Did you manage to find a work-around for this?
I had to temporarily disable the right-click menu to get the sites to load without YSOD. I'm submitting a ticket to EPiServer support for this now.
EPiServer support supplied me with with a hotfix for the following bug:
#88050: Menu Url creation for Shell modules may fail under certain circumstances
Applying this solved my issues.
I can crash pretty much all of our EPiServer sites if i replay a request against them for a logged in user with an http request header present called X-Original-Url and it has data in it, an example request could be:
GET /page/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Cookie: .EPiServerLogin=encryptedcookieforusergoeshere; ASP.NET_SessionId=xxxx;.ASPXROLES=yyyyy;
Doesn't matter what is in X-Original-URL, if there is anything in there EPiServer will throw a 500 error. Remove the X-Original-URL header and everything works.
Stacktrace is below; I have looked into the code and can see that EPiServer is using some MVC helpers that are specifically checking for this header so it appears that this header is actually checked. And then it appears to handle virtual paths differently if this header is there, hence the "System.Web.HttpException (0x80004005): Cannot use a leading .. to exit above the top directory."
Anyone got a fix for this? Makes it impossible to load balance the sites with a load balancer that sends the X-Original-URL to the backend webservers.
Sites running CMS R2 and Commerce R2.