HttpClient will Encode the url internally

Question

Here is my link:

58.87.64.22/?{{%25}}cake\=1

When I open it in Chrome, it will give me 400 status code which is correct.

But When I open it using HTTP client, it will return 200 status code:

HttpClient client = new HttpClient();
var w = await client.GetAsync("http://58.87.64.22/?{{%25}}cake\\=1");

it seems HTTP client will encode the URL into this:

58.87.64.22/?%7B%7B%25%7D%7Dcake%5C=1

when I test the encoded URL in Chrome, it will open a webpage and will return 200 status code.

How to solve such a thing? I need to get 400 status code when sending request to this URL.

You need to send an invalid request? What's your use case, automated testing? — Etienne de Martel, Aug 12 '23 at 18:28
This is because HttpClient uses Uri, you can try it for yourself by creating a new Uri — T. Dominik, Aug 22 '23 at 13:18
@T.Dominik please guide me on how to create a URI that skips encoding. — Inside Man, Aug 22 '23 at 13:24
You can try something like this, but it's obsolete: new Uri(new Uri("http://58.87.64.22/"), "?{{%25}}cake\\=1", true); ....and then pass Uri to GetAsync instead of string. — T. Dominik, Aug 22 '23 at 13:26
@InsideMan you could use `Uri.TryCreate` before the `GetAsync` — Julian, Aug 22 '23 at 13:46
@Julian `TryCreate` is for validating, I need to skip encoding. — Inside Man, Aug 22 '23 at 13:48
@InsideMan you could disable the percent-encoding with the [config](https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/network/schemesettings-element-uri-settings?redirectedfrom=MSDN#example) — Julian, Aug 22 '23 at 13:52
@Julian thank you man, but I'm using the Uri inside the `HttpClient` — Inside Man, Aug 22 '23 at 13:53
@InsideMan yes but you could generate the Uri with the config (which won't use percent-encoding) and provide it in `GetAsync` ... it won't encode the uri again, would it? — Julian, Aug 22 '23 at 13:55
@Julian how to use such an XML configuration in a dll library project? — Inside Man, Aug 22 '23 at 14:02
This works: `new Uri(new Uri("http://58.87.64.22/"), "?{{%25}}cake\\=1", true);` and gives 400 status. @T.Dominik just didn't specify the "http://" part of Uri, hence the Invalid URI exception — Legkov Ivan, Aug 22 '23 at 14:44
@LegkovIvan stackoverflow automatically converts it to the actual link...eh — T. Dominik, Aug 22 '23 at 16:36
@InsideMan you may want to look at [this](https://stackoverflow.com/a/76942781/16871250) answer — Julian, Aug 23 '23 at 05:52

pfx · Accepted Answer · 2023-08-22T21:01:10.483

Pass a Uri object instantiated via the overload having a UriCreationOptions argument with DangerousDisablePathAndQueryCanonicalization set to true.

Gets or sets a value that indicates whether the path and query are validated and normalized.
true to disable path and query validation; false to enable it.

var options = new UriCreationOptions 
{
    DangerousDisablePathAndQueryCanonicalization = true
};
var uri = new Uri(@"http://58.87.64.22/?{{%25}}cake\=1", options);

HttpClient client = new HttpClient();
await client.GetAsync(uri);

Fiddler shows that below request is being made without any encoding.

GET http://58.87.64.22/?{{%25}}cake\=1 HTTP/1.1
Host: 58.87.64.22

Resulting in a Bad Request HTTP status code.

HTTP/1.1 400

thank you man, it works like a charm. Great Hint. – Inside Man Aug 23 '23 at 14:46 — Inside Man, Aug 23 '23 at 14:46

HttpClient will Encode the url internally

1 Answers1