homepage Welcome to WebmasterWorld Guest from 23.22.59.252
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Microsoft / Microsoft IIS Web Server and ASP.NET
Forum Library, Charter, Moderators: ocean10000

Microsoft IIS Web Server and ASP.NET Forum

    
IIS7 and entities in URL
JesterMagic

10+ Year Member



 
Msg#: 4522367 posted 2:38 pm on Nov 25, 2012 (gmt 0)

On IIS7 is there a way for the server to decode entities found in a URL automatically?

For example some people have linked to my site like so:

http%3A%2F%2Fwww.mysite.com%2Findex.php%3Fpage%3Dtest

when it should be

[mysite.com...]

The slashes seem to get decoded fine but the question mark and equals does not.

How do I fix this?

Also is there a security reason behind not decoded the ? and = entities?

Thanks

 

phranque

WebmasterWorld Administrator phranque us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



 
Msg#: 4522367 posted 3:34 am on Nov 26, 2012 (gmt 0)

according to protocol, all unencoding should be delayed until the context in which that part of the URL is relevant.

therefore the browser will decode until it finds the 3rd slash since the browser needs the scheme, hostname and optionally the port before it can make a connection and request the rest of the URL.

phranque

WebmasterWorld Administrator phranque us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



 
Msg#: 4522367 posted 9:15 am on Nov 26, 2012 (gmt 0)

this is the reference i was looking for.
http://www.ietf.org/rfc/rfc3986.txt [ietf.org]:
2.4. When to Encode or Decode
...
When a URI is dereferenced, the components and subcomponents significant to the scheme-specific dereferencing process (if any) must be parsed and separated before the percent-encoded octets within those components can be safely decoded, as otherwise the data may be mistaken for component delimiters. The only exception is for percent-encoded octets corresponding to characters in the unreserved set, which can be decoded at any time.



while i explained why part of the url was decoded, i didn't get around to answering your question.

i'm pretty sure you can only solve this with a redirect.
this is discussed in an apache context in this WebmasterWorld thread - Question about %3F and %3D embedded in inbound links - Apache Web Server forum:
http://www.webmasterworld.com/apache/4138119.htm [webmasterworld.com]

perhaps there is another place in the IIS request processing pipeline where you can fix this.

however if index.php is your default directory index document you should be 301 redirecting that request anyway to:
http://www.example.com/?page=test

what happens when you request the following?
http://www.example.com/?page%3Dtest

JesterMagic

10+ Year Member



 
Msg#: 4522367 posted 2:23 pm on Nov 26, 2012 (gmt 0)

what happens when you request the following?
http://www.example.com/?page%3Dtest


It does a redirect. Now I just have to get rewriting to work to make it useful :-)

Thanks for the Apache Web Server Forum page I had missed that in my searches. I am not to familiar with either Apache or IIS rewrite rules. I see that IIS7 has an import tool for Apache mod_rewrite Rules. I will try that and report back if I have had any success in getting it to work.

JesterMagic

10+ Year Member



 
Msg#: 4522367 posted 5:35 pm on Nov 26, 2012 (gmt 0)

Well the import failed of:


