Azure websites throw 500 error when there is a colon in the URL

Question

External clients are hitting my Azure website with urls that contain the colon (:) character. The request are not valid, but on my old IIS server it would give a 404 error. On Azure, the same URL will give a 500 error. This wastes my time, as I have to check the logs. This is an example of a request:

http://www.example.com/http:/www.example.com

Is there any way of avoiding this behaviour on the server side, and give 4xx error instead? Keep in mind, this problem is on Azure only, and I do not control the requests.

Answer 1

If you are running a .NET application, then this is caused by ASP.NET HTTP runtime, more specifically by its request filtering feature.

If the URL path contains any of the disallowed characters (<,>,*,%,&,:,\,?), the runtime throws the exception and because of the exception the IIS returns error code 500.

System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (:).

You can configure disallowed characters in your web.config file.

<system.web>
    <httpRuntime targetFramework="4.5" requestPathInvalidCharacters="*,%" />
</system.web>

But i would be careful, because there might be some security implications of such change.