I can crash pretty much all of our EPiServer sites if i replay a request against them for a logged in user with an http request header present called X-Original-Url and it has data in it, an example request could be:

GET /page/ HTTP/1.1
Host: world.episerver.com
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Referer: http://clientdomain.com/somepage
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: .EPiServerLogin=encryptedcookieforusergoeshere; ASP.NET_SessionId=xxxx;.ASPXROLES=yyyyy;
X-Original-URL: /page/

Doesn't matter what is in X-Original-URL, if there is anything in there EPiServer will throw a 500 error. Remove the X-Original-URL header and everything works.

Stacktrace is below; I have looked into the code and can see that EPiServer is using some MVC helpers that are specifically checking for this header so it appears that this header is actually checked. And then it appears to handle virtual paths differently if this header is there, hence the "System.Web.HttpException (0x80004005): Cannot use a leading .. to exit above the top directory."

Anyone got a fix for this? Makes it impossible to load balance the sites with a load balancer that sends the X-Original-URL to the backend webservers.

Sites running CMS R2 and Commerce R2.

System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.Web.HttpException (0x80004005): Cannot use a leading .. to exit above the top directory.
   at System.Web.Util.UrlPath.ReduceVirtualPath(String path)
   at System.Web.Util.UrlPath.Reduce(String path)
   at System.Web.VirtualPath.Combine(VirtualPath relativePath)
   at System.Web.Mvc.PathHelpers.GenerateClientUrlInternal(HttpContextBase httpContext, String contentPath)
   at System.Web.Mvc.UrlHelper.GenerateUrl(String routeName, String actionName, String controllerName, RouteValueDictionary routeValues, RouteCollection routeCollection, RequestContext requestContext, Boolean includeImplicitMvcValues)
   at System.Web.Mvc.UrlHelper.GenerateUrl(String routeName, String actionName, String controllerName, String protocol, String hostName, String fragment, RouteValueDictionary routeValues, RouteCollection routeCollection, RequestContext requestContext, Boolean includeImplicitMvcValues)
   at System.Web.Mvc.UrlHelper.RouteUrl(String routeName, Object routeValues, String protocol)
   at EPiServer.Web.PageExtensions.ContextMenu.RegisterMenuScripts(Object sender, EventArgs e)
   at System.EventHandler.Invoke(Object sender, EventArgs e)
   at System.Web.UI.Page.OnInit(EventArgs e)
   at EPiServer.PageBase.OnInit(EventArgs e)
   at System.Web.UI.Control.InitRecursive(Control namingContainer)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)