pdavis
pdavis

Reputation: 3211

QueryString malformed after URLDecode

I'm trying to pass in a Base64 string into a C#.Net web application via the QueryString. When the string arrives the "+" (plus) sign is being replaced by a space. It appears that the automatic URLDecode process is doing this. I have no control over what is being passed via the QueryString. Is there any way to handle this server side?

Example:

http://localhost:3399/Base64.aspx?VLTrap=VkxUcmFwIHNldCB0byAiRkRTQT8+PE0iIHBsdXMgb3IgbWludXMgNSBwZXJjZW50Lg==

Produces:

VkxUcmFwIHNldCB0byAiRkRTQT8 PE0iIHBsdXMgb3IgbWludXMgNSBwZXJjZW50Lg==

People have suggested URLEncoding the querystring:

System.Web.HttpUtility.UrlEncode(yourString) 

I can't do that as I have no control over the calling routine (which is working fine with other languages).

There was also the suggestion of replacing spaces with a plus sign:

Request.QueryString["VLTrap"].Replace(" ", "+");

I had though of this but my concern with it, and I should have mentioned this to start, is that I don't know what other characters might be malformed in addition to the plus sign.

My main goal is to intercept the QueryString before it is run through the decoder.

To this end I tried looking at Request.QueryString.toString() but this contained the same malformed information. Is there any way to look at the raw QueryString before it is URLDecoded?

After further testing it appears that .Net expects everything coming in from the QuerString to be URL encoded but the browser does not automatically URL encode GET requests.

Upvotes: 15

Views: 34114

Answers (11)

Jacob VanScoy
Jacob VanScoy

Reputation: 1168

If you use System.Uri.UnescapeDataString(yourString) it will ignore the +. This method should only be used in cases like yours where when the string was encoded using some sort of legacy approach either on the client or server.

See this blog post: http://blogs.msdn.com/b/yangxind/archive/2006/11/09/don-t-use-net-system-uri-unescapedatastring-in-url-decoding.aspx

Upvotes: 2

Roman Lazunin
Roman Lazunin

Reputation: 131

I had similar problem with a parameter that contains Base64 value and when it comes with '+'. Only Request.QueryString["VLTrap"].Replace(" ", "+"); worked fine for me; no UrlEncode or other encoding helping because even if you show encoded link on page yourself with '+' encoded as a '%2b' then it's browser that changes it to '+' at first when it showen and when you click it then browser changes it to empty space. So no way to control it as original poster says even if you show links yourself. The same thing with such links even in html emails.

Upvotes: 2

Oaresome
Oaresome

Reputation: 41

I'm having this exact same issue except I have control over my URL. Even with Server.URLDecode and Server.URLEncode it doesn't convert it back to a + sign, even though my query string looks as follows:

http://localhost/childapp/default.aspx?TokenID=0XU%2fKUTLau%2bnSWR7%2b5Z7DbZrhKZMyeqStyTPonw1OdI%3d

When I perform the following.

string tokenID = Server.UrlDecode(Request.QueryString["TokenID"]);

it still does not convert the %2b back into a + sign. Instead I have to do the following:

string tokenID = Server.UrlDecode(Request.QueryString["TokenID"]);
tokenID = tokenID.Replace(" ", "+");

Then it works correctly. Really odd.

Upvotes: 4

Tim Farley
Tim Farley

Reputation: 11950

The suggested solution:

Request.QueryString["VLTrap"].Replace(" ", "+");

Should work just fine. As for your concern:

I had though of this but my concern with it, and I should have mentioned this to start, is that I don't know what other characters might be malformed in addition to the plus sign.

This is easy to alleviate by reading about base64. The only non alphanumeric characters that are legal in modern base64 are "/", "+" and "=" (which is only used for padding).

Of those, "+" is the only one that has special meaning as an escaped representation in URLs. While the other two have special meaning in URLs (path delimiter and query string separator), they shouldn't pose a problem.

So I think you should be OK.

Upvotes: 14

Jason Bunting
Jason Bunting

Reputation: 58961

Can't you just assume a space is a + and replace it?

Request.QueryString["VLTrap"].Replace(" ", "+");

;)

Upvotes: 0

Alexander
Alexander

Reputation: 9370

As a quick hack you could replace space with plus character before base64-decoding.

Upvotes: 1

henriksen
henriksen

Reputation: 1147

System.Web.HttpUtility.UrlEncode(yourString) will do the trick.

Upvotes: 1

Troels Thomsen
Troels Thomsen

Reputation: 11627

You could manually replace the value (argument.Replace(' ', '+')) or consult the HttpRequest.ServerVariables["QUERY_STRING"] (even better the HttpRequest.Url.Query) and parse it yourself.

You should however try to solve the problem where the URL is given; a plus sign needs to get encoded as "%2B" in the URL because a plus otherwise represents a space.

If you don't control the inbound URLs, the first option would be preferred as you avoid the most errors this way.

Upvotes: 11

AviD
AviD

Reputation: 13112

Well, obviously you should have the Base64 string URLEncoded before sending it to the server.
If you cannot accomplish that, I would suggest simply replacing any embedded spaces back to +; since b64 strings are not suposed to have spaces, its a legitimate tactic...

Upvotes: 1

Ryan White
Ryan White

Reputation: 1917

I am by no means a C# developer but it looks like you need to url ENCODE your Base64 string before sending it as a url.

Upvotes: 0

Nir
Nir

Reputation: 29614

If you URLEncode the string before adding it to the URL you will not have any of those problems (the automatic URLDecode will return it to the original state).

Upvotes: 1

Related Questions