使用 url 编码的斜杠获取 URL [英] GETting a URL with an url-encoded slash

问题描述

我想向 http://example.com/%2F 发送 HTTP GET.我的第一个猜测是这样的:

using (WebClient webClient = new WebClient()){webClient.DownloadData(http://example.com/%2F");}

不幸的是，我可以看到线路上实际发送的是:

GET//HTTP/1.1主机:example.com连接:保持活动

所以 http://example.com/%2F 被翻译成 http://example.com// 在传输之前.

有没有办法实际发送这个 GET 请求?

OCSP 协议要求在通过 HTTP/GET 使用 OCSP 时发送 base-64 编码的 url 编码，因此有必要发送实际的 %2F 而不是/"以符合要求.

这是 OCSP 协议标准的相关部分(RFC 2560 附录 A.1.1):

<块引用>

使用GET方法的OCSP请求构造如下:

<块引用>

获取 OCSPRequest 的 DER 编码的 base-64 编码的 GET {url}/{url-encoding}

我对其他阅读方式持开放态度，但我看不出还有什么意思.

解决方案

默认情况下，Uri 类将不允许转义 / 字符 (%2f) 在 URI 中(尽管在我阅读 RFC 3986 时这似乎是合法的)).

Uri uri = new Uri("http://example.com/%2F");Console.WriteLine(uri.AbsoluteUri);//打印:http://example.com//

(注意:不要使用 Uri.ToString 来打印 URI.)

根据 此问题的错误报告 在 Microsoft Connect 上，此行为是设计使然，但您可以通过将以下内容添加到您的 app.config 或 web.config 文件来解决此问题:>

<方案设置><添加名称=http"genericUriParserOptions=DontUnescapePathDotsAndSlashes"/></schemeSettings></uri>

(转自 https://stackoverflow.com/a/10415482 因为这是官方"避免这个 bug 没有使用反射来修改私有字段.)

Connect 错误报告不再可见，但 的文档建议使用这种方法来允许在 URI 中使用转义的 / 字符.请注意(根据那篇文章)，无法正确处理转义斜杠的组件可能存在安全隐患.

I want to send a HTTP GET to http://example.com/%2F. My first guess would be something like this:

using (WebClient webClient = new WebClient())
{
  webClient.DownloadData("http://example.com/%2F");
}

Unfortunately, I can see that what is actually sent on the wire is:

GET // HTTP/1.1
Host: example.com
Connection: Keep-Alive

So http://example.com/%2F gets translated into http://example.com// before transmitting it.

Is there a way to actually send this GET-request?

The OCSP-protocol mandates sending the url-encoding of a base-64-encoding when using OCSP over HTTP/GET, so it is necessary to send an actual %2F rather than an '/' to be compliant.

EDIT:

Here is the relevant part of the OCSP protocol standard (RFC 2560 Appendix A.1.1):

An OCSP request using the GET method is constructed as follows:

GET {url}/{url-encoding of base-64 encoding of the DER encoding of the OCSPRequest}

I am very open to other readings of this, but I cannot see what else could be meant.

解决方案

By default, the Uri class will not allow an escaped / character (%2f) in a URI (even though this appears to be legal in my reading of RFC 3986).

Uri uri = new Uri("http://example.com/%2F");
Console.WriteLine(uri.AbsoluteUri); // prints: http://example.com//

(Note: don't use Uri.ToString to print URIs.)

According to the bug report for this issue on Microsoft Connect, this behaviour is by design, but you can work around it by adding the following to your app.config or web.config file:

<uri>
  <schemeSettings>
    <add name="http" genericUriParserOptions="DontUnescapePathDotsAndSlashes" />
  </schemeSettings>
</uri>

(Reposted from https://stackoverflow.com/a/10415482 because this is the "official" way to avoid this bug without using reflection to modify private fields.)

Edit: The Connect bug report is no longer visible, but the documentation for <schemeSettings> recommends this approach to allow escaped / characters in URIs. Note (as per that article) that there may be security implications for components that don't handle escaped slashes correctly.

这篇关于使用 url 编码的斜杠获取 URL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！