When I visit `http://localhost:17357/u/a%2fa/m/ssd-10` and look at `HttpContext.Current.Request.Url` in `Application_BeginRequest`, I see `http://localhost:17357/u/a/a/m/ssd-10`. Huh? Shouldn't I get `http://localhost:17357/u/a%2fa/m/ssd-10`? I thought the point of escaping URLs is so that ?, &, / and other special symbols are not confused with their special meaning in URLs. Maybe there's a config I need to tweak?


I created 4 usernames. They are

a?@!&ee
a?@!/&ee
as d
クイン

with the links as

<a href="/u/a%3f%40%21%26ee">a?@!&amp;ee</a><br>
<a href="/u/a%3f%40%21%2f%26ee">a?@!/&amp;ee</a><br>
<a href="/u/as%20d">as d</a><br>
<a href="/u/%ef%bd%b8%ef%bd%b2%ef%be%9d">クイン</a>

The last two work, but for the first two I get the exception

A first chance exception of type 'System.ArgumentException' occurred in mscorlib.dll

Additional information: Illegal characters in path.

then

A first chance exception of type 'System.Web.HttpException' occurred in System.Web.dll

Additional information: '/u/a?@!&ee' is not a valid virtual path.

and my page says Bad Request. How can I allow these usernames to work? If it's impossible, how can I write a workaround?

+4  A: 

You need to escape it again. Use %252f instead of %2f. To clarify, the URL is unencoded when the server receives it. URL encoding allows you to pass in a / that the server processes as a character instead of the special function that a reserved character would normally trigger. See the Wikipedia page for more info.

Concerning your error with the a?@!&ee username, it seems almost certain that you're running into a problem that ASP.NET has with special characters (even urlencoded properly) that are not in the query string (that is, after the ? part of the URL). Joshua Flanagan talks about it in a blog post, and identifies %, &, *, and : as the problematic characters.

He points to a Dirk.Net blog post that offers a couple of fixes. First, you can edit the registry to allow restricted characters (adding a DWORD key AllowRestrictedChars to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters and setting its boolean value to true). Or, you can ensure that you have the .NET framework 1.1 SP1 and edit the registry to set ASP.NET Verification Compatibility to true (DWORD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET VerificationCompatibility = 1). Third, you can try setting ValidateRequest to false on the ASPX page. Finally, as Joshua decided to do, you can pass the information using the query string, i.e. after the ? as ASP.NET originally (pre MVC) expected.

jball
good answer. do you know of any other chars i need to escape twice?
acidzombie24
Percent-encoding the percent (i.e. using `%25` instead of `%`) should cover all the cases. You can chain it as many times as you like, if a URL is going to be passed around a lot, for example `%252525252f` is escaped 5 times (4 `25`s and the original escaped `%2f`).
jball
Hey, `%252f` gets me a bad request.
acidzombie24
Is there a specific error associated with it?
jball
I just did a test, and I'm able to hyperlink to a file in a folder named `sdlk%252fsd` with `href="/sdlk%252fsd/test.txt"`, so I think you're probably running into a different problem if `%252f` is breaking the request.
jball
I am using 3.5. I added both to the registry (DWORD, I double-checked both again now) and `validateRequest` (lower v) has already been set to allow `unsafe` POST data. Still no luck :(
acidzombie24
What OS are you running it on (name and 32/64 bit), and what version of IIS (version number and 32/64 bit)?
jball
That's probably the reason. I thought it was a .NET config (from the first link), then IIS. I am using the MSVS built-in web server. I would like to use IIS8, but I am long from completing development and don't have a server nor access to one.
acidzombie24
A: 

I wrote my own solution. It's nice to have a username with / but not have it considered as / when getting a GET request.

acidzombie24
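
One possible workaround of the kind the question asks for, as an added example that is not the code of either answer: put the username in the path as unpadded base64url, so the segment contains only `A-Z a-z 0-9 - _` and the server has nothing to percent-decode or reject before routing. The `UserSegment` and `Demo` class names and the choice of base64url are assumptions made for this example; the code sticks to C# 3 so it compiles on the .NET 3.5 mentioned in the thread.

```csharp
using System;
using System.Text;

public static class UserSegment
{
    const string Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

    // Username -> unpadded base64url (RFC 4648, section 5) of its UTF-8 bytes.
    public static string Encode(string username)
    {
        string b64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(username));
        return b64.TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Path segment -> username; false for anything Encode() could not have produced.
    public static bool TryDecode(string segment, out string username)
    {
        username = null;
        if (string.IsNullOrEmpty(segment)) return false;
        foreach (char c in segment)
            if (Alphabet.IndexOf(c) < 0) return false;
        string b64 = segment.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        try
        {
            // Strict UTF-8: invalid bytes throw instead of turning into U+FFFD.
            string name = new UTF8Encoding(false, true)
                .GetString(Convert.FromBase64String(b64));
            // Reject non-canonical encodings so each user has exactly one URL.
            if (Encode(name) != segment) return false;
            username = name;
            return true;
        }
        catch (FormatException) { return false; }   // not valid base64
        catch (ArgumentException) { return false; } // not valid UTF-8
    }
}

public static class Demo
{
    public static void Main()
    {
        // The four usernames from the question.
        foreach (string name in new[] { "a?@!&ee", "a?@!/&ee", "as d", "クイン" })
        {
            string segment = UserSegment.Encode(name), back;
            bool ok = UserSegment.TryDecode(segment, out back) && back == name;
            Console.WriteLine("/u/{0}  round-trips: {1}", segment, ok);
        }
    }
}
```

The decoded username is still untrusted input: HTML-encode it when rendering and never use it to build a file or virtual path.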