Context.ReWritePath Critical Bug

[Oytun YILMAZ]

Hi I thing I have found a critical bug about ASP.NET ReWritePath Function


Here are the steps to reproduce:

I have a solution with this items:

"MasterPageWithoutUserControl.aspx"
"MasterPageWithUserControl.aspx"
"OrdinaryPage.aspx"
"OrdinaryWebControl.ascx"

in global asax I call rewritepath like this:

Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
Context.RewritePath("MasterPageWithoutUserControl.aspx ")
End Sub


Look careful at the end of the string there is a space (".aspx ")

This space causes aspnet_wp not to render the page so when I send a request
to OrdinaryPage.aspx I see the ACTUAL SOURCE of
MasterPageWithoutUserControl.aspx file in my browswer.



Thinks become more interesting if that MasterPage has a User Control or
Custom Control decleration at the top of the page like this:
<%@ Register TagPrefix="uc1" TagName="OrdinaryWebControl"
Src="OrdinaryWebControl.ascx" %>

When I change global.asax to:
Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
Context.RewritePath("MasterPageWithUserControl.aspx ")
End Sub

and request OrdinaryPage.aspx I directly see a Download File Dialog which
lets me to DOWNLOAD THE ASPX SOURCE FILE...

I use framework 1.1. I tested this on both WinXP Pro and Win2003

Has anyone experienced it before ???

-Oytun

 

[Karl]

I'm not sure if that's a critical bug in Context.RewritePath or simply a
critical bug in how you are using it. It would be nice if
Context.RewritePath checked for valid extensions I guess...but the bug can't
be easily exploited unless you are letting users input where the rewrite the
path to.

As for the download / not download thing, firefox tries to download both
cases...I think it's more of a browser setting thing.

Karl