So I have a URL encoded path where the last part of the route is generated with `WebUtility.UrlEncode` (ASP.NET Core 3.1).

blah/blah/MRgeOkgo8fqRVrQbUawTmtP6DbSN42QTXLqH1064Wl9P1iyi3v9%2F%2BmB36VOcz8WD7qSKoyJ3%2B0mZ874WQxAlptzQo6mylIa%2BN%2BKasrdkFXY0whRafA48UknQtP9BYXkg6QSfDGOxAu8Fl%2F%2Bq%2BIftYw%3D%3D

This is URL encoded, so in the code at the path /blah/blah I decode it with `WebUtility.UrlDecode` to get

MRgeOkgo8fqRVrQbUawTmtP6DbSN42QTXLqH1064Wl9P1iyi3v9/ mB36VOcz8WD7qSKoyJ3 0mZ874WQxAlptzQo6mylIa N KasrdkFXY0whRafA48UknQtP9BYXkg6QSfDGOxAu8Fl/ q IftYw==

(which I then run through another encryption algorithm to get the data out).

The problem is the URL encoded path generates a 404.11 when passed into IIS. IIS rejects the request because of double escaping. I know how to fix this, just add in

            <security>
                <requestFiltering allowDoubleEscaping="true" />
            </security>

to the web config.

However, I don't know why IIS is generating a 404.11 because the URL looks fine.

What gives?

Stephen Angell
  • Not that it will solve the problem, but instead of `WebUtility.UrlEncode` you should use `Uri.EscapeDataString` instead: https://stackoverflow.com/questions/3572173/server-urlencode-vs-uri-escapedatastring – Dai Nov 14 '22 at 16:34
  • Have you enabled Failed Request Tracing? Where is your `web.config` file located relative to the IIS Website root? Do you have any IIS virtual-directories or application-scopes defined in the IIS Website? – Dai Nov 14 '22 at 16:35
  • Many thanks for the mention of Uri. over WebUtility. I will make that change and see if it fixes it. Webconfig is in the root. There are a couple of applications within the IIS website (a couple of web apis). I should mention that the webconfig fix works fine, but I don't see why it's needed, as the url looks ok. – Stephen Angell Nov 14 '22 at 16:44
  • I believe IIS simply looks for any occurrences of `%2` in a request URL and complains if it sees any. I noticed that you're trying to pass a Base64 value - **don't**: Base64 is not suitable for use in URLs (even when URL-encoded) because Base64 uses the reserved URL characters `/` and `+` - instead [you should use `Base64Url` which uses different, non-URL-reserved characters](https://base64.guru/standards/base64url): "`_`" instead of "`/`" and "`-`" instead of "`+`" - doing so side-steps this issue entirely. – Dai Nov 14 '22 at 16:50

1 Answer

As mentioned by @Dai, I switched to encoding the data to a URL part with `WebEncoders.Base64UrlEncode` (from `Microsoft.AspNetCore.WebUtilities`) and all good now.

Stephen Angell
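An added example (not code from the answer or from ASP.NET Core) that puts the two encodings discussed above side by side: standard Base64 needs `%2B`/`%2F`/`%3D` escapes in a path segment, while Base64Url needs none and still round-trips. The `UrlSafeToken` class, its `Encode`/`Decode` helpers and the sample bytes are assumptions made for illustration; in an ASP.NET Core project, `WebEncoders.Base64UrlEncode` and `WebEncoders.Base64UrlDecode` do the same job.

```csharp
using System;
using System.Linq;

static class UrlSafeToken
{
    // Base64Url (RFC 4648, section 5): '+' becomes '-', '/' becomes '_', padding is dropped.
    public static string Encode(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static byte[] Decode(string token)
    {
        // Reject anything outside the Base64Url alphabet before touching the decoder.
        if (!token.All(c => c < 128 && (char.IsLetterOrDigit(c) || c == '-' || c == '_')))
            throw new FormatException("Not a Base64Url token.");

        string b64 = token.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)   // restore the padding Encode removed
        {
            case 1: throw new FormatException("Invalid Base64Url length.");
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return Convert.FromBase64String(b64);
    }

    static void Main()
    {
        // Constructed sample bytes standing in for the encrypted payload.
        byte[] payload = { 0xFB, 0xFF, 0xBE, 0x31, 0x18 };

        string standard = Convert.ToBase64String(payload);
        string escaped  = Uri.EscapeDataString(standard);
        string urlSafe  = Encode(payload);

        Console.WriteLine($"Base64, percent-encoded: {escaped}");
        Console.WriteLine($"Base64Url:               {urlSafe}");
        // Escaping the Base64Url form is a no-op: nothing in it is reserved.
        Console.WriteLine($"Needs escaping:          {Uri.EscapeDataString(urlSafe) != urlSafe}");
        Console.WriteLine($"Round trip intact:       {Decode(urlSafe).SequenceEqual(payload)}");
    }
}
```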