404 Error When Accessing Confluence Space or Page via IIS

Symptoms

You see a 404 Not Found error when trying to browse a space or page: "HTTP Error 404.11 - Not Found. The request filtering module is configured to deny a request that contains a double escape sequence."

Cause

By default, IIS7 rejects URLs that contain a double escape sequence, such as '+'. For example, the URL http://localhost:8090/display/TT/Test+Test+Startseite will be rejected by IIS7 because it contains a '+' character.

Resolution

Disable double escape validation in IIS7 by following these steps in IIS Manager:

  1. Stop your website.
  2. Select your site and click Request Filtering.
  3. Click Edit Feature Settings.
  4. Check Allow double escaping and click OK.
  5. Start your site in IIS and check whether you can still reproduce the error.

Whether you leave the '+' in place or convert those characters to spaces, be aware that your rule engine may allow access to a non-admin user. For example, suppose an attacker enters http://myserver/my+vdir and you have a rule looking for "my vdir". The rule won't match, because your authorization code searches for the string "my+vdir" while the rule says "my vdir". As a result, the rule is not applied and the attacker gets access.
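The mismatch described above, as an added example that is not part of the original article: a check that compares the raw request path with the rule text, next to one that reduces both to the same canonical form first. The rule list, the function names and the assumption that the application resolves '+' to a space are illustrative, not Confluence or IIS code.

```python
from urllib.parse import unquote

# Constructed rule set: paths that only admins may reach.
ADMIN_ONLY = ["/my vdir"]


def canonical(path: str) -> str:
    """Reduce a path to the form the application is assumed to resolve.

    Assumption: the application maps '+' to a space, as the display URLs
    in this article do. Decoding repeats until the value stops changing,
    so a double-escaped '%252B' ends up in the same form as '+'. This can
    over-match a literal plus sign, which is the safe side for a deny rule.
    """
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    return path.replace("+", " ").casefold()


def _covers(rule: str, path: str) -> bool:
    # Match the rule itself or anything beneath it, not "/my vdirectory".
    return path == rule or path.startswith(rule + "/")


def naive_is_allowed(path: str, is_admin: bool) -> bool:
    """Compares the raw request path with the rule text (the flaw above)."""
    restricted = any(_covers(rule, path) for rule in ADMIN_ONLY)
    return is_admin or not restricted


def is_allowed(path: str, is_admin: bool) -> bool:
    """Canonicalises the request path and the rule before comparing."""
    target = canonical(path)
    restricted = any(_covers(canonical(rule), target) for rule in ADMIN_ONLY)
    return is_admin or not restricted


if __name__ == "__main__":
    for p in ["/my vdir", "/my+vdir", "/my%20vdir/page", "/my%252Bvdir"]:
        print(f"{p!r:20} naive={naive_is_allowed(p, False)} "
              f"canonical={is_allowed(p, False)}")
```

Once double escaping is allowed, IIS no longer rejects these variants, so the authorization layer has to apply the same normalisation as the code that resolves the resource.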

 

Last modified on Feb 19, 2016
