
Scott Hanselman's post on using wacky chars in a Request URL explains how IIS and ASP.Net security features can be circumvented to allow invalid characters to be passed on in a URL... but I am sure Stack Exchange is doing it differently, as his methodology would leave the site wide open to nasty attacks and bugs.


StackExchange has links to tags, like C#, that are sent to the web server encoded in a GET request, like this:

// C#
http://stackoverflow.com/questions/tagged/c%23

// C++
http://stackoverflow.com/questions/tagged/c%2b%2b

The trick is... they are sent as request path values (e.g. route parameters), not as values in a query string...

If you see Hanselman's article, he suggests it is only possible by turning off several other security features beyond RequestValidation (the latter allows encoded chars in the query string portion of a URL).

Questions

  1. How does StackExchange accomplish this?

  2. If it is done the same way Hanselman illustrates in his blog, what extra steps do they take to protect themselves?

one.beat.consumer
  • When I'm over the tag, I see `c%23` not `c#` where did you look? – gdoron Feb 09 '12 at 18:55
  • That's likely beside the point as well, in that the question here is how they went about allowing the funky chars in an MVC route (`tagged/{tag}` where tag is passed in `Get` as `C%23`). Did they turn everything off? I doubt they left themselves wide open – one.beat.consumer Feb 09 '12 at 19:01
  • @one.beat.consumer: Do you have a better example? The URI is definitely `c%23`. Your browser would parse `c#` as the empty anchor (`#`) on the URI `/c`. The `#` would never even be sent to the web server. – Edward Thomson Feb 09 '12 at 19:04
  • @one.beat.consumer: are you suggesting that SO is putting `#` in a link somewhere sort of magically, but only sometimes, and that your browser isn't just displaying `#` in a tooltip to be nice? Otherwise, I really don't understand what you're trying to ask. – Edward Thomson Feb 09 '12 at 19:20
  • I don't know, why not just URL encode them? – BoltClock Feb 09 '12 at 19:25
  • @BoltClock Encoding the URL is expected, I already pointed out that is being done. However, turning off ASP.Net's RequestValidation only allows the passing of encoded values in the query string, not in the "request path" such as a route parameter... which is what StackExchange is doing. – one.beat.consumer Feb 09 '12 at 19:48
  • @EdwardThomson The URL is encoded; well understood. `#` is not in the URI requested. However the encoded value is in the URI, which is not allowed at the server, even with RequestValidation off. What I am asking is (1) did they turn off the additional features Hanselman suggests? and (2) if so, what did they do to protect themselves? – one.beat.consumer Feb 09 '12 at 19:51
  • @one.beat.consumer: gotcha. Sorry, the tooltip display comment kept throwing me for a loop in parsing your question. The edit is (at least to me) much clearer. – Edward Thomson Feb 09 '12 at 20:21
  • Thank you Edward. I don't know what my problem is but I'll think I'm super clear and then get downvoted out the house. :) I appreciate it. – one.beat.consumer Feb 09 '12 at 20:34

1 Answer


They don't accept just any character. They use slugs.

Darin Dimitrov
  • I know. But a slug value sent as a route parameter is still not allowed by just turning off RequestValidation; it is not the same as a query string. The article I linked was to illustrate this for people, but it seems no one has read it. – one.beat.consumer Feb 09 '12 at 20:13
  • @one.beat.consumer, you will need to follow Scott Hanselman's article in order to configure your site to accept the % character. Depending on the ASP.NET version and web server version you are targeting there are different approaches. If you don't allow this character in your config you cannot possibly expect to find it in the path portion of a URL. So 2 possibilities: modify your web.config to allow the characters you want in the path, or use query string parameters. – Darin Dimitrov Feb 09 '12 at 20:18
  • I think we're on the same page at least. Can you spare 5 minutes in chat? - The room is http://chat.stackoverflow.com/rooms/7506/invalid-characters-in-mvc-routes – one.beat.consumer Feb 09 '12 at 20:33
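As an added illustration of the slug approach the answer describes (example code, not StackExchange's own): whatever path-character relaxations Hanselman's article has you apply in web.config are site-wide, so the one route that takes a tag can be gated again by a route constraint that accepts only decoded values from a known slug list. The `TagSlugConstraint` class, its regex and the sample tag list are assumptions; `IRouteConstraint` and `MapRoute` are the standard System.Web.Routing / System.Web.Mvc APIs.

```csharp
// Added example, not StackExchange's code. Gates the {tag} route segment on an
// allow-list of known slugs so that relaxing the global path-character checks
// does not turn every route into a sink for arbitrary characters.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

public sealed class TagSlugConstraint : IRouteConstraint
{
    // Shape of a plausible slug: starts alphanumeric, then only the few symbols
    // tags use. '/', '\', '%', '<', '>', quotes and whitespace never match, so a
    // double-encoded or traversal-looking segment is refused before the lookup.
    private static readonly Regex SlugShape =
        new Regex(@"^[a-z0-9][a-z0-9+#.\-]{0,34}$", RegexOptions.Compiled);

    private readonly HashSet<string> _knownSlugs;

    public TagSlugConstraint(IEnumerable<string> knownSlugs)
    {
        _knownSlugs = new HashSet<string>(knownSlugs, StringComparer.Ordinal);
    }

    // Routing has already decoded the segment once, so "c%23" arrives as "c#"
    // and "c%2b%2b" as "c++". Anything not in the known set is a 404, not a hit.
    public bool Match(HttpContextBase httpContext, Route route, string parameterName,
                      RouteValueDictionary values, RouteDirection routeDirection)
    {
        object raw;
        if (!values.TryGetValue(parameterName, out raw) || raw == null) return false;
        string slug = raw.ToString();
        return SlugShape.IsMatch(slug) && _knownSlugs.Contains(slug);
    }
}

public class RouteConfig
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        // Hypothetical tag list; a real site would load it from its tag table.
        var knownTags = new[] { "c#", "c++", "asp.net-mvc" };

        routes.MapRoute(
            name: "TaggedQuestions",
            url: "questions/tagged/{tag}",
            defaults: new { controller = "Questions", action = "Tagged" },
            constraints: new { tag = new TagSlugConstraint(knownTags) });
    }
}
```

With this in place, `/questions/tagged/c%23` reaches the `Tagged` action with `tag == "c#"`, while a segment that decodes to anything outside the known set never matches the route at all.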