This url is part of a pci compliance scan and it is flagging the very sparse asp.net error page returned, which on the live site is a 500 status code and the text
Server Error in '/' Application.
Runtime Error
Description: An exception occurred while processing your request.
Additionally, another exception occurred while executing the custom
error page for the first exception. The request has been terminated.
When running the site in visual studio I however get a 404 and the text
Server Error in '/' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its
dependencies) could have been removed, had its name changed, or is
temporarily unavailable. Please review the following URL and make
sure that it is spelled correctly.Requested URL: /WEB-INF./web.xml
Version Information: Microsoft .NET Framework Version:4.0.30319;
ASP.NET Version:4.0.30319.18044
I've tried ignoring that url in routing and mapping it to our 404 route /error/not-found, we have custom errors on with a default redirect to /error/internal. I also tried using a location tag to deny access, blocking it with request filtering, and using a handler with that path to catch the request.
I tried this rewrite, also tried the same rule blocking and redirecting but I still get the same asp.net error page. The image cut off but the rule is ^.*\./.*$ and it does match the url I am trying to filter (I've also tried simply WEB-INF).
Any idea how I can get this url to show our custom error page?
Best Answer
Adding
relaxedUrlToFileSystemMapping="true"to the httpRuntime node in the web.config allowed this url to get processed by ASP.Net MVC as expected.