Sitecore and the error page

25 Sep 2014 , last update: 24 Jun 2017

Sitecore and the error page

The Sitecore error page and error handling in .NET seem easy but there are quite some facts about some exotic error sitiuaties. In this article we describe all the exceptions specifically the errors caused by doing a request with a browser to the Microsoft IIS Web server.  We compare this with the popular open source Umbraco Microsoft .NET Content Management System.

Sitecore error pages

Sitecore has a number of error pages that are in the folder: /sitecore/service/ If you want to use these error situations nolayout, noaccess, nolicense etc then it is a good idea to patch te reference in the web.config to a location outside the Sitecore directory because you want to erase, protect the Sitecore folder on a content delivery server.

 

Sitecore and MVC, language processor Default page

The language processor has a bug that also is in Sitecore 7.2 when using MVC. if you have a url without / and with language code for example /en-us.aspx you get the /default.aspx that Sitecore supplies. You can fix that by doing the following into your Global.asax:

        protected void Application_Start()
        {
            System.Web.Routing.RouteTable.Routes.RouteExistingFiles = true;

        }

 

 

See also: http://www.sitecore.net/Community/Technical-Blogs/John-West-Sitecore-Blog/Posts/2012/11/Conflicting-Files-MVC-Routes-and-Item-Paths-in-the-Sitecore-ASPNET-CMS.aspx

Or by setting the DefaultAspxPageName see Stack Overflow

 

 Overview

ERROR

Voorbeeld URL

Reserved filenames - The resource cannot be found.

/lpt1

Dangerous Request.Path

/*

404.7 file extension filter

/jan.config

404.8 .Net filter

/web.config

404.11 Request double escape sequence

/+

Illegal characters in path /”

/”

ERROR alias exists, but points to a non-existing item

 

A potentially dangerous Request.QueryString value

/?t=<script>

A potentially dangerous Request.Form value

 

Sitecore Language Code in URL of querystring

/de-AT?sc_lang=de-AT

Max url length

 

404.15 query string is too long

 

Url with a .

/nl.aspx/nul.core

405 Method Not Allowed

/sitecore_webDAV.ashx

500 Path start with space, Configuration Error

/%20/

 

Reserved filenames

Server Error in '/' Application.


The resource cannot be found.

Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable.  Please review the following URL and make sure that it is spelled correctly.

Requested URL: /con


Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.34212

COM1-9, LPT1-9, AUX, PRT, NUL, CON are reserved and give a special 404 error. This is legacy from MS-DOS, just try to make a file or directory with the name CON on Windows (NTFS) that will not work. Same for urls. Create in Umbraco or Sitecore an page with the url  /lpt1 or /lpt1.aspx that will not work the page throw an error.

 

Sitecore-lpt1-in-url

Tester issue needed? test if you can make a pages /lpt1

 

The annoying with this error is that the ASP.NET Error Pages and IIS Error Pages nothing do with this error. The Out Of the Box (OOTB) with Umbraco and Sitecore supplied config not catch this on with its own error page. URL Rewrite is an option. You can also allow the URL by: setting this in the web.config

<system.web>
    <httpRuntime relaxedUrlToFileSystemMapping="true"/>

That feels like turning off security. Almost all .NET websites have no nice error page for this urls.

See alsohttp://haacked.com/archive/2010/04/29/allowing-reserved-filenames-in-URLs.aspx

Dangerous Request.Path

Server Error in '/' Application.


A potentially dangerous Request.Path value was detected from the client (*).

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (*).

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.


Stack Trace:

[HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (*).]
   System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +12352103
   System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +166

 


Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.34212

A *, :, &, %25, < or > in the url give 400 response error code, A Potentially Dangerous Request.Path value was detected from the client (*). This is very useful for testing where you often captures all your known errors in your application. You have now a way to get a 400 error.
The config supplied with Umbraco and Sitecore not catch this on .NET Error pages do work fine for this error.
But this error is logged in the Sitecore log, which is not fun when the log file is automatically checked for errors and trigger the monitor of dashboard.

Message: A potentially dangerous Request.Path value was detected from the client (<).
Source: System.Web
at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)


If this type of errors in the Sitecore log file is an issue you can get them for example with a custom log4net filter into another log file.
This message also comes as a Warning in the Windows event log.
It is configurable in the web.config
<httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,:,&amp;,\"/>

404.7 file extension filter

HTTP Error 404.7 - Not Found

The request filtering module is configured to deny the file extension.

