9

There is an API endpoint in my application that accepts a string as a URL parameter that may contain a / encoded as %2f.

For example, GET http://localhost:5000/api/foo/some%2fstring

The controller action receives this parameter in its encoded state (some%2fstring), and is able to handle this as it sees fit.

However, once deployed to IIS, this breaks. IIS seems to decode the URL before passing it to Kestrel. The logs show something like this:

info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
      Request starting HTTP/1.1 GET http://example.com/api/foo/some/string application/json

Obviously, that pattern does not match the route, and the request 404s.

How can I prevent IIS from manipulating the URL before sending it to Kestrel?

Entith
  • 679
  • 3
  • 15
  • 1
    First, are you sure its IIS? Does it happen when you do that against Kestrel? If it happens on Kestrel, then you gotta wait for ASP.NET Core 2.2 (or use the 2.2 preview versions if its mission critical). See this Blog post: https://blogs.msdn.microsoft.com/webdev/2018/08/27/asp-net-core-2-2-0-preview1-endpoint-routing/, the **New round-tripping route parameter syntax** section – Tseng Oct 15 '18 at 17:22
  • 1
    And second, I'm pretty sure that its not valid HTTP RFC standard. if you really want to pass "%2f" to a route, you should escape the "%" too, which means: `%252F` or `http://localhost:5000/api/foo/some%252Fstring` – Tseng Oct 15 '18 at 17:26
  • 1
    It works as expected when doing it directly against Kestrel. The issue occurs only when hosted in IIS. Kestrel logs indicate that by the time it reaches Kestrel, the URL is already decoded. – Entith Oct 15 '18 at 17:43

0 Answers0