Problem/Motivation

The current web.config doesn't relax the default requestPathInvalidCharacters settings of IIS.
This means that colons (:) in URLs are classified as invalid characters.
Because of this URLs like the one from the block management (http://wl56www523.webland.ch/drupal/web/admin/structure/block/add/block_content%3Adc5f60cf-8510-4a21-b899-641571747188/bodies?region=section_first&_wrapper_format=drupal_modal) are blocked.

Proposed resolution

Add the <httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="*,%,?,\,&amp;,&lt;,&gt;" /> directive to the web.config file.
This should allow colons in URLs.

Remaining tasks

This was tested with "Microsoft-IIS/7.5" and "AspNet-Version:4.0.30319" - as I'm very unfamiliar with IIS this defintitely needs a review from someone that's more familiar with that webserver.
Another open question is if the config syntax for &,<,> is valid - I had to use &amp;,&lt;,&gt to avoid a 500 error from IIS, and it seems like the related chars are filtered properly.
However, if this is server version / configuration specific syntax we might break installations if we simply update the web.config.

User interface changes

None

API changes

None

Data model changes

None

CommentFileSizeAuthor
#16 interdiff_2895002_13-16.txt514 bytesandregp
#16 2895002-16.patch1.09 KBandregp
#13 2895002-13.patch506 bytes_pratik_
drupal-allow-colons-in-urls-on-iis.patch553 bytesdas-peter
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

das-peter created an issue. See original summary.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Kristen Pol’s picture

Kristen Pol
she/her
Primary language English
Location Santa Cruz, CA, USA
CreditAttribution: Kristen Pol at Hook 42 for Hook 42 commented
Version: 8.9.x-dev » 9.1.x-dev
Status: Needs review » Needs work
Issue tags: +Bug Smash Initiative

Thanks the issue and patch.

1) Patch applies cleanly to 9.1.x.

2) I'm unclear what " - this is uses" means. Marking back to "Needs work" for wording change. Thanks.

+++ b/web.config
@@ -1,5 +1,9 @@
+    <!-- Allow colon as separator in urls - this is uses e.g. by the block management. -->

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
CreditAttribution: larowlan at PreviousNext commented
Issue tags: +Novice, +Needs change record

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

_pratik_’s picture

_pratik_ CreditAttribution: _pratik_ as a volunteer and at Specbee for Drupal India Association commented
FileSize
2895002-13.patch506 bytes

Updated Comment.

rpayanm’s picture

rpayanm
he/him
Primary language Spanish
CreditAttribution: rpayanm commented
Status: Needs work » Needs review

Status: Needs review » Needs work

The last submitted patch, 13: 2895002-13.patch, failed testing. View results

andregp’s picture

andregp CreditAttribution: andregp at CI&T commented
Status: Needs work » Needs review
Issue tags: -Needs change record
FileSize
2895002-16.patch1.09 KB
interdiff_2895002_13-16.txt514 bytes

I addressed the failing test and created a Change Record (https://www.drupal.org/node/3284755)

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented
Status: Needs review » Reviewed & tested by the community
Issue tags: +Needs Review Queue Initiative

This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request as a guide.

Kicked off a D10 build but don't expect failures. Think this good for committers to take a look.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
CreditAttribution: larowlan at PreviousNext commented
Status: Reviewed & tested by the community » Needs review

It would be good to have this reviewed by someone who uses IIS

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented

Seems we can't get anyone who uses IIS to test. How best to proceed with this ticket?

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented
Status: Needs review » Closed (won't fix)

See related issue.