Reputation: 20937
We use ASP.NET Core's "MVC", but not the new "Razor Pages".
I know they get served from /Pages by default, so at runtime (!!) I dropped some razor pages in there to see what would happen - and to my surprise they were served without doing anything further!
This is a major security risk for us. On the production server, some malicious actor could drop razor pages into the correct directory, and then do considerable damage.
I assumed they could be disabled, but found nothing about this.
How can I completely disable "Razor Pages"?
Upvotes: 1
Views: 1318
Reputation: 20937
Comments above by @CodeCaster say they can't be disabled, so I thought of a hacky workaround - change the directory to something random:
services
    .AddMvc()
    // Serve Razor Pages from a random directory name instead of the default /Pages
    .WithRazorPagesRoot("/" + generateRandomString());
This isn't foolproof though - it won't stop someone who is determined enough to mess with your dlls.
(If they can be disabled, add your answer and I'll accept it.)
Upvotes: 2
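An alternative to hiding the root directory, shown here as an added example that is not part of the original posts: leave Razor Pages registered but strip the route selectors from every discovered page, so a .cshtml file placed under the pages root gets no URL. It assumes ASP.NET Core 2.1 or later, where `IPageRouteModelConvention` is available; `RemoveAllPageRoutesConvention` is a hypothetical name chosen for this sketch, and the behaviour should be confirmed on your framework version by requesting a test page.

```csharp
using Microsoft.AspNetCore.Mvc.ApplicationModels;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical convention (not a framework type): applied to every Razor Page
// the framework discovers, including pages found after startup when the
// pages directory is watched for changes.
public sealed class RemoveAllPageRoutesConvention : IPageRouteModelConvention
{
    public void Apply(PageRouteModel model)
    {
        // Each selector is one route template for the page. With none left,
        // no action descriptor is created, so the page cannot be requested.
        model.Selectors.Clear();
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services
            .AddMvc()
            .AddRazorPagesOptions(options =>
            {
                // Registered globally, so it covers the whole pages root.
                options.Conventions.Add(new RemoveAllPageRoutesConvention());
            });
    }
}
```

This only removes routing for Razor Pages. MVC controllers and their views are unaffected, and write access to the deployment directory remains the underlying exposure.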