Vulnerability in EPiServer.Forms
I am having problems setting up a custom 404 page in an EPiServer 7 webforms website. I have a page in the CMS which I use for the 404 page. I have configured my web.config like this:
<customErrors mode="Off" />
<httpErrors existingResponse="Replace" errorMode="Custom">
  <remove statusCode="404" />
  <error statusCode="404" path="/404" responseMode="ExecuteURL" />
</httpErrors>
When I navigate to a missing page on the website (i.e. http://mysite.local/cheese), two things happen:
I expect the 200 status code at this point but am totally confused about how the URL has been constructed for the 404 (as in why the hostname and port have been added - the original request did not contain a port number).
Anyhow, to turn the 200 status code into a 404, I add the following code to my 404 template:
Response.StatusCode = 404;
Now when I perform a request for http://mysite.local/cheese I get stuck in a redirection loop:
Request 1: http://mysite.local/cheese
R2: http://mysite.local/404/?404;http://mysite.local:80/cheese
R3: http://mysite.local/404/?404;http://mysite.local:80/404/?404;http://mysite.local:80/cheese
R4: http://mysite.local/404/?404;http://mysite.local:80/404/?404;http://mysite.local:80/404/?404;http://mysite.local:80/cheese
I have used this method for 404 pages many times on previous EPi 6 R2 sites. The only difference now is that I am using EPiServer 7 (Patch 3) and .NET 4.5.
I can see a similar thread exists for EPi7 MVC sites where a custom controller and route is required. Do I need to do the same for a webforms project and if so can anybody help with how?
I usually go with this setup for a 404:
Plus having an ordinary EPiServer Page with the path /404/.
Remember to add HTTP Errors as Feature to your IIS. It's usually found among "Common HTTP Features".
With HTTP Errors installed you can also use the IIS Manager to tweak your settings and it'll save to your web.config.
I hope it's a push in the right direction.
Thanks Alf - That's it!
The trailing forward slash on the end of the 404 url was the problem, without it, a redirection loop occurs.
A bit strange as this was not the case in EPi 6. It seems in EPi 7, all urls end with a forward slash.
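The fix the thread arrives at, shown as an added example that is not part of the original posts: the question's web.config with the looping path left in a comment beside the corrected one. Placing customErrors under system.web and httpErrors under system.webServer follows the standard ASP.NET/IIS configuration schema and is an assumption about how the poster's file is laid out.

```xml
<configuration>
  <system.web>
    <!-- ASP.NET-level setting, unchanged from the question -->
    <customErrors mode="Off" />
  </system.web>
  <system.webServer>
    <!-- Requires the IIS "HTTP Errors" feature mentioned in the answer -->
    <httpErrors existingResponse="Replace" errorMode="Custom">
      <remove statusCode="404" />
      <!-- Before: no trailing slash, reported in the thread to loop on EPiServer 7
      <error statusCode="404" path="/404" responseMode="ExecuteURL" />
      -->
      <!-- After: the path matches the CMS page URL /404/ exactly -->
      <error statusCode="404" path="/404/" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
```

The 404 template still sets Response.StatusCode = 404, as in the question, so the error page is not served with a 200.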