GETting a URL with an url-encoded slash

Question

I want to send a HTTP GET to http://example.com/%2F. My first guess would be something like this:

using (WebClient webClient = new WebClient())
{
  webClient.DownloadData("http://example.com/%2F");
}

Unfortunately, I can see that what is actually sent on the wire is:

GET // HTTP/1.1
Host: example.com
Connection: Keep-Alive

So http://example.com/%2F gets translated into http://example.com// before transmitting it.

Is there a way to actually send this GET-request?

The OCSP-protocol mandates sending the url-encoding of a base-64-encoding when using OCSP over HTTP/GET, so it is necessary to send an actual %2F rather than an '/' to be compliant.

EDIT:

Here is the relevant part of the OCSP protocol standard (RFC 2560 Appendix A.1.1):

An OCSP request using the GET method is constructed as follows:

GET {url}/{url-encoding of base-64 encoding of the DER encoding of the OCSPRequest}

I am very open to other readings of this, but I cannot see what else could be meant.

Sounds like a bug in the OCSP protocol to me (or, alternatively, a misinterpretation of it). — Julian Reschke, Apr 23 '09 at 11:38
@knocte: It has been reported and fixed. See Bradley Gaingers answer. — Rasmus Faber, Oct 31 '12 at 19:59
actually, either the link is broken, or the bug report is private :( — knocte, Oct 31 '12 at 20:43
http://stackoverflow.com/a/18511985/420849 — for similar problem in Power Shell — Boo, Aug 29 '13 at 13:14

Rasmus Faber · Answer 1 · 2012-06-04T10:10:10.677

52

This is a terrible hack, bound to be incompatible with future versions of the framework and so on.

But it works!

(on my machine...)

Uri uri = new Uri("http://example.com/%2F");
ForceCanonicalPathAndQuery(uri);
using (WebClient webClient = new WebClient())
{
  webClient.DownloadData(uri);
}

void ForceCanonicalPathAndQuery(Uri uri){
  string paq = uri.PathAndQuery; // need to access PathAndQuery
  FieldInfo flagsFieldInfo = typeof(Uri).GetField("m_Flags", BindingFlags.Instance | BindingFlags.NonPublic);
  ulong flags = (ulong) flagsFieldInfo.GetValue(uri);
  flags &= ~((ulong) 0x30); // Flags.PathNotCanonical|Flags.QueryNotCanonical
  flagsFieldInfo.SetValue(uri, flags);
}

edited Jun 04 '12 at 10:10

answered Apr 24 '09 at 08:15

Rasmus Faber

48,631
24
141
189

+1. Perfect! I needed this to get the Google Webmaster Tools API to work. – David Jan 07 '10 at 21:23
1

works indeed. I wonder what the reason is for them not allowing the 'dontEscape' parameter? – Patrick Klug Jul 09 '10 at 04:20
2

For the love of Atwood this answer saved me hours. Thanks! – Matt Sherman Apr 21 '11 at 23:46
Why for the love of baby jesus isn't this the default behavior of WebClient? Thank you for this solution Rasmus. – Rafe Jun 05 '12 at 13:06
The above solution does not work in a shared server environment with medium trust. Is there any other way to do this without reflection? - Jerry Hogsett – jhogsett Aug 29 '12 at 00:58
1

@user1473484: Yes, you can work around this by changing your app.config; see my answer to a similar question here: http://stackoverflow.com/a/10415482 – Bradley Grainger Aug 29 '12 at 02:29
Rasmus, I just went and created a library for .NET and Mono to address this. I used your approach for the .NET version. It's here: https://github.com/glennblock/PUrify/blob/master/README.md. I've added your name in the credits, if you have concerns let me know. – Glenn Block Dec 25 '13 at 19:30
Thanks for this. Best solution to this problem that I've found. – Niels Bosma Feb 10 '15 at 05:48
This is great! But do you have a solution for preventing "%2B" escaping into "+"? I want tried this but it doesn't work for "%2B"... – Ninja Jul 30 '19 at 18:01
1

To get this to work under .Net Standard (and possibly recent versions of .Net Framework) you will need to add `flags &= ~((ulong)0xC30);` and change `m_Flags` to `_flags` – Michael Brown Oct 13 '19 at 05:17

score 31 · Accepted Answer · edited Oct 07 '21 at 05:46

By default, the Uri class will not allow an escaped / character (%2f) in a URI (even though this appears to be legal in my reading of RFC 3986).

