9

Is there a way to block access (404) to the Razor views in MVC 3 beta 1? When I create a brand new blank site (IIS7) and then access /views/home/index.cshtml from the browser, instead of the 404 I get this

    [InvalidCastException: Unable to cast object of type 'ASP.Index_cshtml' to type 'System.Web.IHttpHandler'.]
       System.Web.WebPages.WebPageHttpHandler.CreateFromVirtualPath(String virtualPath, VirtualPathFactoryManager virtualPathFactoryManager) +56
       System.Web.WebPages.WebPageRoute.DoPostResolveRequestCache(HttpContextBase context) +253
       System.Web.WebPages.WebPageHttpModule.OnApplicationPostResolveRequestCache(Object sender, EventArgs e) +89
       System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

By default the web.config file in the views folder is set to block all file requests, but obviously this request is still getting through.

Steps to reproduce:
File -> New Project
ASP.NET MVC 3 Web Application
Internet Application (Razor)
F5
Navigate to /views/home/index.cshtml

5
  • Could you provide the full stack trace? Commented Oct 13, 2010 at 19:38
  • Updated with full stack trace and steps to reproduce. Commented Oct 13, 2010 at 20:53
  • Thanks, I can confirm this is a valid bug. Commented Oct 13, 2010 at 23:04
  • What happens if you ignore the route in the global.asax? routes.IgnoreRoute("{resource}.cshtml/{*pathInfo}"); Commented Nov 16, 2010 at 19:27
  • I already tried that, but nothing changed. Commented Nov 17, 2010 at 16:31

3 Answers

9

I'm a dev lead on the ASP.NET team working on both ASP.NET MVC 3 and ASP.NET Web Pages and Razor.

This is not entirely fixed in ASP.NET MVC 3 RC, but it will be fully fixed in ASP.NET MVC 3 RTM.

There is nothing "terribly bad" that happens in ASP.NET MVC 3 RC or earlier: The worst that can happen is that someone can detect whether a view exists in your app - but they cannot get it to run (due to that weird exception). This is a slight security issue in that it is a form of information disclosure, but it is not a very severe issue.

In ASP.NET MVC 3 RTM all Razor views in ~/Views/... as well as any Razor views within an MVC Area are 100% blocked and will not be directly runnable by the browser. They will only be runnable as MVC view pages.

4

You could probably use some kind of rewrite rules in web.config to redirect the user from the directly linked .cshtml to the actual action or just redirect/rewrite it to a 404 page.

<system.webServer>
    <rewrite>
        <rules>
            <rule name="rule1" patternSyntax="Wildcard" stopProcessing="true">
                <match url="*.cshtml" />
                <action type="Redirect" url="http://www.example.com/some404.html" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>

Update: A more complex version. This will take a URL like views/home/index.cshtml?key=value and redirect it to home/index?key=value. It's a 301 redirect, but it can also be a Rewrite or some other HTTP status code - more here

<rule name="cshtml" stopProcessing="true">
    <match url="^views/([^/]+)/([^.]+)\.(?:cshtml|aspx)" />
    <action type="Redirect" url="{R:1}/{R:2}" />
</rule>

Of course this works without the query string (the ?key=value part). The only drawback of this is that web.config does not know about your registered routes (usually in Global.asax.cs). And, to my knowledge, there is no way it could. For that you'll have to write some custom code. Look at this article by Phil Haack and the source code that goes with it.

1 Comment

That does not solve the problem – I don't want to ignore these or display 404 error pages but display them ...
3

For those who migrated from MVC 3 RC to RTM, make sure you look at \views\web.config and add the following config:

  <appSettings>
    <add key="webpages:Enabled" value="false" />
  </appSettings>

This will make sure all the view files (*.cshtml) return 404 Not Found.
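
One way to check a migrated project for the setting described in this answer, as an added example that is not part of the original thread or of ASP.NET itself. It goes slightly beyond the single \views\web.config case by also checking Views folders under MVC Areas; the function names, the sample paths and the sample configs are constructed for illustration, and the case-insensitive comparison of key and value is an assumption.

```python
import xml.etree.ElementTree as ET

KEY = "webpages:enabled"  # assumption: appSettings keys compare case-insensitively


def webpages_disabled(config_xml: str) -> bool:
    """Return True only if the config explicitly sets webpages:Enabled to false."""
    root = ET.fromstring(config_xml)
    value = None
    for settings in root.iter("appSettings"):
        # Walk add/remove/clear in document order so the last entry wins.
        for node in settings:
            name = (node.get("key") or "").lower()
            if node.tag == "clear":
                value = None
            elif node.tag == "remove" and name == KEY:
                value = None
            elif node.tag == "add" and name == KEY:
                value = node.get("value")
    return value is not None and value.strip().lower() == "false"


def audit(configs: dict) -> list:
    """Return the paths whose config does not disable direct Razor page requests."""
    findings = []
    for path, text in sorted(configs.items()):
        try:
            ok = webpages_disabled(text)
        except ET.ParseError:
            ok = False  # an unreadable config is reported, not trusted
        if not ok:
            findings.append(path)
    return findings


# Constructed sample inputs (not taken from a real project).
SAMPLES = {
    r"Views\web.config": """<configuration><appSettings>
        <add key="webpages:Enabled" value="false" /></appSettings></configuration>""",
    r"Areas\Admin\Views\web.config": """<configuration><appSettings>
        <add key="ClientValidationEnabled" value="true" /></appSettings></configuration>""",
    r"Areas\Shop\Views\web.config": """<configuration><appSettings>
        <add key="webpages:Enabled" value="true" /></appSettings></configuration>""",
}

if __name__ == "__main__":
    for path in audit(SAMPLES):
        print("webpages:Enabled is not false in", path)
```

To run it against a real project, build the `configs` dictionary from the web.config files found under each Views folder and pass it to `audit`.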
