Solved

Error 400 bad request: Problem with file name with multiple dots, example: myfile....pdf

Posted on 2016-10-22
Last Modified: 2016-11-29
Hello,

I have a website where users upload files, but if they upload a file with multiple dots like myfile...pdf then I get a 400 bad request when they try to download the file.
ASP.NET C#

Thanks
0
Question by:arnololo123
10 Comments
 
LVL 26

Accepted Solution

by:
skullnobrains earned 300 total points
ID: 41855146
most likely your server (IIS i assume) considers that multiple dots in an url are non legit

if that is actually your problem, a way to circumvent can be found here
https://average-joe.info/allow-dots-in-url-iis/
0
 
LVL 33

Assisted Solution

by:sarabande
sarabande earned 200 total points
ID: 41855215
myfile...pdf
in my opinion it is quite ok that those files are eliminated very early from processing since there are many if not most software which cannot reasonably handle this.

Sara
0
 

Author Comment

by:arnololo123
ID: 41855535
skullnobrains: your link is referring to allowing dots in URL, this is not my case, I just want to download a file that can have multiple dots


Sarabande: There is nothing wrong with a filename like myfile.....pdf, the file will open without problem.
0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 41855580
i was thinking IIS was rejecting the download url for that reason. if that's not the case the problem should be in the asp code

as a poor man's solution, can't you simply rewrite the filenames when they are uploaded in the first place ?
0
 
LVL 33

Assisted Solution

by:sarabande
sarabande earned 200 total points
ID: 41855786
There is nothing wrong with a filename like myfile.....pdf

file paths like ../../bin/debugc/a.lib or c:\xyz\abc\..\..\temp are valid paths as well but nevertheless they would be rejected by many programs which cannot handle relative paths. if the programmers make it easy for them they simply check if ".." is contained in the file name.

if a filename like myfile....pdf was not processed you may claim that there is "nothing wrong" but actually you made a bet against the odds and have lost. it would be better you would try to avoid such naming which had no value in the first place.

Sara
0

 

Author Comment

by:arnololo123
ID: 41856257
The problem is that I have hundreds of files with this issue. So how could I handle the existing ones and how to prevent the issue at the time of upload? Thanks
0
 
LVL 26

Assisted Solution

by:skullnobrains
skullnobrains earned 300 total points
ID: 41856629
have you checked that IIS is not the one that rejects these URLs ? how ? there are high chances that you can't download because IIS does not like the URL format, and you provide zero information regarding the download link.

how to  prevent  the issue at the time of upload

search and replace on the filename in your asp code. or reject the files which do not have reasonably standard names.

how could I handle the existing ones

search for all the files containing .. and rename them. there are tons of batch rename soft that can do that and a few lines of powershell should do as well.

alternatively if you are the one generating the filelist in ASP and the download code, you can stick the same search and replace in the file list and on the names of the files to download. and if this is not feasible, you're using direct download on IIS so you should try the first solution i provided.

btw these files names are perfectly legit and there is no reason whatsoever for which any software would reject them.
0
 

Author Comment

by:arnololo123
ID: 41869098
I have never found any script that fully checks a filename to make sure it is correct. If you know one please let me know.
0
 
LVL 26

Assisted Solution

by:skullnobrains
skullnobrains earned 300 total points
ID: 41871585
use a regular expression or whatever custom tests you feel comfortable with and define what you deem acceptable.

there is no such script because what is correct is whatever the filesystem accepts. different filesystems accept different things and 2 consecutive dots are allowed by all the ones i know including ntfs.

what IIS does not like for whatever reason is another story.
i assume either IIS mistakenly rejects URLs with ".." while it should reject "/../" for security reasons or the urls actually contain "/../" and it is preventing actual hacking attempts
0
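
The distinction drawn in the answer above (".." inside a file name versus ".." as a whole path segment), together with the suggested rewrite at upload time, as an added C# example that is not code from this thread. The class and method names, the allowed character set and the "uploads" root are assumptions chosen for illustration.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

// Hypothetical helper, not code from the thread.
public static class UploadNames
{
    // ".." matters only as a whole path segment ("/../"),
    // not as a substring of a file name such as "myfile....pdf".
    public static bool HasTraversalSegment(string path)
    {
        return Array.IndexOf(path.Split('/', '\\'), "..") >= 0;
    }

    // Rewrite a client-supplied name at upload time.
    // The allow-list is an assumption: define what you deem acceptable.
    public static string Normalize(string clientName)
    {
        // Keep only the last segment, whichever separator the client used.
        string name = clientName.Substring(clientName.LastIndexOfAny(new[] { '/', '\\' }) + 1);
        name = Regex.Replace(name, @"[^A-Za-z0-9._-]", "_"); // replace anything unexpected
        name = Regex.Replace(name, @"\.{2,}", ".");          // collapse runs of dots
        name = name.Trim('.');                               // no leading or trailing dot
        if (name.Length == 0) throw new ArgumentException("empty file name");
        return name;
    }

    // Resolve a stored name and confirm it is still inside the upload root.
    public static string ResolveUnderRoot(string root, string storedName)
    {
        string rootFull = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(rootFull, storedName));
        if (!full.StartsWith(rootFull, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("path escapes upload root");
        return full;
    }

    public static void Main()
    {
        // Constructed sample names.
        string[] samples = { "myfile....pdf", @"..\..\temp\a.lib", "../../bin/report..final.pdf" };
        foreach (string s in samples)
        {
            string stored = Normalize(s);
            Console.WriteLine("{0} traversal={1} stored={2} path={3}", s,
                HasTraversalSegment(s), stored, ResolveUnderRoot("uploads", stored));
        }
    }
}
```

Running Normalize over the names of files already on disk gives the rename targets for the existing uploads; check for collisions before renaming, since two different names can normalize to the same result.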
 
LVL 14

Expert Comment

by:frankhelk
ID: 41905425
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- skullnobrains (https:#a41855146)
-- skullnobrains (https:#a41856629)
-- sarabande (https:#a41855786)
-- sarabande (https:#a41855215)
-- skullnobrains (https:#a41871585)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

frankhelk
Experts-Exchange Cleanup Volunteer
0
