[转帖]IIS有这么一个限制,不允许有冒号

<P>[转帖]http://blog.joycode.com/</P>
<P>我昨天发现IIS有这么一个限制：IIS不允许request url的路径里有冒号（colon, " : " ），一旦request url的路径里有冒号，IIS直接400 Bad Request。这个真是迭迭怪事，最后我在网上还真搜到了解释：</P>
<P>IIS does not permit colons in the URL. This is because the NTFS file system<br>considers a colon to be a special character that's used to denote alternate<br>streams within a file. If your example URL below were handled by the static<br>file handler in IIS, it would attemps to open the stream called "blah"<br>within a file called "blah" in the "script.cfm" directory under wwwroot.</P>
<P>More specifically, without this limitation, if a client were to request<br><a href="http://www.example.com/script.cfm::$data" target="_blank" >http://www.example.com/script.cfm::$data</A>, then the contents of the<br>script.cfm file would get sent to the client instead of invoking ColdFusion <<a href="http://forums.devshed.com/" target="_blank" >http://forums.devshed.com/</A>> <br>to process script.cfm.</P>
<P>If you want to prevent IIS from parsing your data, then put it either in the<br>query string or the entity body. A colon would be allowed in either of<br>those places.</P>
<P>Thank you,<br>-Wade A. Hilmo,<br>-Microsoft</P>
<P>大意是说因为NTFS文件系统的一个限制，所以IIS不接受request url path里的冒号，如果一定要用冒号，请放到query string里（就是问号?后面跟的东西）或者用request content body。回答的Wade Hilmo现在是IIS的Dev Lead。</P>
<P>我真的觉得悲哀，因为NTFS文件系统的一个潜在的安全漏洞，IIS居然可以做出违反RFC的事情来。RFC 1738明确说：</P>
<P>httpurl        = "http://" hostport [ "/" hpath [ "?" search ]]<br>hpath          = hsegment *[ "/" hsegment ]<br>hsegment       = *[ uchar | ";" | ":" | "@" | ";" | "=" ]</P>
<P>冒号完全是合法的url字符。</P>
<P>一个是文件系统，一个是web服务器，风马牛不相及的东西居然也能这么剪不断理还乱，我彻底败了。</P>
<P>就因为这一个小小的限制，我们需要重新定义我们的协议，然后牵连到我们的Windows Live Partner都要重新定义他们的接口。而且我们还要一直注意这个问题，如果将来onboard的partner在url中用了冒号，我们要想想会不会出问题（就我们所知，确实已经发现有这样潜在的partner在他们的协议中用了冒号）。<br></P>