IIS6 vs. IIS7 and IIS7.5: handling URLs with plus sign (+) in base (not querystring)

iis-7 iis-7.5

For any URL with a plus sign (+) in the base URL (not the querystring), IIS7 and IIS7.5 (Windows Server 2008 and 2008 R2) do not appear to forward the URL to the default handler on an ASP.NET application. I started noticing the issue with a custom HTTP handler on *.html but I have the same issue with *.aspx. IIS6 (Server 2003) has no problem with these same URLs.

To replicate the issue, in an ASP.NET site, I created a set of ASPX files that did a simple Response.Write with various names:

  1. test_something.aspx
  2. test_some+thing.aspx
  3. test_some thing.aspx

The third file was a test to see if IIS7[.5] was treating plus symbols as spaces (as it would in the querystring); this does not appear to be the case. With all of these files in place, hitting http://somehost/test_some+thing.aspx or http://somehost/test_some%2bthing.aspx will work fine in IIS6 but 404 in IIS7/IIS7.5 before getting to any ASP.NET handler. Is there some configuration in IIS7/7.5 that I am missing to get it to "see" a plus sign in the URL without missing the final extension used to determine an HTTP handler?


After searching for more combinations of IIS and plus, it appears that IIS7[.5] is set up to reject URLs with a plus sign by default out of some fear of the use of that character; that symbol is still allowed in the querystring, though. The solution is to alter the requestFiltering attribute default on <system><webServer><security><requestFiltering> to allow doubly-encoded characters with a command line call (ultimately modifying your ASP.NET web.config):

%windir%\system32\inetsrv\appcmd set config "Default Web Site" -section:system.webServer/security/requestFiltering -allowDoubleEscaping:true

This may be a bit more dangerous than one prefers to be with their web site, but there didn't appear to be a way to be more specific than a blanket allow. The warnings were regarding the mismatching that could occur between using a plus in a URL and its typical translation as a space. It looks like the only other alternative is to stop using plus characters in your URLs at all.


I just figured out how to make a rewrite rule to convince IIS7 to map pluses to spaces in URLs. In my case it was to keep legacy bookmarks or hyperlinks working.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering allowDoubleEscaping="True" />
    </security>
    <rewrite>
      <rules>
        <rule name="RewriteUserFriendlyURL1" stopProcessing="false">
          <match url="\+" />
          <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="{UrlDecode:{REQUEST_URI}}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

See my blog post for further details and references.

Related

Nginx vs Apache as reverse proxy, which one to choose
Clear the Recycle Bin For All Users in Windows Server 2008 R2
Why do mobile networks have high latencies? How can they be reduced?
How to disconnect from lxc-console
Where does logrotate save its own log?
How to use Jenkins with SSL / https
What does "<service_name> dead but subsys locked" mean?
Can you lookup a domains past nameserver & mx record history?
postgres server fails to start, produces no log, how to to troubleshoot?
Failed tls handshake. Does not contain any IP SANs
Postgres error message: FATAL: Ident authentication failed for user "..."
SQL Server (2005/2008): Does full backup truncate the log in full recovery mode