Solved

Error 400 bad request: Problem with file name with multiple dots, example: myfile....pdf

Posted on 2016-10-22
Last Modified: 2016-11-29
Hello,

I have a website where users upload files, but if they upload a file with multiple dots like myfile...pdf then I get a 400 bad request when they try to download the file.
ASP.NET C#

Thanks
Question by:arnololo123
10 Comments
 
LVL 27

Accepted Solution

by:
skullnobrains earned 300 total points
ID: 41855146
most likely your server (IIS i assume) considers that multiple dots in an url are non legit

if that is actually your problem, a way to circumvent can be found here
https://average-joe.info/allow-dots-in-url-iis/
0
 
LVL 34

Assisted Solution

by:sarabande
sarabande earned 200 total points
ID: 41855215
myfile...pdf
in my opinion it is quite ok that those files are eliminated very early from processing since there are many if not most software which cannot reasonably handle this.

Sara
0
 

Author Comment

by:arnololo123
ID: 41855535
skullnobrains: your link is referring to allowing dots in URL, this is not my case, I just want to download a file that can have multiple dots.

Sarabande: There is nothing wrong with a filename like myfile.....pdf, the file will open without problem.
0

 
LVL 27

Expert Comment

by:skullnobrains
ID: 41855580
i was thinking IIS was rejecting the download url for that reason. if that's not the case the problem should be in the asp code

as a poor man's solution, can't you simply rewrite the filenames when they are uploaded in the first place ?
0
 
LVL 34

Assisted Solution

by:sarabande
sarabande earned 200 total points
ID: 41855786
There is nothing wrong with a filename like myfile.....pdf

file paths like ../../bin/debugc/a.lib or c:\xyz\abc\..\..\temp are valid paths as well but nevertheless they would be rejected by many programs which can not handle relative paths. if the programmers make it easy for them they simply check if ".." is contained in the file name.

if a filename like myfile....pdf was not processed you may claim that there is "nothing wrong" but actually you made a bet against the odds and have lost. it would be better you would try to avoid such naming which had no value in the first place.

Sara
0
 

Author Comment

by:arnololo123
ID: 41856257
The problem is that I have hundreds of files with this issue. So how could I handle the existing ones and how to prevent the issue at the time of upload? Thanks
0
 
LVL 27

Assisted Solution

by:skullnobrains
skullnobrains earned 300 total points
ID: 41856629
have you checked that IIS is not the one that rejects these URLs ? how ? there are high chances that you can't download because IIS does not like the URL format, and you provide zero information regarding the download link.

how to prevent the issue at the time of upload

search and replace on the filename in your asp code. or reject the files which do not have reasonably standard names.

how could I handle the existing ones

search for all the files containing .. and rename them. there are tons of batch rename soft that can do that and a few lines of powershell should do as well.

alternatively if you are the one generating the filelist in ASP and the download code, you can stick the same search and replace in the file list and on the names of the files to download. and if this is not feasible, you're using direct download on IIS so you should try the first solution i provided.

btw these files names are perfectly legit and there is no reason whatsoever for which any software would reject them.
0
 

Author Comment

by:arnololo123
ID: 41869098
I have never found any script that fully checks a filename to make sure it is correct. If you know one please let me know.
0
 
LVL 27

Assisted Solution

by:skullnobrains
skullnobrains earned 300 total points
ID: 41871585
use a regular expression or whatever custom tests you feel comfortable with and define what you deem acceptable.

there is no such script because what is correct is whatever the filesystem accepts. different filesystems accept different things and 2 consecutive dots are allowed by all the ones i know including ntfs.

what IIS does not like for whatever reason is another story.
i assume either IIS mistakenly rejects URLs with ".." while it should reject "/../" for security reasons or the urls actually contain "/../" and it is preventing actual hacking attempts
0
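One way to implement the "define what you deem acceptable" check suggested above for upload time, as an added example that is not code from any poster in this thread. The class name `UploadFileName`, the method `Normalize`, the allow-list pattern and the 100-character cap are assumptions chosen for illustration; it strips directory components instead of searching for ".." as a substring, then collapses runs of dots.

```csharp
using System;
using System.Text.RegularExpressions;

public static class UploadFileName
{
    // Assumed policy: letters, digits, space, '_', '-', '.'; must start alphanumeric.
    private static readonly Regex Allowed =
        new Regex(@"^[A-Za-z0-9][A-Za-z0-9 _.\-]{0,99}$", RegexOptions.CultureInvariant);
    private static readonly Regex DotRun = new Regex(@"\.{2,}");
    // Windows device names are refused even with an extension (e.g. "con.txt").
    private static readonly Regex Reserved =
        new Regex(@"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\.|$)", RegexOptions.IgnoreCase);

    // Returns a storage-safe name, or null when the upload should be rejected.
    public static string Normalize(string clientName)
    {
        if (string.IsNullOrWhiteSpace(clientName)) return null;

        // Clients may send a full path; keep only the last segment,
        // splitting on both separators regardless of host OS.
        int cut = clientName.LastIndexOfAny(new[] { '/', '\\' });
        string name = clientName.Substring(cut + 1);

        // "myfile....pdf" -> "myfile.pdf"; then drop leading/trailing dots and spaces.
        name = DotRun.Replace(name, ".").Trim(' ', '.');

        if (!Allowed.IsMatch(name) || Reserved.IsMatch(name)) return null;
        return name;
    }

    public static void Main()
    {
        // Constructed sample inputs.
        string[] samples = { "myfile....pdf", @"C:\Users\a\report..final.pdf",
                             "../../notes.txt", "..", "con.txt", "in<voice>.pdf" };
        foreach (string s in samples)
            Console.WriteLine("{0,-32} -> {1}", s, Normalize(s) ?? "(rejected)");
    }
}
```

The same function can drive a one-off rename of the files already stored. Two different original names can normalize to the same result, so check for an existing file before saving or renaming.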
 
LVL 14

Expert Comment

by:frankhelk
ID: 41905425
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- skullnobrains (https:#a41855146)
-- skullnobrains (https:#a41856629)
-- sarabande (https:#a41855786)
-- sarabande (https:#a41855215)
-- skullnobrains (https:#a41871585)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

frankhelk
Experts-Exchange Cleanup Volunteer
0

Question has a verified solution.