404.11 on "A Test Post"

IIS 7 on Windows 2008 R2 with PHP 5.3.3 via FastCGI, yii-1.1.7.r3135

URL: https://domain.com:443/blog/index.php/post/2/A+Test+Post#comments

Error:

HTTP Error 404.11 - Not Found

The request filtering module is configured to deny a request that contains a double escape sequence.

I get this error every time I click on any link in Yii that has a space in it.

Has anyone come across this issue?

Thanks

That error only occurs when I enable pretty URLs like below.

    'urlManager'=>array(
    	// 'path' format puts route parameters into the URL path
    	'urlFormat'=>'path',
    	'rules'=>array(
    		'post/<id:\d+>/<title:.*?>'=>'post/view',
    		'posts/<tag:.*?>'=>'post/index',
    		'<controller:\w+>/<action:\w+>'=>'<controller>/<action>',
    	),
    ),

I haven’t used IIS in 10 years…

But I think you need to set up a rewrite module:

http://learn.iis.net/page.aspx/460/using-the-url-rewrite-module/

You say the problem only happens for links that have a space in them - forgive me if I’m stating the obvious, but you do know that a URL cannot contain spaces, don’t you?

If you want to use phrases as part of a URL, you should CHtml::encode them, and when you get them as a parameter in your action, decode them to get the original phrase (CHtml::decode will be available in Yii 1.1.8, but for now you’ll have to use htmlspecialchars_decode($text,ENT_QUOTES)).

I do have the rewrite module installed but there is no .htaccess in the "demo blog", so I would assume it does not require a rewrite rule to be configured. Is that not correct?

Yes, the URL does not contain any "space"; instead it has "+" in place of "space", but that is the same whether or not URL manager is used. I think the issue is that URL manager produces a URL that contains a "double escape sequence", which causes the security feature in IIS 7 to stop the code. The specific security feature that stops this double escape sequence is the "allowDoubleEscaping" setting.

I tried to set "allowDoubleEscaping" to get around the issue but it only works for "localhost" and not for a full domain URL, plus it is not a good idea to disable a security feature anyway.

Any more ideas?

Thanks

Seems this is IIS problem… so maybe you would need to ask some good IIS administrator about this…

Check this article for an explanation of why this feature is enabled - http://blogs.iis.net/thomad/archive/2007/12/17/iis7-rejecting-urls-containing.aspx

If you decide to turn off this feature (I don’t see other options) here is how - http://support.microsoft.com/kb/942076/

I did try that already and I know it works, but the "+" is in the URL regardless of using URLManager or not. So the "+" in the URL is not the cause of the issue but rather, I think, URLManager is creating a URL that causes IIS to think it has violated the "allowDoubleEscaping" security restriction.

Check this article - http://www.w3schools.com/TAGS/ref_urlencode.asp

The "+" works fine when URLManager is not enabled.

In this case "space" or "+" is not the issue; rather, URLManager produces a URL that causes IIS to choke.

It is…

The problem is that IIS7 rejects URLs with +… read the first link I gave you above… it says

Why not just replace spaces with dashes?

Most slugs are dashed…

That is what I thought at first, but I was able to click on the same link without URLManager enabled and IIS did not redirect to 404, so that tells me that in this case "+" is not the issue.
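Added example, not part of the thread and not IIS's own code: a simplified Python model of the double-escape check behind 404.11, run against the URL from the first post, a constructed non-pretty form of the same link, and a dashed slug as suggested above. Assumptions: the filter flags a path when a second decode pass would still change it, counting "+" as an encoded space, and it inspects only the path, not the query string or fragment; `has_double_escape`, `filter_status` and `slug` are hypothetical names.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus


def has_double_escape(path: str) -> bool:
    """Simplified model (assumption, not IIS source): decode once, then decode
    again treating '+' as a space. If the second pass changes the path, the
    request is ambiguous and is flagged."""
    once = unquote(path)
    twice = unquote_plus(once)
    return once != twice


def filter_status(url: str) -> str:
    # Assumption: only the path component is checked.
    path = urlsplit(url).path
    return "404.11" if has_double_escape(path) else "pass"


def slug(title: str) -> str:
    """Dashed slug: no '+' and no '%' can end up in the path."""
    return re.sub(r"[^A-Za-z0-9]+", "-", title).strip("-")


# Constructed sample URLs; the first is the one reported in the thread.
SAMPLES = [
    "https://domain.com:443/blog/index.php/post/2/A+Test+Post#comments",
    # Same link without 'urlFormat'=>'path' (title sits in the query string)
    "https://domain.com/blog/index.php?r=post/view&id=2&title=A+Test+Post",
    "https://domain.com/blog/index.php/post/2/A%20Test%20Post",
    "https://domain.com/blog/index.php/post/2/A%2520Test%2520Post",
    "https://domain.com/blog/index.php/post/2/" + slug("A Test Post"),
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{filter_status(url):7} {url}")
```

Under these assumptions the "+" passes while it is in the query string and is rejected once the path format moves it into the path, and the dashed slug passes with allowDoubleEscaping left at its default.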