Welcome to WebmasterWorld Guest from 54.144.243.34

Forum Moderators: ocean10000

IIS7 and entities in URL

   
2:38 pm on Nov 25, 2012 (gmt 0)

10+ Year Member



On IIS7 is there a way for the server to decode entities found in a URL automatically?

For example some people have linked to my site like so:

http%3A%2F%2Fwww.mysite.com%2Findex.php%3Fpage%3Dtest

when it should be

[mysite.com...]

The slashes seem to get decoded fine but the question mark and equals does not.

How do I fix this?

Also is there a security reason behind not decoded the ? and = entities?

Thanks
3:34 am on Nov 26, 2012 (gmt 0)

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



according to protocol, all unencoding should be delayed until the context in which that part of the URL is relevant.

therefore the browser will decode until it finds the 3rd slash since the browser needs the scheme, hostname and optionally the port before it can make a connection and request the rest of the URL.
9:15 am on Nov 26, 2012 (gmt 0)

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



this is the reference i was looking for.
http://www.ietf.org/rfc/rfc3986.txt [ietf.org]:
2.4. When to Encode or Decode
...
When a URI is dereferenced, the components and subcomponents significant to the scheme-specific dereferencing process (if any) must be parsed and separated before the percent-encoded octets within those components can be safely decoded, as otherwise the data may be mistaken for component delimiters. The only exception is for percent-encoded octets corresponding to characters in the unreserved set, which can be decoded at any time.



while i explained why part of the url was decoded, i didn't get around to answering your question.

i'm pretty sure you can only solve this with a redirect.
this is discussed in an apache context in this WebmasterWorld thread - Question about %3F and %3D embedded in inbound links - Apache Web Server forum:
http://www.webmasterworld.com/apache/4138119.htm [webmasterworld.com]

perhaps there is another place in the IIS request processing pipeline where you can fix this.

however if index.php is your default directory index document you should be 301 redirecting that request anyway to:
http://www.example.com/?page=test

what happens when you request the following?
http://www.example.com/?page%3Dtest
2:23 pm on Nov 26, 2012 (gmt 0)

10+ Year Member



what happens when you request the following?
http://www.example.com/?page%3Dtest


It does a redirect. Now I just have to get rewriting to work to make it useful :-)

Thanks for the Apache Web Server Forum page I had missed that in my searches. I am not to familiar with either Apache or IIS rewrite rules. I see that IIS7 has an import tool for Apache mod_rewrite Rules. I will try that and report back if I have had any success in getting it to work.
5:35 pm on Nov 26, 2012 (gmt 0)

10+ Year Member



Well the import failed of:


# If THE_REQUEST contains a URL-path with a percent-encoded "?" and/or a query string with one
# or more specific percent-encoded characters, and we're not already in the process of fixing
# it, then copy the client-requested URL-path-plus-query-string into the "MyURI" variable.
RewriteCond %{ENV:MyURI}>%{THE_REQUEST} ^>[A-Z]+\ /([^\ ]+)\ HTTP/
RewriteCond %1 ^([^?]*\?([^%]*(\%(25)*([^3].|.[^D]))*)*\%(25)*3D.*)$ [NC,OR]
RewriteCond %1 ^([^?]*\?([^%]*(\%(25)*([^2].|.[^6]))*)*\%(25)*26.*)$ [OR]
RewriteCond %1 ^(([^%]*(\%(25)*([^3].|.[^F]))*)*\%(25)*3F.*)$ [NC]
RewriteRule ^. - [NE,E=MyURI:%1]
#
# If any encoded question mark is present in the client-requested URI, and
# no unencoded question mark is present, replace the first encoded question
# mark, queue up a redirect, and then re-start mod_rewrite processing
RewriteCond %{ENV:MyURI} ^[^?]+$
RewriteCond %{ENV:MyURI} ^(([^%]*(\%(25)*([^3].|.[^F]))*)*)\%(25)*3F(.*)$ [NC]
RewriteRule ^. - [NE,E=MyURI:%1?%7,E=QRedir:Yes,N]
#
# If any encoded "=" sign follows the "?", replace it, queue
# up a redirect, and re-start mod_rewrite processing
RewriteCond %{ENV:MyURI} ^([^?]*\?([^%]*(\%(25)*([^3].|.[^D]))*)*)\%(25)*3D(.*)$ [NC]
RewriteRule ^. - [NE,E=MyURI:%1=%7,E=QRedir:Yes,N]
#
# If any encoded ampersand follows the "?", replace it, queue
# up a redirect, and then re-start mod_rewrite processing
RewriteCond %{ENV:MyURI} ^([^?]*\?([^%]*(\%(25)*([^2].|.[^6]))*)*)\%(25)*26(.*)$
RewriteRule ^. - [NE,E=MyURI:%1&%7,E=QRedir:Yes,N]
#
# If we get here, there are no more percent-encoded characters which can
# and should be replaced by the rules above, so do the external redirect
RewriteCond %{ENV:QRedir} =Yes [NC]
RewriteRule ^. http://www.example.com/%{ENV:MyURI} [NE,R=301,L]


None of the rules converted due to the contorl flow flags (C, S, N) are not supported.

Can anyone convert this for me?

Or does someone have something else that works in IIS7 to solve this problem?
12:51 am on Nov 27, 2012 (gmt 0)

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



what happens when you request the following?
http://www.example.com/?page%3Dtest

It does a redirect.


what does it redirect to?


do you have any ampersands, encoded or not, in the query string or is it always the simple case of a single "parameter%3Dvalue"?
if you don't have to loop, remove the [N] flags.
then you can just drop through to the subsequent rulesets.
also remove the ampersand ruleset.

assuming you edited www.example.com to your canonical hostname...
=8)
1:34 am on Nov 29, 2012 (gmt 0)

10+ Year Member



Okay I have narrowed things down a bit. Apparentyly IIS automatically converts the entities. Looking at the detailed error report the requested url displayed is correct (it got converted properly). The module reporting the error is IIS Web Core and the Notification is the MapRequestHandler and the Handler is StaticFile.

So for some reason it looks like when there are entities in the url after the conversion the php handler mapping is skipped and it goes straight to the staticfile handler. IIS is not recognizing the php file extension for some reason and doesn't use the correct mapping and I have no idea why...
8:53 am on Nov 29, 2012 (gmt 0)

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



just to clarify - is it converting all the entities through the query string or just up through the question mark?


are you saying php processing works when there's no encoding in the query string?


have you gone through this or a similar process?
(haven't read it all so it may be irrelevant.)

PHP: Microsoft IIS 7.0 and later - Manual:
http://php.net/manual/en/install.windows.iis7.php [php.net]
2:27 pm on Nov 29, 2012 (gmt 0)

10+ Year Member



just to clarify - is it converting all the entities through the query string or just up through the question mark?


All entries.


are you saying php processing works when there's no encoding in the query string?


Yes.

I also have reviewed the php install several times and everything is set as it should be (at least according to php.net)
 

Featured Threads

My Threads

Hot Threads This Week

Hot Threads This Month