Using UrlDecoding OFF

Topics: User Forum
Apr 21, 2010 at 2:26 AM
Edited Apr 22, 2010 at 1:23 PM

Thanks for making IIRF and making it free.  It's proving an awesome addition to our toolbox.  

We recently ran into an issue with the following URL.  

http://www.someurl.com/scripts/cdcworkweb.go/util/dialog.r?dialog_url=../mf/matlgrade_det.r%3Fstd_obj%3D262560887.3835

After the URL is rewritten we get the dialog_url in our dynamic page and the value is 

../mf/matlgrade_det.r?std_obj

...when it should be...

../mf/matlgrade_det.r?std_obj=262560887.3835

We fixed the issue by adding the following to the iirf.ini

UrlDecoding OFF

The docs seem to suggest that you shouldn't use UrlDecoding OFF lightly.  Is this a reasonable usage, or is there another preferable approach?


Coordinator
Apr 21, 2010 at 3:45 PM

The problem with disabling URL decoding is that you open yourself up to malicious URLs.

I wouldn't say that you shouldn't turn UrlDecoding off.  The option is there because it's important to some people.  But if you turn it off, you should construct rules that deal specifically with the encoding characters.  In other words, you may want to flag and reject URLs that include arbitrary encoding, while allowing and rewriting rules that have encoding sequences that you expect.

It may be that you don't care, that there is some other piece in your server that will appropriately reject malicious URLs.  That's fine.

The point is for you to be aware.
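The following is an added illustration, not code from the thread or from the IIRF project. It models two things: why decoding the whole URL before the page parses its query string loses the tail of dialog_url in the example above (the naive "split on every '='" parser is an assumed model of the dynamic page that reproduces the reported truncation), and the kind of allow-list check the coordinator describes for running with UrlDecoding OFF: accept the percent-escapes the application expects (%3F and %3D here), flag everything else, including double-encoding (%25) and malformed escapes. The IIRF rule syntax itself is left to the IIRF docs; this only shows the policy.

```python
"""
Added example (not from the IIRF thread or project): a model of the
UrlDecoding ON/OFF behaviour seen above, plus an allow-list check over
the raw, still-encoded query string.
"""
import re
from urllib.parse import unquote

# Raw query string from the thread, kept exactly as the client sent it.
RAW_QUERY = "dialog_url=../mf/matlgrade_det.r%3Fstd_obj%3D262560887.3835"


def split_query_naive(query: str) -> dict:
    """Assumed model of the dynamic page's parser: split on '&', then on
    every '=', and keep the second token as the value. This is what makes
    a live '?'/'=' inside a value truncate it."""
    out = {}
    for pair in query.split("&"):
        parts = pair.split("=")
        if len(parts) >= 2:
            out[parts[0]] = parts[1]
    return out


def value_with_decoding_on(query: str) -> str:
    """UrlDecoding ON: the rewriter decodes the whole URL first, so %3F and
    %3D become a live '?' and '=' before the page parses the query."""
    return split_query_naive(unquote(query))["dialog_url"]


def value_with_decoding_off(query: str) -> str:
    """UrlDecoding OFF: the page parses the encoded string and decodes each
    value once, so the embedded '?' and '=' survive as part of the value."""
    return unquote(split_query_naive(query)["dialog_url"])


# Escapes this application legitimately expects inside dialog_url.
# Constructed for the example: only '?' (%3F) and '=' (%3D).
EXPECTED_ESCAPES = {"%3F", "%3D"}

# Matches a well-formed %XX escape, or a bare '%' that starts a malformed one.
PCT = re.compile(r"%[0-9A-Fa-f]{2}|%")


def check_raw_query(query: str) -> tuple:
    """Return (accept, unexpected) for a raw query string.

    accept is False when any escape outside EXPECTED_ESCAPES appears, or
    when a bare/malformed '%' is present. Because the check runs on the
    undecoded text, a double-encoded request shows up as '%25' and is
    flagged rather than silently decoded twice downstream."""
    found = PCT.findall(query)
    unexpected = [esc for esc in found if esc.upper() not in EXPECTED_ESCAPES]
    return (not unexpected, unexpected)


if __name__ == "__main__":
    print("ON :", value_with_decoding_on(RAW_QUERY))
    print("OFF:", value_with_decoding_off(RAW_QUERY))
    # Constructed requests: the legitimate one, a double-encoded one,
    # and a malformed escape.
    for q in (RAW_QUERY, "dialog_url=a%253Fb", "dialog_url=a%zz"):
        print(check_raw_query(q), q)
```

The check deliberately runs before any decoding: once a URL has been decoded, you can no longer tell which characters the client sent literally and which arrived as escapes, which is exactly the information a "reject arbitrary encoding, allow expected encoding" rule needs.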


Coordinator
Apr 21, 2010 at 3:46 PM
Edited Apr 21, 2010 at 3:47 PM

ps: Also, I'm glad you like IIRF. Thanks for letting me know.


Apr 22, 2010 at 1:24 PM

Thanks for the explanation.  I think that clarifies things well.