Robert Hill

Reputation: 353

Error: A potentially dangerous Request.Path value was detected from the client (&)

I'm getting this error when attempting to set the Uri to the SSRS 2014 Report Server Uri. Here's the code where the error occurs.

    mReportViewer.ServerReport.ReportServerUrl = New System.Uri("http://MONROE:80/ReportServer_SQL2014")

This is on a new ASP.NET 4.0 web application that I am testing before release. The exact same code executes fine under the current production version of this web application which is .NET 3.5.

I can't see what's dangerous about this URL. I'm wondering if it could be something else that's causing the error, however, this appears to be the offending line of code because if I comment this out, the page loads normally (albeit without rendering the report).

Any thoughts??

---- UPDATE - 5/3/2018

Removing the :80 (not really needed) _ from the report server name solved the issue with the illegal path name, but now I'm getting another strange error.

The really strange thing is that this same web application and report viewer works fine on my development machine using IIS Express. Also, this report URL works fine in the production version under ASP.NET 3.5.

Any ideas on what path or file name is the concern here, because http://MONROE/ReportServer_SQL2014 is definitely not 248 characters in length!

Here's the code for the Application_BeginRequest procedure...

    Sub Application_BeginRequest(ByVal Sender As Object, ByVal E As EventArgs)
        ' This solves a vulnerability issue
        ' Microsoft Knowledge Base (KB) article 887459, "Programmatically Checking for Canonicalization Issues with ASP.NET,"
        ' Reject paths containing a backslash (Chr(92)) or whose physical path is not in canonical form
        If (Request.Path.IndexOf(Chr(92)) >= 0 Or
            System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) Then

            Throw New HttpException(404, "Not Found")
        End If
        ' The following line must be restored when moving to production on a site with a secure certificate
        ' Redirect non-local plain-HTTP requests to HTTPS
        If ((Not HttpContext.Current.Request.IsSecureConnection) And (Not HttpContext.Current.Request.IsLocal)) Then
            Response.Redirect("https://" & Request.ServerVariables("HTTP_HOST") & HttpContext.Current.Request.RawUrl)
        End If
    End Sub

Upvotes: 0

Views: 4805

Answers (1)

Mohsin Mehmood

Reputation: 4236

I believe the issue is caused by the underscore (_) in the report server URL.

Can you try adding the following code in web.config?

<system.web>
    <httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />
    <pages validateRequest="false" />
</system.web>

Upvotes: 1
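
Added example, not part of the answer above and not the poster's code: the same web.config change narrowed so that request validation stays enabled. It assumes the only character that has to be admitted in request paths is the `&` named in the error message; the list shown is the ASP.NET 4 default for `requestPathInvalidCharacters` with `&` removed.

```xml
<configuration>
  <system.web>
    <!-- Broad form, as posted in the answer: empties the invalid-character
         list for request paths and turns page request validation off for
         the whole application:
           httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0"
           pages validateRequest="false" -->

    <!-- Narrowed form (assumption: only "&" must be accepted in paths).
         The ASP.NET 4 default list is  < > * % & : \ ?
         Below is that list without "&", with < and > XML-escaped.
         requestValidationMode and validateRequest are left at their
         defaults, so form, query-string and cookie validation stays on. -->
    <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,:,\,?" />
  </system.web>
</configuration>
```

If another character turns out to be the one rejected, remove that character from the list instead and keep the rest.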
