<remove> Element for schemeSettings (Uri Settings)
Removes a scheme setting for a scheme name.
Attributes and Elements
The following sections describe attributes, child elements, and parent elements.
The scheme name for which this setting applies. The only supported values are name="http" and name="https".
By default, the System.Uri class un-escapes percent encoded path delimiters before executing path compression. This was implemented as a security mechanism against attacks like the following:
If this URI gets passed down to modules not handling percent encoded characters correctly, it could result in the following command being executed by the server:
c:\Windows\System32\cmd.exe /c dir c:\
For this reason, System.Uri class first un-escapes path delimiters and then applies path compression. The result of passing the malicious URL above to System.Uri class constructor results in the following URI:
This default behavior can be modified to not un-escape percent encoded path delimiters using the schemeSettings configuration option for a specific scheme.
This element can be used in the application configuration file or the machine configuration file (Machine.config).
The following code example shows a configuration used by the Uri class that removes any scheme settings for the http scheme.
<configuration> <uri> <schemeSettings> <remove name="http"/> </schemeSettings> </uri> </configuration>