25 Sep 2014 , last update: 30 Jan 2022
Sitecore and the error page
The Sitecore error page and error handling in .NET seem easy, but there is quite a lot to know about some exotic error situations. In this article we describe these exceptions, specifically the errors caused by a browser request to the Microsoft IIS web server. We compare this with Umbraco, the popular open source Microsoft .NET content management system.
Sitecore error pages
Sitecore has a number of error pages in the folder /sitecore/service/. If you want to use these error pages (nolayout, noaccess, nolicense, etc.), it is a good idea to patch the reference in the web.config to a location outside the Sitecore directory, because you want to remove or protect the Sitecore folder on a content delivery server.
Sitecore and MVC, language processor Default page
The language processor has a bug, also present in Sitecore 7.2, when using MVC. If you have a URL without a / and with a language code, for example /en-us.aspx, you get the /default.aspx that Sitecore supplies. You can fix that by adding the following to your Global.asax:
protected void Application_Start()
{
    // Let routing also handle requests that match a physical file on disk.
    System.Web.Routing.RouteTable.Routes.RouteExistingFiles = true;
}
See also: http://www.sitecore.net/Community/Technical-Blogs/John-West-Sitecore-Blog/Posts/2012/11/Conflicting-Files-MVC-Routes-and-Item-Paths-in-the-Sitecore-ASPNET-CMS.aspx
Or by setting the DefaultAspxPageName; see Stack Overflow.
Overview
ERROR | Example URL
Reserved filenames - The resource cannot be found. | /lpt1
Dangerous Request.Path | /*
404.7 file extension filter | /jan.config
404.8 .Net filter | /web.config
404.11 Request double escape sequence | /+
Illegal characters in path /” | /”
ERROR alias exists, but points to a non-existing item |
A potentially dangerous Request.QueryString value | /?t=<script>
A potentially dangerous Request.Form value |
Sitecore Language Code in URL of querystring | /de-AT?sc_lang=de-AT
Max url length |
404.15 query string is too long |
Url with a . | /nl.aspx/nul.core
405 Method Not Allowed | /sitecore_webDAV.ashx
500 Path start with space, Configuration Error | /%20/
Reserved filenames
Server Error in '/' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL: /con
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.34212
COM1-9, LPT1-9, AUX, PRN, NUL and CON are reserved and give a special 404 error. This is a legacy from MS-DOS: try to create a file or directory named CON on Windows (NTFS) and it will not work. The same holds for URLs. Create a page in Umbraco or Sitecore with the URL /lpt1 or /lpt1.aspx and it will not work; the page throws an error.
Need an issue for a tester? Test whether you can create a page /lpt1.
The annoying thing about this error is that the ASP.NET error pages and the IIS error pages do nothing with it. The out-of-the-box (OOTB) config supplied with Umbraco and Sitecore does not catch it with its own error page. URL Rewrite is an option. You can also allow the URL by setting this in the web.config:
<system.web>
  <httpRuntime relaxedUrlToFileSystemMapping="true"/>
</system.web>
That feels like turning off security. Almost all .NET websites lack a nice error page for these URLs.
See also: http://haacked.com/archive/2010/04/29/allowing-reserved-filenames-in-URLs.aspx
Dangerous Request.Path
Server Error in '/' Application.
A potentially dangerous Request.Path value was detected from the client (*).
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (*).
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (*).]
System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +12352103
System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +166
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.34212
A *, :, &, %25, < or > in the URL gives a 400 response code: "A potentially dangerous Request.Path value was detected from the client (*)". This is very useful for testing, where you often want to capture all the known errors in your application: you now have a way to get a 400 error.
The config supplied with Umbraco and Sitecore does not catch this, but the .NET error pages do work fine for this error.
This error is, however, logged in the Sitecore log, which is not fun when the log file is automatically checked for errors and triggers the monitor or dashboard.
Message: A potentially dangerous Request.Path value was detected from the client (<).
Source: System.Web
at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)
If this type of error in the Sitecore log file is an issue, you can send it to another log file, for example with a custom log4net filter.
This message also comes as a Warning in the Windows event log.
The set of rejected characters is configurable in the web.config:
<httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,:,&amp;,\" />
See: ASP.NET request validation errors
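To keep the request-validation errors described above from tripping an automated log check, the monitor itself can separate them from real errors. The following is an added example, not code from the article or from Sitecore: it groups multi-line log entries and sets aside those matching messages this article reports as caused by the request URL. The sample log lines and the names `split_entries` and `triage` are constructed for illustration.

```python
import re

# Entry header in the Sitecore log: "<thread> HH:MM:SS LEVEL message".
HEADER = re.compile(r"^.+? \d{2}:\d{2}:\d{2} (?P<level>DEBUG|INFO|WARN|ERROR|FATAL) ")
# Message texts this article reports for errors caused by the request URL.
REQUEST_NOISE = (
    "a potentially dangerous request.path value was detected",
    "illegal characters in path",
    "exceeds the configured maxurllength value",
)
# Constructed sample; the exception details sit on continuation lines.
SAMPLE_LOG = """\
7280 13:35:40 INFO  Cache created: 'web[items]'
7280 13:35:46 ERROR Application error.
Exception: System.Web.HttpException
Message: A potentially dangerous Request.Path value was detected from the client (<).
Source: System.Web
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
7280 13:35:46 ERROR An alias for "/test/" exists, but points to a non-existing item.
5120 13:36:02 ERROR Application error.
Exception: System.NullReferenceException
Message: Object reference not set to an instance of an object.
""".splitlines()


def split_entries(lines):
    """Attach continuation lines (exception details) to their header line."""
    entries = []
    for line in lines:
        if HEADER.match(line) or not entries:
            entries.append([line])
        else:
            entries[-1].append(line)
    return entries


def triage(lines):
    """Return (actionable, request_noise): lists of ERROR/FATAL entries."""
    actionable, noise = [], []
    for entry in split_entries(lines):
        head = HEADER.match(entry[0])
        if head is None or head["level"] not in ("ERROR", "FATAL"):
            continue
        text = "\n".join(entry).lower()
        is_noise = any(marker in text for marker in REQUEST_NOISE)
        (noise if is_noise else actionable).append(entry)
    return actionable, noise
```

Matching on the header line alone would not work here: both "Application error." entries look identical until the continuation lines are read.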
404.7 file extension filter
HTTP Error 404.7 - Not Found
The request filtering module is configured to deny the file extension.
Most likely causes:
- Request filtering is configured for the Web server and the file extension for this request is explicitly denied.
Things you can try:
- Verify the configuration/system.webServer/security/requestFiltering/fileExtensions settings in applicationhost.config and web.config.
Detailed Error Information:
Module | RequestFilteringModule
Notification | BeginRequest
Handler | StaticFile
Error Code | 0x00000000
Requested URL | http://sitecore8.local:80/bla.config
Physical Path | C:\projects\sitecore8\Website\bla.config
Logon Method | Not yet determined
Logon User | Not yet determined
More Information:
This is a security feature. Do not change this feature unless the scope of the change is fully understood. If the file extension for the request should be allowed, remove the denied file extension from configuration/system.webServer/security/requestFiltering/fileExtensions.
View more information »
A URL like /Blabla.config gives a 404.7 error: the request filtering module is configured to deny the file extension. 404.7 means that the HTTP status is 404. In IIS you can still use the substatus 7 to display a specific error page:
<httpErrors errorMode="Custom">
  <error statusCode="404" subStatusCode="7" path="/error.html" responseMode="Redirect" />
</httpErrors>
404.8 .Net filter
HTTP Error 404.8 - Not Found
The request filtering module is configured to deny a path in the URL that contains a hiddenSegment section.
Most likely causes:
- Request filtering is configured for the Web server and it contains a hiddenSegments section that allows the server administrator to deny access to specific directories.
Things you can try:
- Verify configuration/system.webServer/security/requestFiltering/hiddenSegments settings in the applicationhost.config or the web.config file.
Detailed Error Information:
Module | RequestFilteringModule
Notification | BeginRequest
Handler | StaticFile
Error Code | 0x00000000
Requested URL | http://sitecore8.local:80/web.config
Physical Path | C:\projects\sitecore8\Website\web.config
Logon Method | Not yet determined
Logon User | Not yet determined
More Information:
This is a security feature. Do not change this feature unless the scope of the change is fully understood. If content should be served from a specific directory being denied by this setting, remove the denied directory from configuration/system.webServer/security/requestFiltering/hiddenSegments.
View more information »
URLs such as /web.config and /bin give a 500 error.
The request filtering module is configured to deny a path in the URL that contains a hidden segment section.
You can configure each segment or add additional segments:
http://www.iis.net/configreference/system.webserver/security/requestfiltering/hiddensegments
404.11 Request double escape sequence
HTTP Error 404.11 - Not Found
The request filtering module is configured to deny a request that contains a double escape sequence.
Most likely causes:
- The request contained a double escape sequence and request filtering is configured on the Web server to deny double escape sequences.
Things you can try:
- Verify the configuration/system.webServer/security/requestFiltering@allowDoubleEscaping setting in the applicationhost.config or web.confg file.
Detailed Error Information:
Module | RequestFilteringModule
Notification | BeginRequest
Handler | PageHandlerFactory-Integrated-4.0
Error Code | 0x00000000
Requested URL | http://sitecore8.local:80/test+test.aspx
Physical Path | C:\projects\sitecore8\Website\test+test.aspx
Logon Method | Not yet determined
Logon User | Not yet determined
More Information:
This is a security feature. Do not change this feature unless the scope of the change is fully understood. You should take a network trace before changing this value to confirm that the request is not malicious. If double escape sequences are allowed by the server, modify the configuration/system.webServer/security/requestFiltering@allowDoubleEscaping setting. This could be caused by a malformed URL sent to the server by a malicious user.
View more information »
URLs with a + character give an error, for example /test+test. In Sitecore you cannot create items with a plus. In Umbraco you can, and the + sign in the URL is replaced by "plus", so that cannot go wrong in Umbraco. In Sitecore, however, you can also configure the Link Manager to "Use Display name as url"; the display name may contain a +, and then an invalid URL is generated (tested in Sitecore 6.5). You can allow it if you want, but then you open potential security holes.
<system.webServer>
  <security>
    <requestFiltering allowDoubleEscaping="true"/>
  </security>
</system.webServer>
Illegal characters in path
Characters such as | and " give a 500 "Illegal characters in path" error. This message appears as an Error in the Sitecore log and as a warning in the Windows event log.
Not Found ERROR alias exists, but points to a non-existing item.
The error "ERROR alias exists, but points to a non-existing item" may appear in the Sitecore log. If you make an alias folder structure, for example test/abc, then the alias directory contains an item "test" that is not linked to an item. The item below it, abc, is the one linked to the item for which you make the alias. If you do a request to the URL /test you get a 404, and in the Sitecore log:
7280 13:35:46 ERROR An alias for "/test/" exists, but points to a non-existing item.
A potentially dangerous Request.QueryString value was detected from the client
Similar to the query string, an HTTP POST can give a security error.
Sitecore Language Code in URL of querystring
Depending on the configuration, there are 2 ways to give the language to Sitecore.
1) In the query string
Try /?Sc_lang=de-DE
If you do not have this language in your Sitecore website and you do not check for invalid languages, your Sitecore website is now completely broken, and a cookie is set to remember the language, so this is important to check. You can restore it by giving an existing language code in the URL.
2) Same for language codes in the URL
Try /en and/or /de-DE, or a language code without content. Result: the site is broken and the invalid language is stored in a cookie. You can restore it by giving a valid language in the URL, or by erasing the cookie. It is a session cookie, so closing and restarting the browser solves it.
Max url length
The URL has a length limit, while an Umbraco item name has no limit. Crossing the limit results in the error "The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters". A Sitecore item name has a length limit, set in the web.config:
<setting name="MaxItemNameLength" value="100"/>
If you create a folder structure you can still go over the URL length limit. The result is the error "The length of the URL for this request Exceeds the configured maxUrlLength value." This message appears as an error in the Sitecore log and as a warning in the event log.
The limit is adjustable in the web.config:
<httpRuntime maxUrlLength="1024" />
404.15 query string is too long
The query string has a limit, so use a POST instead of a query string when your form can be large. The error is:
"The request filtering module is configured to deny a request where the query string is too long."
See the maxQueryStringLength and maxQueryString in the web.config http://msdn.microsoft.com/en-us/library/e1f13641%28v=vs.100%29.aspx
Url with a .
A . in the URL also causes different behavior: it is interpreted as a file extension. /test.test gives a 404.0 - Not Found, which is not captured by the standard Sitecore or Umbraco 404 page; that only works with .aspx or no extension.
You can also combine it, for example /nl.aspx/nul.core. In Umbraco this gives "Failed to map the path '/nl.aspx/nul.core'." in MVC mode, or "The resource cannot be found." in Web Forms. In Sitecore it usually gives an error, depending on the version and the exact URL. This also shows up as a warning in the event log.
As with the +: in Umbraco you can make an item with a +, but that is no issue because it is filtered out. In Sitecore a + is not allowed in an item name. If you use the display name as URL in Sitecore, a + results in a somewhat strangely escaped URL: the + is replaced by -d- (in Sitecore 6.5).
405 Method Not Allowed
In Sitecore you can get a 405 with the following URL: /sitecore_webDAV.ashx
http://www.sitecore.net/sitecore_webDAV.ashx
You may also use a prefix, for example /hypotheek.aspx/sitecore_webDAV.ashx
Or try /sitecore_feed.ashx on a Sitecore website: it gives no error code, but the result is a little strange.
http://www.sitecore.net/sitecore_feed.ashx
The above URLs and a few others are in the Sitecore web.config.
See the Sitecore Security Hardening Guide:
Disabling Client RSS Feeds
If your Sitecore installation contains sensitive information that you want to protect, you can disable Sitecore client RSS feeds. To disable Sitecore client feeds:
1. Open the web.config file.
2. Locate the <httpHandlers> section. Depending on your IIS pool, this section may be called Handlers.
3. Remove the following handler:
<add verb="*" path="sitecore_feed.ashx" type="Sitecore.Shell.Feeds.FeedRequestHandler, Sitecore.Kernel"/>
Removing this handler disables all the client feeds that are available inside Sitecore. However, any public RSS feeds that you have created are still available to Website visitors.
500 Path start with space, Configuration Error
A URL like / / or /%20/ gives a 500 error in .NET. Sitecore and Umbraco also give a 500 error instead of the expected 404 not found.
If you want to display a nice user-friendly error message, you will see that the customErrors in the web.config do not work:
"Runtime Error Description: An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated."
To handle this you need to do it at network level (F5 load balancer) or use the IIS-level error settings rather than ASP.NET.
Under <system.webServer>:
<httpErrors errorMode="Custom" existingResponse="Replace">
  <clear/>
  <error statusCode="500" path="error.html" responseMode="File"/>
</httpErrors>
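The URL classes covered in this article can be checked before an item name or display name is published. The following is an added example, not code from Sitecore, Umbraco or IIS: `check_path` is a hypothetical helper that models only the path rules observed above, and its hidden-segment and extension lists are limited to the values the article names.

```python
from urllib.parse import unquote

# Rules modelled on the observations in this article; real responses depend
# on the server's requestFiltering and httpRuntime configuration.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)}
HIDDEN_SEGMENTS = {"web.config", "bin"}  # only the segments named above
DENIED_EXTENSIONS = (".config",)         # only the extension named above
DANGEROUS = set("<>*%:&\\")              # requestPathInvalidCharacters
ILLEGAL = set('|"')


def check_path(raw_path):
    """Return every (status, reason) this article predicts for a URL path."""
    path = raw_path.split("?", 1)[0]     # the query string is not checked
    segments = [unquote(s) for s in path.split("/") if s]
    lowered = [s.lower() for s in segments]
    findings = []
    if any(s in HIDDEN_SEGMENTS for s in lowered):
        findings.append(("404.8", "hidden segment"))
    elif lowered and lowered[-1].endswith(DENIED_EXTENSIONS):
        findings.append(("404.7", "denied file extension"))
    if "+" in path:
        findings.append(("404.11", "double escape sequence"))
    if any(s.startswith(" ") for s in segments):
        findings.append(("500", "segment starts with a space"))
    if any(c in ILLEGAL for s in segments for c in s):
        findings.append(("500", "illegal characters in path"))
    if any(c in DANGEROUS for s in segments for c in s):
        findings.append(("400", "dangerous Request.Path value"))
    # Device names match on the part before the first dot, so /lpt1.aspx
    # and /nl.aspx/nul.core are caught as well as /lpt1.
    if any(s.split(".", 1)[0].upper() in RESERVED for s in segments):
        findings.append(("404", "reserved device name"))
    return findings


if __name__ == "__main__":
    for url in ("/lpt1.aspx", "/web.config", "/test+test", "/%20/", "/en-us"):
        print(url, check_path(url))
```

An empty list means none of the modelled rules apply; it does not mean the page exists.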