Why does IIS 7.5 adds a trailing slash on folders?

2019-03-17 23:44发布

问题:

IIS does URL cleanup on directories by adding a trailing slash. See this old docs from IIS 6: IIS generates courtesy redirect when folder without trailing slash is requested

  1. Why? Is the intent still relevant?
  2. Any security implications?
  3. How can I disable it to make this work with a URL Rewrite rule "RemoveTrailingSlashRule"

When you add a rule under IIS 7.5 with URL Rewrite 2, the rule will not be applied to directories (using IsDirectory) and folders (using IsFolder).

See this warning on Add a rule to append or remove the trailing slash symbol:

This will create the RemoveTrailingSlashRule1:

回答1:

I have an answer for the specific case of a child IIS Application here: https://stackoverflow.com/a/25817317/292060. The child app seems to be the usual culprit, but isn't explicitly described in this question.

To try to answer the questions, here are my opinions from dealing with IIS and Microsoft for years. I don't have hard sources to cite; some of this is just gut feelings.

  1. Why? Is the intent still relevant?

I think it stemmed from the original "default document" feature, namely index.html. Websites wanted their home page to just be the domain, then this extended to subfolders. With url rewriting, the intent isn't relevant anymore - you can rewrite to your heart's content, and would rather IIS get out of the way. It's common to want friendly urls, and no trailing slash (except for the domain/website root - that is required to have a trailing slash, even if some browsers like Chrome get cute and hide it).

  1. Any security implications?

I think the only security implication was the original directory browsing. If you forgot to do a default document, and directory browsing was left turned on, then people could browse your website files. As far as I know, directory browsing has been long disabled as the default setting.

With any requests, whether trailing slash or not, url rewriting or not, your server and code need to withstand bad requests. This is true for all situations, not just specific to the slashes. http://xkcd.com/327/

  1. How can I disable it to make this work with a URL Rewrite rule "RemoveTrailingSlashRule"

I have an answer if the issue is the child application, here: https://stackoverflow.com/a/25817317/292060 The summary is, in IIS:

  • Disable the Default Document feature for the child application.
  • Using Url Rewrite, create a rule to rewrite (not redirect) an empty request to default.aspx

If this question is for a more general issue, including regular subfolders even if not a child app, consider removing the "Is Not a Directory" from the rule, and let this redirect even when it sees a directory. That may work, or may create an infinite redirect loop, I'm not sure.