Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


asp.net mvc - Any potential security risks with turning on relaxedUrlToFileSystemMapping to allow URLs having part ending with '.'?

We are having an issue where our application fails when the URL has any part ending with '.' in it; we can't avoid this due to functional requirements. The suggested solution is to turn on relaxedUrlToFileSystemMapping in the web.config file. We would like to know if there are any potential security risks with this approach.

Format of failing URL: http://server.com/path1/krishnakk./path2

It returns a 404 error.


1 Answer


Even though this question is seven months old, here's an answer in case anyone else comes across a situation like this.

Regarding the security part of the question, by default relaxedUrlToFileSystemMapping is set to false, and ASP.NET assumes that the path portion of a URL is a valid NTFS file path. If you disable this by setting relaxedUrlToFileSystemMapping to true, then you are potentially opening your site up to attack because you're disabling the default protection provided by ASP.NET.

If you absolutely need to set relaxedUrlToFileSystemMapping to true you should also be sure that you validate all URLs within the constraints of your application's requirements.
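
One way to do the URL validation the answer recommends, shown as an added example (not code from the original post or from ASP.NET). The class name, the allowed character set and the length limits are assumptions chosen for illustration; the trailing '.' is permitted because the question's URL format requires it.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Hypothetical helper (not an ASP.NET API): allow-list check for URL paths once
// relaxedUrlToFileSystemMapping="true" has disabled the default file-path assumption.
public static class UrlPathValidator
{
    // Assumed application rule: letters, digits, '-', '_' and '.' only, 1-64 chars.
    private static readonly Regex Segment =
        new Regex(@"\A[A-Za-z0-9_.-]{1,64}\z", RegexOptions.CultureInvariant);

    // Windows device names, which stay reserved even with an extension ("nul.txt").
    private static readonly Regex Device =
        new Regex(@"\A(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?\z",
                  RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    public static bool IsAllowedPath(string path)
    {
        if (string.IsNullOrEmpty(path) || path[0] != '/' || path.Length > 512)
            return false;
        if (path == "/") return true;                  // site root has no segments
        return path.Substring(1).Split('/').All(IsAllowedSegment);
    }

    private static bool IsAllowedSegment(string s)
    {
        if (!Segment.IsMatch(s)) return false;         // empty, ':', '\', '%', spaces, controls
        if (s.Trim('.').Length == 0) return false;     // ".", ".." and other dot-only segments
        return !Device.IsMatch(s.TrimEnd('.'));        // "nul." still names the NUL device
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample paths; the first follows the URL format from the question.
        string[] samples = { "/path1/krishnakk./path2", "/path1/../web.config",
                             "/path1/nul./path2", "/path1/file.txt::$DATA", "/path1//path2" };
        foreach (string p in samples)   // only the first sample is allowed
            Console.WriteLine("{0,-26} {1}", p,
                UrlPathValidator.IsAllowedPath(p) ? "allow" : "reject");
    }
}
```

In an ASP.NET application a check like this would run early in the request, for example in Application_BeginRequest against Request.Path, before routing or any file access uses the path.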

