'+' Character being parsed

Feb 6, 2008 at 7:40 PM
Edited Feb 6, 2008 at 8:32 PM
Hi Rviana,

Nice module. I was playing around with it and I noticed that the + (PLUS - HEX 2B) character is being parsed out and being replaced with "" (empty string // null). This is a massive problem as the '+' character is often used in ASP.NET session state and thus removing it corrupts .NET websites after a post back!

I've had a look through the code but couldn't find where the '+' is being stripped out (it doesn't appear that the regex is doing it). If you could at least point me in the right direction I'll do a recompile and test it out!

Other than that, awesome work :)

Ken

Edit - futher details :

After a little more investigation it looks as if the implementation of URLDecode() is slightly faulty. Unfortunately I'm not terribly familiar with C++ and the hex2dec lookup table is hideous! I think I'll wait until someone with more C++ experience can come along and take a look at the method. In the mean time, anyone who runs ASP.NET websites or needs to have the '+' character in POST or GET data should avoid using the module for the time being until someone can fix it.
Coordinator
Feb 8, 2008 at 1:46 AM
Hi Kendle,

You are right. In order to avoid double coding I end up trimming the string (which strips "+" at the end of the string). I will review this issue and release a new version soon.

Thanks,

Rodney Viana
Feb 8, 2008 at 10:26 PM
Hi Rodney,

I've just had another test with some other characters that ASP.NET likes to place in its session state and I've found 3 more that seem to disappear: "\" "/" and "-". These seem to get stripped out near at the Urldecode stage too so I think it might be related to the issue with the "+" character.

Ken
Coordinator
Feb 10, 2008 at 12:25 AM
Edited Feb 10, 2008 at 7:44 PM
Hi Ken,

I modified the source code to work with view state for ASP.NET by ignoring the viewstate fields. The new installer is now available for download as well as the source code with the modifications.

Concerning the UrlDecode implementation I used to use Microsoft's implementation that comes with SDK but it is not so compliant with the RFP. I then found this URLDecode from CodeGuru. It is not so beautiful but it is fast and compatible with the RFP specification. I really didn't want to focus on implementing Uri Decoding from scratch as it is not the main objective of the ISAPI (the code I used was originally posted here): http://www.codeguru.com/cpp/cpp/string/conversions/article.php/c12759/). If someone wants to contribute with a better code I would be pleased to include in the project.

And again thanks for your feedback and let me know if you find any other flaw.

Thanks,

Rodney





Kendle wrote:
Hi Rodney,

I've just had another test with some other characters that ASP.NET likes to place in its session state and I've found 3 more that seem to disappear: "\" "/" and "-". These seem to get stripped out near at the Urldecode stage too so I think it might be related to the issue with the "+" character.

Ken