1

Some background info: I have a .NET Core 3.1 MVC API web application running as an Azure Web Service. One GET method expects a Base64-encoded string as part of the URL. I do not have full control over the data and so some clients happen to have data whose Base64-encoding contains a double slash. I know that URLs with double slashes are valid, so I cannot blame them either.

Now when I run my code locally in IIS Express, everything works fine. When running this code as an Azure App Service, a double slashes in the URL is reduced to a single slash, which tampers the incoming data. Here is the code of my controller (MWE):

using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("[controller]")]
public class SlashController : ControllerBase
{
    [HttpGet("{*parameter}")]
    public string Get(string parameter)
    {
        return parameter;
    }
}

When I access http://localhost/slash/test//test, it returns test//test, while when I access https://my-mwe-example-website.azurewebsites.net/slash/test//test, it returns test/test.

Furthermore, I can reproduce the erroneous App Service behavior locally by adding the following line to the <PropertyGroup> section of my .csproj file:

<AspNetCoreHostingModel>OutOfProcess</AspNetCoreHostingModel>

Is there any way to find out the original path when the app runs as as Azure App Service Web App?

Edit: URL-encoding doesn't help either. A GET with the path slash/test%2F%2Ftest also returns only test/test.

I tried different settings in Configuration -> General settings, but with no effect. Just as a shot in the dark, I tried:

  • Stack: .NET and .NET Core
  • Managed Pipeline: Integrated and Classic
  • HTTP version: 1.1 and 2.0
  • Web Sockets: On and Off
Froggy
  • 339
  • 2
  • 15
  • If it was base 64 encoded to a slash, it should have been url encoded as well. Why are you not url encoding it? – mjwills Jul 22 '20 at 12:08
  • It's an OCSP implementation and [the RFC](https://tools.ietf.org/html/rfc6960#appendix-A.1) actually says that it should indeed by URL-encoded. The OCSP client that is part of the Windows OS doesn't do it, though, and sends the double slashes. I cannot change the client side. – Froggy Jul 22 '20 at 13:57
  • Furthermore, the URL encoding doesn't help anyway. A GET with the path `slash/test%2F%2Ftest` also returns `test/test` – Froggy Jul 23 '20 at 06:21
  • 4
    Does this answer your question? [ASP.NET MVC removes double forward slashes from request parameters](https://stackoverflow.com/questions/22152500/asp-net-mvc-removes-double-forward-slashes-from-request-parameters) – Daniel Björk Aug 03 '20 at 11:22
  • No, the query string solution caused other problems. My question is also specifically about Azure App Services, which, I admit, I didn't write in the question title so this question looks like a duplicate to the other one. The other question is for MVC without Core, too. For Core, I have a solution, which just doesn't work on Azure App Service. – Froggy Feb 11 '21 at 10:13
  • But although this question has no answer, I removed data from my app that encodes to double slashes, so I have a workaround. – Froggy Feb 11 '21 at 10:16

0 Answers0