Most likely causes:

  • Request filtering is configured for the Web server and the file extension for this request is explicitly denied.

Things you can try:

  • Verify the configuration/system.webServer/security/requestFiltering/fileExtensions settings in applicationhost.config and web.config.

Detailed Error Information:

Module RequestFilteringModule
Notification BeginRequest
Handler StaticFile
Error Code 0x00000000
Requested URL http://sitecore8.local:80/bla.config
Physical Path C:\projects\sitecore8\Website\bla.config
Logon Method Not yet determined
Logon User Not yet determined

More Information:

This is a security feature. Do not change this feature unless the scope of the change is fully understood. If the file extension for the request should be allowed, remove the denied file extension from configuration/system.webServer/security/requestFiltering/fileExtensions.

View more information »

A URL like /Blabla.config gives a 404.7 error. The request filtering module is configured to deny the file extension. 404.7 means that the http status is 404 in. In IIS you can still use the sub number 7 to display a specific error page.

<httpErrors errorMode="Custom">
<error statusCode="404" subStatusCode="7" path="/error.html" responseMode="Redirect" />

404.8 .Net filter

HTTP Error 404.8 - Not Found

The request filtering module is configured to deny a path in the URL that contains a hiddenSegment section.

Most likely causes:

  • Request filtering is configured for the Web server and it contains a hiddenSegments section that allows the server administrator to deny access to specific directories.

Things you can try:

  • Verify configuration/system.webServer/security/requestFiltering/hiddenSegments settings in the applicationhost.config or the web.config file.

Detailed Error Information:

Module RequestFilteringModule
Notification BeginRequest
Handler StaticFile
Error Code 0x00000000
Requested URL http://sitecore8.local:80/web.config
Physical Path C:\projects\sitecore8\Website\web.config
Logon Method Not yet determined
Logon User Not yet determined

More Information:

This is a security feature. Do not change this feature unless the scope of the change is fully understood. If content should be served from a specific directory being denied by this setting, remove the denied directory from configuration/system.webServer/security/requestFiltering/hiddenSegments.

View more information »

URLs as /web.config and /bin give a 500 error.
The request filtering module is configured to deny a path in the URL That contains a hidden segment section.
You can configure each segment or add additional segments.
http://www.iis.net/configreference/system.webserver/security/requestfiltering/hiddensegments

 

404.11 Request double escape sequence

HTTP Error 404.11 - Not Found

The request filtering module is configured to deny a request that contains a double escape sequence.

Most likely causes:

  • The request contained a double escape sequence and request filtering is configured on the Web server to deny double escape sequences.

Things you can try:

  • Verify the configuration/system.webServer/security/requestFiltering@allowDoubleEscaping setting in the applicationhost.config or web.confg file.

Detailed Error Information:

Module RequestFilteringModule
Notification BeginRequest
Handler PageHandlerFactory-Integrated-4.0
Error Code 0x00000000
Requested URL http://sitecore8.local:80/test+test.aspx
Physical Path C:\projects\sitecore8\Website\test+test.aspx
Logon Method Not yet determined
Logon User Not yet determined

More Information:

This is a security feature. Do not change this feature unless the scope of the change is fully understood. You should take a network trace before changing this value to confirm that the request is not malicious. If double escape sequences are allowed by the server, modify the configuration/system.webServer/security/requestFiltering@allowDoubleEscaping setting. This could be caused by a malformed URL sent to the server by a malicious user.

View more information »

URLs with a + character give an error for example /test+test In Sitecore you can not create items with a plus in Umbraco you can do it. the + sign in the URL is replaced by "plus" so that can not go wrong in Umbraco. However, in Sitecore, you can also configure the Link Manager to use "Use Display name as url" the display name may contain a + and then there become an invalid url put down. (In Sitecore 6.5 tested) You can allow it if you want, but then you open potential security holes.

<system.webServer>
<security>
<requestFiltering allowDoubleEscaping="true"/>
</security>
</system.webServer>

 

Illegal characters in path

Characters as a | and "give a 500 Illegal characters in path. This message comes as Error in the Sitecore log and as a warning in the Windows event log.

 

Not Found ERROR alias exists, but points to a non-existing item.