# If THE_REQUEST contains a URL-path with a percent-encoded "?" and/or a query string with one
# or more specific percent-encoded characters, and we're not already in the process of fixing
# it, then copy the client-requested URL-path-plus-query-string into the "MyURI" variable.
RewriteCond %{ENV:MyURI}>%{THE_REQUEST} ^>[A-Z]+\ /([^\ ]+)\ HTTP/
RewriteCond %1 ^([^?]*\?([^%]*(\%(25)*([^3].|.[^D]))*)*\%(25)*3D.*)$ [NC,OR]
RewriteCond %1 ^([^?]*\?([^%]*(\%(25)*([^2].|.[^6]))*)*\%(25)*26.*)$ [OR]
RewriteCond %1 ^(([^%]*(\%(25)*([^3].|.[^F]))*)*\%(25)*3F.*)$ [NC]
RewriteRule ^. - [NE,E=MyURI:%1]
#
# If any encoded question mark is present in the client-requested URI, and
# no unencoded question mark is present, replace the first encoded question
# mark, queue up a redirect, and then re-start mod_rewrite processing
RewriteCond %{ENV:MyURI} ^[^?]+$
RewriteCond %{ENV:MyURI} ^(([^%]*(\%(25)*([^3].|.[^F]))*)*)\%(25)*3F(.*)$ [NC]
RewriteRule ^. - [NE,E=MyURI:%1?%7,E=QRedir:Yes,N]
#
# If any encoded "=" sign follows the "?", replace it, queue
# up a redirect, and re-start mod_rewrite processing
RewriteCond %{ENV:MyURI} ^([^?]*\?([^%]*(\%(25)*([^3].|.[^D]))*)*)\%(25)*3D(.*)$ [NC]
RewriteRule ^. - [NE,E=MyURI:%1=%7,E=QRedir:Yes,N]
#
# If any encoded ampersand follows the "?", replace it, queue
# up a redirect, and then re-start mod_rewrite processing
RewriteCond %{ENV:MyURI} ^([^?]*\?([^%]*(\%(25)*([^2].|.[^6]))*)*)\%(25)*26(.*)$
RewriteRule ^. - [NE,E=MyURI:%1&%7,E=QRedir:Yes,N]
#
# If we get here, there are no more percent-encoded characters which can
# and should be replaced by the rules above, so do the external redirect
RewriteCond %{ENV:QRedir} =Yes [NC]
RewriteRule ^. http://www.example.com/%{ENV:MyURI} [NE,R=301,L]


None of the rules converted due to the contorl flow flags (C, S, N) are not supported.

Can anyone convert this for me?

Or does someone have something else that works in IIS7 to solve this problem?

phranque

WebmasterWorld Administrator phranque us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



 
Msg#: 4522367 posted 12:51 am on Nov 27, 2012 (gmt 0)

what happens when you request the following?
http://www.example.com/?page%3Dtest

It does a redirect.


what does it redirect to?


do you have any ampersands, encoded or not, in the query string or is it always the simple case of a single "parameter%3Dvalue"?
if you don't have to loop, remove the [N] flags.
then you can just drop through to the subsequent rulesets.
also remove the ampersand ruleset.

assuming you edited www.example.com to your canonical hostname...
=8)

JesterMagic

10+ Year Member



 
Msg#: 4522367 posted 1:34 am on Nov 29, 2012 (gmt 0)

Okay I have narrowed things down a bit. Apparentyly IIS automatically converts the entities. Looking at the detailed error report the requested url displayed is correct (it got converted properly). The module reporting the error is IIS Web Core and the Notification is the MapRequestHandler and the Handler is StaticFile.

So for some reason it looks like when there are entities in the url after the conversion the php handler mapping is skipped and it goes straight to the staticfile handler. IIS is not recognizing the php file extension for some reason and doesn't use the correct mapping and I have no idea why...

phranque

WebmasterWorld Administrator phranque us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



 
Msg#: 4522367 posted 8:53 am on Nov 29, 2012 (gmt 0)

just to clarify - is it converting all the entities through the query string or just up through the question mark?


are you saying php processing works when there's no encoding in the query string?


have you gone through this or a similar process?
(haven't read it all so it may be irrelevant.)

PHP: Microsoft IIS 7.0 and later - Manual:
http://php.net/manual/en/install.windows.iis7.php [php.net]

JesterMagic

10+ Year Member



 
Msg#: 4522367 posted 2:27 pm on Nov 29, 2012 (gmt 0)

just to clarify - is it converting all the entities through the query string or just up through the question mark?


All entries.


are you saying php processing works when there's no encoding in the query string?


Yes.

I also have reviewed the php install several times and everything is set as it should be (at least according to php.net)

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Microsoft / Microsoft IIS Web Server and ASP.NET
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved