Content-type validation fails due to additional information being "injected"

Question

We have a third party software that expects the incoming Content-Type to be explicitly:

application/x-www-form-urlencoded

However, in our ASP script below, even though we set the request header appropriately, ASP is actually sending it as:

application/x-www-form-urlencoded; charset=utf-8

As a result, authentication fails and since it's third party, we may not be at liberty to patch it ourselves as future updates may override our modifications.

How can we explicitly force the Content-type and prevent "; charset=utf-8" from being appended?

<%
'IRISLink.cgi expects application/x-www-form-urlencoded

Dim obHTTP
obHTTP.open "POST", "https://" & DWHost & "/IRISLink.cgi", False

obHTTP.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
obHTTP.Send strPost
Set obHTTP = Nothing

'Failure - Actual Content-type received was: application/x-www-form-urlencoded; charset=utf-8
%>

You're missing the line where you initialize `obHTTP`. What kind of object are we dealing with here? `ServerXMLHTTP`? — Cheran Shunmugavel, Sep 30 '13 at 06:05

score 1 · Answer 1 · answered Sep 30 '13 at 06:47

I don't know exactly which object you're using, but based on my testing, I was only able to reproduce the behavior you're describing when I used MSXML2.ServerXMLHTTP. This typically points to the MSXML 3.0 version. One relatively straight-forward fix would be to explicitly use a different version of MSXML, for example, MSXML2.ServerXMLHTTP.6.0.

If, for whatever reason, that isn't possible, you can pass an ADODB.Stream object to the send method instead of a string. See my test script for an example of this.

Test script:

Option Explicit

Dim strPost
strPost = "Testing 1,2,3"

Dim oStream
Set oStream = CreateObject("ADODB.Stream")
oStream.Open
oStream.Type = 2 ' adTypeText
oStream.Charset = "UTF-8" ' or whatever charset the 3rd party app requires
oStream.WriteText strPost

' skip UTF-8 BOM (see http://stackoverflow.com/questions/4143524)
' If you're using a different charset, you should set Position to 0
oStream.Position = 3

Dim oHttp
Set oHttp = CreateObject("Msxml2.ServerXMLHTTP")
oHttp.open "POST", "http://example.com/", False

oHttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
oHttp.send oStream
'oHttp.send strPost
oStream.Close

score 0 · Answer 2 · answered Sep 27 '13 at 23:09

0

It appears this is a limitation of classic ASP and cannot be avoided. Porting this same code over to C# we find the Content-type is received literally as it was specified, but not with ASP.

answered Sep 27 '13 at 23:09

Matt Borja

1,509
1
17
38

Are you sure IIS isn't appending the extra content-type for Classic code? – AnonJr Oct 01 '13 at 14:46

Content-type validation fails due to additional information being "injected"

2 Answers2