This error "ERROR alias exists, but points to a non-existing item" may be in the Sitecore log. If you make an alias folder structure, for example test/abc then you have in the alias directory a item "test" that is not linked to a item. the item below the ABC item relates to the item to which you make the alias. If you do a request to url /test you get a 404 and in the Sitecore log:
7280 13:35:46 ERROR An alias for "/test/" exists, but points to a non-existing item.

 

A potentially dangerous Request.QueryString value was detected from the client

Similar to the query string a http post can give a security error.

 

Sitecore Language Code in URL of querystring

Depending on the configuration there are 2 ways give the language to Sitecore.

1) In the query string
Try /?Sc_lang=de-DE
If you do not have this language in your Sitecore website and you do not check for invalid languages. your Sitecore website is now completely broken and there is a cookie put too remember, important to check. You can restore it by giving an existing Language code in the URL

2) Same for language codes in the URL
Try /en and or /de-DE or a languacode without content, result: site broken and the invalid language stored in a cookie. restore can be done by give a valid language in the URL. Or erase the cookie, it's a session cookie so close browser and restart browser solves it.

Max url length

The URL has a length limit, an Umbraco item name has no limit. That results in an error when crossing "The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters ". A Sitecore item name have a length limit in the web.config

<setting name="MaxItemNameLength" value="100"/>

If you create a folder structure you can still go over the url lenght limit. result a error "The length of the URL for this request Exceeds the configured maxUrlLength value." This message comes as error in the Sitecore log and as a warning in the event log
Adjustable in the web.config.

<httpRuntime maxUrlLength="1024" />

 

404.15 query string is too long

The query string has a limit, therefore you use a post instead of a query string as you form can be large. the error is
"The request filtering module is configured to deny a request where the query string is too long."

See the maxQueryStringLength and maxQueryString in the web.config http://msdn.microsoft.com/en-us/library/e1f13641%28v=vs.100%29.aspx

 

Url with a .

A . in the url also causes different behavior. Become interpreted as file extension. /test.test give a 404.0 - Not Found, this is not captured by the standard Sitecore or Umbraco 404 page. That only works with .aspx or no extension.
You can also combine it something like /nl.aspx/nul.core In Umbraco this give a Failed to map the path '/nl.aspx/nul.core. in MVC mode or The resource can not be found. In webforms. In Sitecore usually an error depending on the version and exact url. This is also reflected as a warning in the event log.

Like the + In Umbraco you can make a item with a +. but no issue filtered out. In Sitecore a + is is not allowed in a item name. If you use the display name as url in Sitecore a + result in a somewhat strangely escaped url. The + is replaced bij, -d- (in Sitecore 6.5)

405 Method Not Allowed

In Sitecore you can get a 405 with the following url /sitecore_webDAV.ashx

http://www.sitecore.net/sitecore_webDAV.ashx

You may also use a prefixes for example /hypotheek.aspx/sitecore_webDAV.ashx

Or try /sitecore_feed.ashx on a Sitecore website although no error code but a little strange.
http://www.sitecore.net/sitecore_feed.ashx

The above urls and a few others are in the Sitecore web.config

See the Sitecore Security Hardening Guide:

Disabling Client RSS Feeds
If your Sitecore installation contains sensitive information that you want to protect, you can disable Sitecore client RSS feeds. To disable Sitecore client feeds:
1. Open the web.config file.
2. Locate the <httpHandlers> section. Depending on your IIS pool, this section may be called Handlers.
3. Remove the following handler:
<add verb="*" path="sitecore_feed.ashx" type="Sitecore.Shell.Feeds.FeedRequestHandler, Sitecore.Kernel"/>
Removing this handler disables all the client feeds that are available inside Sitecore. However, any public RSS feeds that you have created are still available to Website visitors.

500 Path start with space, Configuration Error

An url like / / or /%20/ give in .NET a 500 error. Also Sitecore and Umbraco give a 500 error insted of the expected 404 not found.

If you want to display a nice user friendly error message, you see the customErrors are not working in the web.config.

"Runtime Error Description: An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated."

For this you need to do it on netwerk level, (F5 load balancer) or use IIS level error settings rather than ASP.NET

Below <system.webServer>

<httpErrors errorMode="Custom" existingResponse="Replace">
        <clear/>
        <error statusCode="500" path="error.html" responseMode="File"/>
</httpErrors>