
IIS rewrites my URL's


Peter Fastré

Mar 11, 2005, 8:12:13 AM

Hello

I have a Windows 2003 Server with IIS. I make a virtual directory with
the name tp_static, and try the following URL:
http://srv003/tp_static

It works, but IIS encodes it to
http://srv003/tp%5Fstatic/

This way, I run into problems using cookies & paths, and besides that,
it looks very ugly. No other webserver (Apache, IIS<6, ...) does this.

Why is this, and is it possible to disable this stupid behaviour?

Regards

Peter

Egbert Nierop (MVP for IIS)

Mar 11, 2005, 10:16:40 AM

"Peter Fastré" <peter....@belgacom.be> wrote in message
news:NOgYd.35160$Fb7.3...@phobos.telenet-ops.be...

> Hello
>
> I have a Windows 2003 Server with IIS. I make a virtual directory with
> the name tp_static, and try the following URL:
> http://srv003/tp_static
>
> It works, but IIS encodes it to
> http://srv003/tp%5Fstatic/
>
> This way, I run into problems using cookies & paths, and besides that,
> it looks very ugly. No other webserver (Apache, IIS<6, ...) does this.

This is not IIS but IE that does this.

> Why is this, and is it possible to disable this stupid behaviour?

This is not stupid. A space is a reserved character and should be encoded.
However, it is not IIS that does this but IE.

> Regards
>
> Peter

Kristofer Gafvert

Mar 11, 2005, 4:17:58 PM

Hi Peter,

No, it is not possible to disable this behavior.

IIS is encoding characters in a redirect, to prevent cross site scripting.
I cannot tell why IIS encodes the underscore character (or the hyphen
character for that matter), because I cannot see any issues with that. I
can assume that the developers of IIS were looking at RFC 1738, which says
(section 2.2):

"On the other hand, characters that are not required to be encoded
(including alphanumerics) may be encoded within the scheme-specific part
of a URL, as long as they are not being used for a reserved purpose."

The developers are following this, and maybe they wanted to be on the
secure side, and encode the character.

I do not know what problems with cookies or paths you are referring to,
but cookies are for sure not handled by IIS. Paths, maybe, depends on what
it is.

_ and %5F should be treated equally. IIS handles this, but for cookies, it
can be a problem with the client (the webbrowser), or ASP/something else,
depending on the problem, and if you are using ASP or some other scripting
technique.

In RFC 3986 (which updates RFC 1738, but was released in 2005, so the IIS
developers could not possibly have followed it when developing IIS) the
underscore character should not be encoded.

I discussed this "problem" with Olaf Lüder, another MVP, and he wrote an
ISAPI filter to work around this. Whether it fixes the cookies problem as
well, I have no idea. This is available here:

http://nogetec.de/files/courtesyredirect.zip

If you find this to be a major problem, and nobody else responds with a
better explanation, you could contact Microsoft Support. It does however
not seem to be a bug in IIS, because the behavior seems to be intentional.

--
Regards,
Kristofer Gafvert
www.gafvert.info - My Articles and help
www.ilopia.com



John Cesta

Mar 12, 2005, 7:53:28 PM

On Fri, 11 Mar 2005 13:12:13 GMT, Peter Fastré
<peter....@belgacom.be> wrote:

>Hello
>
>I have a Windows 2003 Server with IIS. I make a virtual directory with
>the name tp_static, and try the following URL:
>http://srv003/tp_static
>
>It works, but IIS encodes it to
>http://srv003/tp%5Fstatic/

It's called an encoded underscore. No web server does it. IE does it.
Really, do you think that IIS would produce such "stupid" behavior?

John Cesta

The CPU Checker - Monitors your CPU % while you sleep
LogFileManager - IIS LogFile Management Tool
WebPageChecker - Helps Maintain Server UpTime
DomainReportIt PRO - Helps Rebuild IIS
http://www.serverautomationtools.com

David Wang [Msft]

Mar 13, 2005, 3:21:03 AM

As Kristofer pointed out, the reason for the encoding is for security
against cross-site scripting attacks. Despite the fact that XSS attacks are
fundamentally a client-side problem due to bad application code on the
server, people wanted a server-side heavy-hammer solution, and here it is.

Regarding your problems with cookies, paths, etc -- it simply points out
that your code contains potential canonicalization flaws in that it treats
the same URL as potentially different. Basically, it is the reverse of the
XSS attack but from the server to the client.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
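
An added example, not part of any post in this thread: the canonicalization issue discussed above, shown as a cookie path comparison that first normalizes percent-escapes the way RFC 3986 section 6.2.2 describes (decoding only unreserved characters such as `_`). The function names and sample paths are constructed for illustration.

```python
import re

# RFC 3986 section 2.3 unreserved set: ALPHA / DIGIT / "-" / "." / "_" / "~"
UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def normalize_path(path: str) -> str:
    """RFC 3986 section 6.2.2 normalization of percent-escapes in a path.

    Escapes of unreserved characters are decoded (%5F -> _); every other
    escape stays encoded, with its hex digits upper-cased (%2f -> %2F).
    """
    def fix(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return PCT.sub(fix, path)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match, applied to normalized paths."""
    req, ck = normalize_path(request_path), normalize_path(cookie_path)
    if req == ck:
        return True
    if req.startswith(ck):
        # Only match on a path-segment boundary, never mid-segment.
        return ck.endswith("/") or req[len(ck)] == "/"
    return False


def naive_match(request_path: str, cookie_path: str) -> bool:
    """Byte-wise prefix test: treats equivalent URLs as different."""
    return request_path.startswith(cookie_path)


if __name__ == "__main__":
    # Constructed sample: cookie Path as written by the application, and
    # request paths as they might look before and after the redirect.
    cookie_path = "/tp_static"
    for req in ("/tp_static/a.css", "/tp%5Fstatic/a.css", "/tp%5fstatic/a.css",
                "/tp_static%2Fx", "/tp_staticX/a.css"):
        print(f"{req:22} naive={naive_match(req, cookie_path)!s:5} "
              f"normalized={path_match(req, cookie_path)}")
```

The escape `%2F` is deliberately left encoded: decoding a reserved character during comparison would turn data into a path separator and introduce a different canonicalization flaw.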



Kristofer Gafvert

Mar 13, 2005, 5:44:07 AM

David,

Is there any potential risk in _not_ encoding the underscore character? I
personally cannot understand why the underscore character is encoded.


--
Regards,
Kristofer Gafvert
www.gafvert.info - My Articles and help
www.ilopia.com
