<remove> Element for schemeSettings (Uri Settings)
Collapse the table of content
Expand the table of content

<remove> Element for schemeSettings (Uri Settings)

.NET Framework (current version)
 

Removes a scheme setting for a scheme name.

<configuration>
<uri>
<schemeSettings>
<remove>


      <remove 
   <name = "http|https"/>
/>

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

Attributes

Attribute

Description

name

The scheme name for which this setting applies. The only supported values are name="http" and name="https".

Child Elements

None.

Parent Elements

Element

Description

<schemeSettings> Element (Uri Settings)

Specifies how a Uri will be parsed for specific schemes.

By default, the System.Uri class un-escapes percent encoded path delimiters before executing path compression. This was implemented as a security mechanism against attacks like the following:

http://www.contoso.com/..%2F..%2F/Windows/System32/cmd.exe?/c+dir+c:\

If this URI gets passed down to modules not handling percent encoded characters correctly, it could result in the following command being executed by the server:

c:\Windows\System32\cmd.exe /c dir c:\

For this reason, System.Uri class first un-escapes path delimiters and then applies path compression. The result of passing the malicious URL above to System.Uri class constructor results in the following URI:

http://www.microsoft.com/Windows/System32/cmd.exe?/c+dir+c:\

This default behavior can be modified to not un-escape percent encoded path delimiters using the schemeSettings configuration option for a specific scheme.

This element can be used in the application configuration file or the machine configuration file (Machine.config).

Example

The following code example shows a configuration used by the Uri class that removes any scheme settings for the http scheme.

<configuration>
  <uri>
    <schemeSettings>
      <remove name="http"/>
    </schemeSettings>
  </uri>
</configuration>
Show:
© 2016 Microsoft