0

I'm trying to delete blobs in an MVC 3 application that uses Azure storage.

I'm trying to pass the Uri of the blob which will be deleted to the controller, however an error is thrown:

A potentially dangerous Request.Path value was detected from the client (:)

I think this is from the https: part of the Uri and I need to parse it out, however I'm not sure how to do that. I'm wondering how to fix this error.

Is there a more graceful way to delete a blob from storage?

David Makogon
James
  • Search for that string ("A potentially dangerous Request.Path value was detected")... those search results should help. As to your second question, I don't follow. Maybe you can provide more about how you're doing the deletion and where you see room for improvement? – user94559 Jul 19 '11 at 01:20
  • Haha, seems I beat you to the punch on that one. As with all questions, Google is the first source of answers. I come here after I lose the will to keep on going. I tried some of the suggestions; one of the common ones was a [ValidateInput(false)] attribute, however this did not work. Any other suggestions? As for the second question, I'm wondering if there is a way to go about deleting that's more in line with MVC? I have a view with a list of blobs; when someone clicks a delete link, it sends the blob's Uri back to the controller (or it's supposed to). I don't really care how it's deleted. – James Jul 19 '11 at 05:35

3 Answers

1

You must properly URL-encode your URLs. Here's an example of a badly encoded URL:

http://foo.com/controller/action?param=http://bar.com

Here's how it should look:

http://foo.com/controller/action?param=http%3A%2F%2Fbar.com

Or maybe you have a URL of the form:

http://foo.com/controller/action/https://bar.com

which is even worse. If you want to use special characters in the path portion of a URL you might find the following blog post useful.

Darin Dimitrov
1

If you want unsecure content to get through then you can add [ValidateInput(false)] to your action. However, this is opening up something that is there for your security, so only do this if you are sure your code is secure. See the first answer in "A potentially dangerous Request.Form value was detected from the client".

Community
Stuart
0

I was able to fix it and I want to summarize the solution, since it requires bits from the other two answers and bits mostly from the Scott Hanselman blog post.

You need to do a few things to make this work:

  • Put the [ValidateInput(false)] on your action method.

  • Make sure your URL is properly encoded (an example is given in the above post), which is done when you use the blobVariableName.Uri.AbsoluteUri as the string to pass from your view to your controller, so you shouldn't have to do anything there.

  • Make sure your query string looks like http://site/controller/action?blobid=http%3A%2F%2F... and NOT http://site/controller/action/http%3A%2F%2F... The latter won't work!

On a side note, since I started, our functional requirements changed and now we're storing information about each blob in the database, which allows me to pass parameters other than the blob's URI, which seems like a much safer way to play it.

A great deal of the community appears to be in agreement that it is a bad idea to pass URIs and to open up your application so as to allow you to do so.

James
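Added example (not code from any of the answers above): if the blob URI is still passed to the delete action, the encoded query-string form from the first and third answers can be paired with a server-side check that the URI really points into the expected container before anything is deleted. The class name, the `/Blob/Delete` route, the `blobid` handling and the `exampleaccount`/`uploads` container are assumptions made for illustration.

```csharp
using System;
using System.Linq;

public static class BlobDeleteRequest
{
    // Assumption: every deletable blob lives in this one container (constructed name).
    static readonly Uri ContainerBase =
        new Uri("https://exampleaccount.blob.core.windows.net/uploads/");

    // View side: carry the blob URI as an encoded query-string value, never as a path segment.
    public static string BuildDeleteLink(Uri blobUri)
    {
        return "/Blob/Delete?blobid=" + Uri.EscapeDataString(blobUri.AbsoluteUri);
    }

    // Controller side: blobid is the decoded query-string value as model binding delivers it.
    // Returns the blob name relative to ContainerBase, or null if the URI is not acceptable.
    public static string TryGetBlobName(string blobid)
    {
        Uri u;
        if (!Uri.TryCreate(blobid, UriKind.Absolute, out u)) return null;
        if (u.Scheme != Uri.UriSchemeHttps || u.Port != ContainerBase.Port) return null;
        if (!string.Equals(u.Host, ContainerBase.Host, StringComparison.OrdinalIgnoreCase)) return null;
        if (u.UserInfo.Length > 0 || u.Query.Length > 0 || u.Fragment.Length > 0) return null;
        if (!u.AbsolutePath.StartsWith(ContainerBase.AbsolutePath, StringComparison.Ordinal)) return null;

        string name = Uri.UnescapeDataString(u.AbsolutePath.Substring(ContainerBase.AbsolutePath.Length));
        // Reject dot segments and backslashes explicitly rather than relying on Uri normalisation.
        if (name.Length == 0 || name.Contains("\\")) return null;
        if (name.Split('/').Any(s => s == "." || s == ".." || s.Length == 0)) return null;
        return name;
    }

    public static void Main()
    {
        var blob = new Uri("https://exampleaccount.blob.core.windows.net/uploads/report.pdf");
        Console.WriteLine(BuildDeleteLink(blob));
        string[] samples = {   // constructed inputs
            blob.AbsoluteUri,
            "http://exampleaccount.blob.core.windows.net/uploads/report.pdf",
            "https://otheraccount.blob.core.windows.net/uploads/report.pdf",
            "https://exampleaccount.blob.core.windows.net/private/keys.txt",
            "https://exampleaccount.blob.core.windows.net/uploads/../private/keys.txt",
        };
        foreach (var s in samples)
            Console.WriteLine("{0} -> {1}", s, TryGetBlobName(s) ?? "(rejected)");
    }
}
```

The returned name, not the client-supplied URI, is what the delete code should use to look up the blob, and the action should also confirm that the current user is allowed to delete it.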