Reputation: 1119
I'm wanting to use webapi 2 inside an MVC5 project (AngularJS, not that this should make any difference) to create the following types of routes
GET api/animals/cats => return cats
GET api/animals/dogs => return dogs
GET api/animals/* => return all animals (e.g. cats+dogs)
Background: What I did to get started was the following;
(apologies if this looks like too much information, just here in case different project types result in different illegal character checking. )
I want to be able to have users pass in a '*' character to indicate a wildcard, indicating all animals. To allow this, using webapi, I registered the following test route;
    config.Routes.MapHttpRoute(
        name: RouteNames.Animals,
        routeTemplate: "api/animals/{animal}",
        defaults: new { id = RouteParameter.Optional, controller = "AnimalsApi" }
    );
When I test this using Postman, I receive a 400 Bad Request response, with the following error message:
A potentially dangerous Request.Path value was detected from the client (*).
I've read a few related blog posts suggesting that this character is evil because of various reasons, some referencing W3.org, however, the rfc1738 spec for (Uniform Resource Locators 'URL') (page3) seems to actually allow the use of '*' unescaped. extract below;
...Thus, only alphanumerics, the special characters "$-_.+!*'(),", and reserved characters used for their reserved purposes may be used unencoded within a URL...
Maybe I've misread this? '*' chars appear to have the W3's blessing, but will gleefully crash your nice clean webapi restful(?) webservice.
I really don't like the syntax of having to use queryparams to work around the problem. The following is a quick (and imho, dirty) fix -> GET api/animals/?animal=*
This defeats the whole purpose of having a clean route syntax. My question is, why is '*' evil? i.e. If I allow it, via requestPathInvalidCharacters in web.config (only the '*' char, none of the other 'known evil' chars), then what would I be risking? What pandora's box of hacking woes would I be exposed to?
Update ( after I accepted the correct answer to the question as defined above, prior to this last comment below before I go to bed! Thanks to everyone for the amazingly quick and accurate responses.)
A more interesting discussion might have been had, if I had proposed the following as the example routes; (wink)
api/animals/{type}/{location}/{sex}
...
GET api/animals/*/london/male => return all male animals in london
GET api/animals/cats/*/female => return all female cats across all locations
thanks all! cheers, A
Upvotes: 1
Views: 1955
Reputation: 141678
My question is, why is '*' evil? i.e. If I allow it, via requestPathInvalidCharacters in web.config
They may have special meaning:
The asterisk ("*", ASCII 2A hex) and exclamation mark ("!" , ASCII 21 hex) are reserved for use as having special signifiance within specific schemes.
I agree with Claudio's comment, that the better option for "anything" is to just omit the term altogether.
Upvotes: 3
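The approach recommended in the answer above (omit the segment instead of sending '*'), as an added example that is not code from either post. The route name "Animals", the in-memory sample data and the 404 handling are assumptions for illustration; requestPathInvalidCharacters in web.config stays at its default.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Http;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // {animal} is optional, so "all animals" is GET api/animals with no
        // wildcard segment; requestPathInvalidCharacters keeps its default.
        config.Routes.MapHttpRoute(
            name: "Animals", // assumed name; the question uses RouteNames.Animals
            routeTemplate: "api/animals/{animal}",
            defaults: new { controller = "AnimalsApi", animal = RouteParameter.Optional }
        );
    }
}

public class AnimalsApiController : ApiController
{
    // Constructed sample data; doubles as the allow-list of valid segment values.
    private static readonly Dictionary<string, string[]> Animals =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "cats", new[] { "Tom", "Felix" } },
            { "dogs", new[] { "Rex", "Fido" } }
        };

    // GET api/animals       => all animals
    // GET api/animals/cats  => cats only
    public IHttpActionResult Get(string animal = null)
    {
        if (string.IsNullOrEmpty(animal))
        {
            return Ok(Animals.Values.SelectMany(names => names).ToList());
        }

        string[] matches;
        if (!Animals.TryGetValue(animal, out matches))
        {
            return NotFound(); // anything outside the allow-list is rejected
        }

        return Ok(matches);
    }
}
```

Because the segment value is only ever used as a dictionary key, an unexpected value ends in a 404 rather than reaching a query or file path.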