Share via


<add> Element for schemeSettings (Uri Settings)

Adds a scheme setting for a scheme name.

<configuration> Element
  <uri> Element (Uri Settings)
    <schemeSettings> Element (Uri Settings)
      <add> Element for schemeSettings (Uri Settings)

<add 
   name = "http|https" genericUriParserOptions="DontUnescapePathDotsAndSlashes"
/>

Attributes and Elements

The following sections describe attributes, child elements, and parent elements

Attributes

Attribute

Description

name

The scheme name for which this setting applies. The only supported values are name="http" and name="https".

{Attribute name} Attribute

Value

Description

genericUriParserOptions

The parser options for this scheme. The only supported value is genericUriParserOptions= "DontUnescapePathDotsAndSlashes".

Child Elements

None

Parent Elements

Element

Description

<schemeSettings>

Specifies how a Uri will be parsed for specific schemes.

Remarks

By default, the System.Uri class un-escapes percent encoded path delimiters before executing path compression. This was implemented as a security mechanism against attacks like the following:

https://www.contoso.com/..%2F..%2F/Windows/System32/cmd.exe?/c+dir+c:\\

If this URI gets passed down to modules not handling percent encoded characters correctly, it could result in the following command being executed by the server:

c:\Windows\System32\cmd.exe /c dir c:\

For this reason, System.Uri class first un-escapes path delimiters and then applies path compression. The result of passing the malicious URL above to System.Uri class constructor results in the following URI:

https://www.microsoft.com/Windows/System32/cmd.exe?/c+dir+c:\\

This default behavior can be modified to not un-escape percent encoded path delimiters using the schemeSettings configuration option for a specific scheme.

Configuration Files

This element can be used in the application configuration file or the machine configuration file (Machine.config).

Example

The following code example shows a configuration used by the Uri class to support not escaping percent-encoded path delimiters for the http scheme.

<configuration>
  <uri>
    <schemeSettings>
      <add name="http" genericUriParserOptions="DontUnescapePathDotsAndSlashes"/>
    </schemeSettings>
  </uri>
</configuration>

See Also

Reference

Network Settings Schema

System.Configuration.SchemeSettingElement

System.Configuration.SchemeSettingElementCollection

System.Configuration.UriSection

UriSection.SchemeSettings

System.GenericUriParserOptions

System.Uri