Redirect to an error page

Aug 11, 2008 at 9:06 PM
I am looking for a different solution or workaround.

Instead of removing the invalid characters, I want to redirect to an error page.

How can I do that? Is that possible? What piece of the source code should be modified?

Thanks in advance!
Pablo
Coordinator
Aug 12, 2008 at 12:49 AM
Edited Aug 12, 2008 at 7:24 AM

Hi Pablo,

Changing the page to be called is not a big deal. The problem will be changing the logic to identify that there was an injection attempt.

Where you see (ISAPIClipSQLInjection.cpp):

            pExecUrlInfo->pszUrl = new char[strUrl.QueryBufferSize()+1];
            ZeroMemory(pExecUrlInfo->pszUrl, strUrl.QueryBufferSize()+1);
            CopyMemory(pExecUrlInfo->pszUrl, strUrl.QueryStr(), strUrl.QueryBufferSize());

Change it to:
            // injectionAttempt is a flag you will have to implement. Pick the target
            // first; copying strUrl unconditionally afterwards would overwrite the error page.
            const char * const ERRORPAGE = "myerrorpage.html";
            const char * pszTarget = injectionAttempt ? ERRORPAGE : strUrl.QueryStr();
            size_t cbTarget = injectionAttempt ? strlen(ERRORPAGE) : strUrl.QueryBufferSize();

            pExecUrlInfo->pszUrl = new char[cbTarget+1];
            ZeroMemory(pExecUrlInfo->pszUrl, cbTarget+1);
            CopyMemory(pExecUrlInfo->pszUrl, pszTarget, cbTarget);

Maybe this works to create your flag (SQLCleanUp.cpp):

const char * const SAFEFORMAT = "(?1redirect)(?2redirect)(?3redirect)(?4redirect)(?5redirect)(?6redirect)";

.
.
.
CSQLCleanUp::CSQLCleanUp(void)
{
    injectionAttempt = false;  
}
.
.
.

       if(!ShouldIgnoreVar(varName))
        {
            unescaped = UriDecode(varContent);
            unescaped = StripUnsafeSequences(unescaped);
            varContent = UriEncode(unescaped);
            // the marker may sit inside a longer value, so search for it rather than
            // requiring equality (assumes varContent is a std::string)
            if(varContent.find("redirect") != std::string::npos)
              injectionAttempt = true;
        }

Add injectionAttempt as boolean to the class definition.

Let me know if you need further assistance.
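A self-contained C++ sketch of the flag-and-redirect logic described in this reply, added here as an example; it is not code from the ISAPIClipSQLInjection project. UriDecode, the unsafe-sequence list and the error page path are constructed stand-ins, and the flag is derived by comparing the value before and after stripping rather than by matching a sentinel.

```cpp
#include <cctype>
#include <regex>
#include <string>

// Constructed stand-in for the filter's UriDecode(): percent-decodes one query value.
std::string UriDecode(const std::string& in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size() &&
            std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else {
            out += (in[i] == '+') ? ' ' : in[i];
        }
    }
    return out;
}
// Assumed pattern list; the project's real sequences are in SQLCleanUp.cpp, not shown here.
static const std::regex kUnsafe("'|--|;|/\\*|\\*/|xp_");
std::string StripUnsafeSequences(const std::string& decoded) {
    return std::regex_replace(decoded, kUnsafe, "");
}
// The injectionAttempt flag: set when stripping changed the decoded value at all, which
// catches any listed sequence instead of requiring the whole value to equal a sentinel.
bool IsInjectionAttempt(const std::string& varContent) {
    std::string unescaped = UriDecode(varContent);
    return StripUnsafeSequences(unescaped) != unescaped;
}
// Walks every name=value pair of a query string; true if any variable was flagged.
bool ScanQuery(const std::string& query) {
    bool attempt = false;
    for (size_t start = 0; start <= query.size();) {
        size_t end = query.find('&', start);
        if (end == std::string::npos) end = query.size();
        std::string pair = query.substr(start, end - start);
        size_t eq = pair.find('=');
        if (IsInjectionAttempt(eq == std::string::npos ? pair : pair.substr(eq + 1))) attempt = true;
        start = end + 1;
    }
    return attempt;
}
// URL handed to ExecuteUrl: the error page when flagged, else the original request. The
// branch must replace the copy of strUrl, or the unconditional copy overwrites it again.
std::string ChooseExecUrl(const std::string& originalUrl, bool injectionAttempt,
                          const std::string& errorPage = "/myerrorpage.html") {
    return injectionAttempt ? errorPage : originalUrl;
}
```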