iFinity Blogs 

404 Error in IIS 7 when using a Url with a plus (+) sign in the path

by Bruce Chapman on Tuesday, March 24, 2009 4:54 PM

I recently had reported problems when using IIS7 that Urls with a + in the url were failing with 404 errors.  This was to do with the Url Master module, which often rewrites Urls to use a simple space encoding (+) rather than the messy (but still valid) %20 encoding.   Normally this is where you have a DNN module that uses a querystring value, where the querystring value gets incorporated into the path of the Url via Friendly Url generation.

As is often the case with errors, I have never heard of them and then within a week I'll get several reports of the same error, even when a particular problem has been 'in the wild' for a long period of time.  It's like the progression of systems across new technologies happens at a steady rate, so that very few people are a long way ahead and trying new things.

The problem occurs in Urls like this : www.mysite.com/my-page-name/key/value+with+spaces.aspx

This Url would be rewritten to this value : www.mysite.com/default.aspx?key=value+with+spaces

Note that with the Url Master module, while it can replace spaces in DotNetNuke page names to construct human friendly urls, it doesn't replace spaces in querystring values.  This is because the module waiting for the rewritten query string might not be expecting a change in the value, and you can't just stick hyphens in where a space is, and then remove them again.   If you did that, you'd eventually run into a case where a legitimate hyphen was removed from the query string.

Example of the Problem

To clarify the problem further, here's an example of how the problem shows up.  It involves two of my modules, the iFinity Tagger and the Url Master modules.

The Tagger module shows a listing of all tagged items when the Tag is requested in the query string, like this :


The '+' in the url is put there by the Url Master module, to make the Url look nice and simple, rather than the correct but frantically ugly:


If you're running your DotNetNuke install (or any asp.net application, for that matter) on IIS7, then you'll get an IIS 404.

Why get 404 errors with +?

The reason that this doesn't work on IIS 7.0 is that Microsoft decided to tighten up on what's legal and what's not, and implement the Url standards more strictly, for security reasons.

Solution to the Problem

The long term solution is to include a choice of space-encoding in the relevant modules, but that will take some time to implement.

The short term solution is from this blog posting:

IIS 7.0 Breaking changes for ASP.NET 2.0 applications in Integrated Mode

Here's the relevant excerpt from the page, which shows the workaround/fix.

Request limits and URL processing

The following changes result due to additional restrictions on how IIS processes incoming requests and their URLs.

11) Request URLs containing unencoded “+” characters in the path (not querystring) is rejected by default

You will receive HTTP Error 404.11 – Not Found: The request filtering module is configured to deny a request that contains a double escape sequence.

This error occurs because IIS is by default configured to reject attempts to doubly-encode a URL, which commonly represent an attempt to execute a canonicalization attack.


1) Applications that require the use of the “+” character in the URL path can disable this validation by setting the allowDoubleEscaping attribute in the system.webServer/security/requestFiltering configuration section in the application’s web.config.  However, this may make your application more vulnerable to malicious URLs:



            <requestFiltering allowDoubleEscaping="true" />



Blogs Parent Separator Crafty Code
Bruce Chapman

The craft of writing code. The outcomes from being crafty with code. Crafty Code is tales from the coding bench.

19 comment(s) so far...

Anonymous 4/9/2009

Hey thanks for this fix - I just came across exactly the same problem whilst building a site using asp.net mvc.<br><br>Having the plus character instead of spaces is a definite bonus when it comes to SEO...

Anonymous 4/24/2009

I have done the steps given above, but still i am not able to see the image on the browser.<br><br>My problem: i have created a virtual directory under the default site that contains images. Some of the image name contains a plus (+) sign in it.<br>This images come broken on the site. Machine configuration : win 2k8, IIS 7, SSRS 2008 (where the images are shown)<br><br>Please help me.<br><br>

Bruce Chapman 4/24/2009

@rency you'll have to trace back to why the images are not showing. You can always rename the image files to remove the + sign - this is the easiest way to fix a problem like that. This error is related to requests where the path has a plus sign in it, not a filename.

Anonymous 4/25/2009

hi Bruce,<br><br>Thanks for the reply, i really appreciate it...<br><br>Actually the filname appears in the path, hence the problem... i have aroud 8000 images in my application, and they keep on adding... Renaming the filname does not work for me. i have another machine with the same configuration and there it works... i am not sure how.. <br><br>is there any other way to fix it without renaming the image?

Bruce Chapman 4/25/2009

@rency if you have it working on one machine, and not the other, it's likely that it's a simple configuration setting wrong somewhere. I would systematically work through all the relevant settings between the two sites and see where they differ, then modify the settings until you can determine what is causing the error. You should also work out if it is a 500 or 404 error causing the broken image. You can do this by copying the image url into a browser window : this shoudl give you more information.

