Home/ Questions/Q 8063523
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T11:04:08+00:00

I am trying to gain some insight into what causes a particularly odd error

  • 0

I am trying to gain some insight into what causes a particularly odd error I have been seeing. I have isolated the issue as follows:

Create an ASP.Net MVC application with a two basic controllers.

public class HasLocationController : Controller
{
   public ActionResult Index()
   {
      return View();
   }
}

public class NoLocationController : Controller
{
   public ActionResult Index()
   {
      return View();
   }
}

Add a location element to the web.config for the path ‘HasLocation’

<location path="HasLocation">
   <system.web>
      <authorization>
         <allow users="*"/>
      </authorization>
   </system.web>
</location>

Publish the site to IIS6 or IIS7 (IISExpress and WebDevServer won’t work), and attempt to browse using the following links:

http://[yourdomain]/NoLocation/%20~C:/blah.txt

http://[yourdomain]/HasLocation/%20~C:/blah.txt

For the controller that has no corresponding location element configured, you get the kind of exception message you would expect.

Exception From Controller Without Location Element

However, if you attempt the same thing on the controller with the location element, then you get this strange error:

NOTE: This only happens with the leading tilde (~) character. Without that, you get the normal error you would expect.

Error When Using Location Element

I haven’t been able to really find documentation regarding this error, but I am very interested to understand why this is happening, and how to prevent it.

ANY light you could shed on the issue would be helpful.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There are virtually hundreds of answers on the internet regarding this error. Most likely it has nothing to do at all with your controllers but with:

    ~C:/blah.txt

    Specifically the : Which it probably finds as being potentially dangerous. Take a look at HttpRuntimeSection.RequestPathInvalidCharacters.

    As for the second error. It is correct, the directory HasLocation does not exist in your project. When it is created, you will get the first error. When you remove the : it will attempt to load whatever file you requestion in the HasLocation directory.

    NOTE: You MUST NOT use the location element in the web.config to security MVC application controllers, you need to use the AuthorizeAttribute or other custom attributes like it.

    Here is a Reference and any search of SO or Google will pretty much say the same thing:

    You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to use a base class with an [Authorize] attribute, and then have each controller type subclass that base type.

    Restate of whats happening:

    First Error: Your URL is throwing an error due to the HttpRuntimeSection.RequestPathInvalidCharacters.

    Second Error: It doesn’t matter if you have controllers or not. The default ASP.Net Webforms engine is trying to detect if a directory exists as you specified in the url (in your case a directory called HasDirectory) because it needs to authorize the directory access for the Webforms engine as you specified in the web.config location element. It’s not even worried about the file yet. Since this directory doesn’t exist, you get the error exactly as your image states (I’ve highlighted in green):

    Highlighted Error

    If you create the directory, then you get error #1.

    The entire ASP.Net runtime does something like this:

    1. Parse the Path necessary for the request.
    2. Validate any Authorization to the directory if it exists in the web.config location element.
    3. If it has access, get the file and parse it for whatever it is (aspx, etc)
    4. If the it doesn’t have access AND the file exists throw an exception or redirect as configured.
    5. If the file does NOT exist, ignore the location element in web.config and run the IIS catch all to determine if there is another route for the request.
    • 0