Uri uri = new Uri("http://example.com/%2F");
Console.WriteLine(uri.AbsoluteUri); // prints: http://example.com//

(Note: don't use Uri.ToString to print URIs.)

According to the bug report for this issue on Microsoft Connect, this behaviour is by design, but you can work around it by adding the following to your app.config or web.config file:

<uri>
  <schemeSettings>
    <add name="http" genericUriParserOptions="DontUnescapePathDotsAndSlashes" />
  </schemeSettings>
</uri>

(Reposted from https://stackoverflow.com/a/10415482 because this is the "official" way to avoid this bug without using reflection to modify private fields.)

Edit: The Connect bug report is no longer visible, but the documentation for <schemeSettings> recommends this approach to allow escaped / characters in URIs. Note (as per that article) that there may be security implications for components that don't handle escaped slashes correctly.

Be sure to use name="https" if the URL you are calling is HTTPS. — r590, Jun 21 '17 at 21:41

score 13 · Answer 3 · edited May 23 '17 at 12:10

Update on this: It looks like the default behavior of the Uri class was actually changed in .NET 4.5, and you can now use escaped slashes and they will not be touched.

I ran the following code in .NET 3.5, .NET 4.0, .NET 4.5/4.5.1

static void Main(string[] args)
{
    var uri = new Uri("http://www.yahooo.com/%2F");
    var client = new WebClient();
    client.DownloadString(uri);
}

In .NET 3.5/4.0 the trace shows that the %2F was in fact unescaped as expected.

Fiddler trace

However, In .NET 4.5/4.5.1 you can see the %2F was not unescaped (notice the GET /%2F)

Fiddler trace

You can even use ToString() now on the Uri and you'll get the same result.

So in conclusion, it appears if you are using .NET >= .NET 4.5 then things will behave as they should inline with the RFC.

I just did an exploration of trying to get the same approach working on Mono. I posted my question on the approach here: Getting a Uri with escaped slashes on mono

I would like to add, that the change only takes effect when changing the "Target Framework" in Visual Studio to .NET 4.5. Just having .NET 4.5 installed on the machine will not change the behaviour. — aKzenT, Mar 11 '14 at 12:45

score 0 · Answer 4 · answered Oct 13 '19 at 05:18

As mentioned in my comment on the answer posted by Ramus, the following is required for .Net Standard (and possibly later versions of .Net Framework) to get this hack working:

Uri uri = new Uri("http://example.com/%2F");
ForceCanonicalPathAndQuery(uri);
using (WebClient webClient = new WebClient())
{
  webClient.DownloadData(uri);
}

void ForceCanonicalPathAndQuery(Uri uri){
  string paq = uri.PathAndQuery; // need to access PathAndQuery
  FieldInfo flagsFieldInfo = typeof(Uri).GetField("_flags", BindingFlags.Instance | BindingFlags.NonPublic);
  ulong flags = (ulong) flagsFieldInfo.GetValue(uri);
  flags &= ~((ulong) 0xC30); // Flags.PathNotCanonical|Flags.QueryNotCanonical
  flagsFieldInfo.SetValue(uri, flags);
}

score -7 · Answer 5 · answered Apr 23 '09 at 10:55

-7

Double encode it : %252F

But also if you use HttpWebRequest you can actually tell not to encode the URL, either way it should work.

Also If WebClient accepts URI then you can create a new URI and you can set it to not encode.

answered Apr 23 '09 at 10:55

dr. evil

26,944
33
131
201

1

If I try to get http://example.com/%252F, it actually sends GET /%252F, so that does not work. The URI-constructor with dontEscape is deprecated since 2.0 and according to the documentation, the dontEscape-parameter is ignored. Was that what you meant about using HttpWebRequest? – Rasmus Faber Apr 23 '09 at 11:16
Check if the problem is in URI constructor? or the actual sending process? this can help to diagnose to exact problem. – dr. evil Apr 23 '09 at 12:02

GETting a URL with an url-encoded slash

5 Answers5

Linked

Related