Anonymous 5/12/2009

hi<br>Refer the links <a href="<br>http://www.netomatix.com/articles/KBArticle.aspx?a=927672<br>i" rel="nofollow">www.netomatix.com/articles/KBArticle.aspx?a=927672<br>i</a> was having the same problem it worked perfectly all rite whn i followed above link<br>there is no need to change name of image<br><br><br>

Anonymous 10/31/2009

Thanks, this just solved a problem that had me tearing my hair out all morning!

Anonymous 1/4/2010

Thanks this helped me out.

Anonymous 2/20/2010

Thank you for sharing this information - I was pulling my hair out for this 404 exception :-)

Anonymous 3/18/2010

Thanks for sharing

Anonymous 12/8/2010

It's worked.<br>Thanks for sharing

Anonymous 7/29/2011

Thank you Thank you Thank you Thank you<br /><br />You saved me hours of re-doing work!!!<br /><br />I owe you a pint! :)

Anonymous 12/17/2011

Thanks! It saved us many hours of investigation!

Anonymous 4/19/2012

Awesome! Thanks.

Anonymous 7/2/2012

We fixed the + problem with the resolution provided however<br /><br />Now we are getting this error by using quotation marks around a search term<br /><br />Any help is appreciated<br /><br />Event code: 3005 <br />Event message: An unhandled exception has occurred. <br />Event time: 3/07/2012 10:06:51 a.m. <br />Event time (UTC): 2/07/2012 10:06:51 p.m. <br />Event ID: a6c7cd168c10439f995834665b1983e9 <br />Event sequence: 33 <br />Event occurrence: 1 <br />Event detail code: 0 <br /> <br />Application information: <br /> Trust level: Full <br /> Application Virtual Path: / <br /> Machine name: <br /> <br />Process information: <br /> Process ID: 3916 <br /> Process name: w3wp.exe <br /> Account name: NT AUTHORITY\NETWORK SERVICE <br /> <br />Exception information: <br /> Exception type: ArgumentException <br /> Exception message: Illegal characters in path. <br /> <br />Request information: <br /> Request URL: <a href="http://brkb-uat.biosecurity.govt.nz/search/query/"denis+cook" rel="nofollow">brkb-uat.biosecurity.govt.nz/search/query/"denis+cook</a>" <br /> Request path: /search/query/"denis+cook" <br /> User host address: <br /> User: <br /> Is authenticated: False <br /> Authentication Type: <br /> Thread account name: NT AUTHORITY\NETWORK SERVICE <br /> <br />Thread information: <br /> Thread ID: 13 <br /> Thread account name: NT AUTHORITY\NETWORK SERVICE <br /> Is impersonating: False <br /> Stack trace: at System.IO.Path.CheckInvalidPathChars(String path)<br /> at System.Security.Permissions.FileIOPermission.HasIllegalCharacters(String[] str)<br /> at System.Security.Permissions.FileIOPermission.AddPathList(FileIOPermissionAccess access, AccessControlActions control, String[] pathListOrig, Boolean checkForDuplicates, Boolean needFullPath, Boolean copyPathList)<br /> at System.Security.Permissions.FileIOPermission..ctor(FileIOPermissionAccess access, String path)<br /> at System.Web.HttpRequest.get_PhysicalPath()<br /> at iFinity.DNN.Modules.UrlMaster.Entities.UrlAction..ctor(HttpRequest request)<br /> at iFinity.DNN.Modules.UrlMaster.UrlRewriteModule.ProcessRequest(HttpContext Context, HttpRequest Request, HttpServerUtility Server, HttpResponse Response)<br /> at iFinity.DNN.Modules.UrlMaster.UrlRewriteModule.OnBeginRequest(Object sender, EventArgs e)<br /> at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()<br /> at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)<br />

Bruce Chapman 7/2/2012

@denis the problem is that all requests for the Url Master module are checked for an equivalent file on the server. The Url you've requested results in an invalid file path, which is why you get the error. Please post on the Url Master support forum and I can look into this further.

Allison 9/11/2012

thanks alot. you just saved me from a big mess i was into

Laurence 11/27/2012

Hi Bruce,<br />Thanks for sharing - I was extremely puzzled about this!<br />To clarify - does the issue only come up when spaces are added to querystring parameters, i.e. in an ASP.NET app a URL to a physical page which included a + would not raise the 404 error?

Bruce Chapman 11/27/2012

@laurence the issue only comes up when there is a + encoded space in the path of the Url. It doesn't matter for querystring parameters, only when the spaces are in the path. So example.com/this+page.aspx breaks, but example.com/this-page?key=value+value does not.

Bruce Chapman
Hi, I'm Bruce Chapman, and this is my blog. You'll find lots of information here - my thoughts about business and the internet, technical information, things I'm working on and the odd strange post or two.
Connect with Bruce Chapman on Google+

Share this page
Get more!
Subscribe to the Mailing List
Email Address:
First Name:
Last Name:
You will be sent a confirmation upon subscription

Follow me on Twitter
Stack Exchange
profile for Bruce Chapman at Stack Overflow, Q&A for professional and enthusiast programmers
Klout Profile