加忽略路由,但在我的示例中,我仍然希望路由其他一些请求。
routes.IgnoreRoute("{*allphp}", new { allphp = @".*\.php(/.*)?" });
routes.IgnoreRoute("{*allcgi}", new { allcgi = @".*\.cgi(/.*)?" });
routes.IgnoreRoute("{*allaspx}", new { allaspx = @".*\.aspx(/.*)?" });
routes.IgnoreRoute("{*favicons}", new { favicons = @".*favicon\.(ico|gif|png)(/.*)?" });
routes.IgnoreRoute("{*allappleicon}", new { allappleicon = @"apple-touch-icon-.*\.png(/.*)?" });
Despite having these ignore routes, I still think that using request blocking for php files is preferable if you have access to do it.
尽管有这些忽略路由,但我仍然认为,如果您有访问权限,那么最好对php文件使用请求阻塞。
#3
0
I found How to ignore route in asp.net forms url routing which might work for this, it uses the StopRoutingHandler class, and as long as the requests to .php do run through the routing this will probably work.
我发现了如何忽略asp.net forms url路由中可能适用的路由,它使用了StopRoutingHandler类,并且只要对.php的请求在路由中运行,这很可能是有效的。
If the .php requests are not going through the routing handler then this probably wouldn't work.
如果.php请求没有通过路由处理程序,那么这可能不会工作。
#4
0
You could block these extensions before it even hits IIS with Microsoft's UrlScan ISAPI Filter.
你甚至可以在它使用微软的UrlScan ISAPI过滤器访问IIS之前阻止这些扩展。