I have a client that Connects to Asp.net Webapi2,Using Identity & OAuth2 for Authentication.
In Authentication Process , whenever Password Field Contains '+' character.The Server Just Ignore this Character!!!(And Most Other Sign Chars Mentioned In Test below)
string data = "grant_type=password&username=" + username + "&password=" + password;
byte[] bytes = System.Text.Encoding.UTF8.GetBytes(data);
data.PostToUrl();//This Is just pseudoCode
In Server Debug:
Sent Data : password=test+1
Received Data : password=test 1
test2
Sent Data : "+_)(&^%$##!~"
Received Data :" _)("
Thanks.
What is the issue? With HTTP URL a + is equivalent to a space. In fact %20 can also be used.
When sending data in a query always use UrlEncode; as in
var q = string.Format("grant_type=password&username={0}&password={1}",
HttpUtility.UrlEncode(username),
HttpUtility.UrlEncode(password));
HttpServerUtility.UrlEncode
this will help solve the problem with special characters such as + anad #
To use it you'll need to add a reference to System.Web (Project Explorer > References > Add reference > System.Web)
Once you've done that you can use it to encode any items you wish
Related
I am trying to setup reset tokens using custom blazor page.
The token generation works just fine, using
var code = await _userManager.GeneratePasswordResetTokenAsync(user);
It generated the following code
CfDJ8HVZ73lJc0lGiTBiTdeoRRd//Zc1LM0Q4P+8t7DLaBzwlQ2DuvY2HQ5CWE/E8b3VdlZZYIelpwwrCFz579CeCcQTf+YIPli7KpPTuUpMcTHDs5pAw3XifV7x+5Y/Q6WAPdixXuHE8We9QQRxl7Hnba2vjoJ5fCZ9FMHKpkOq3mxDhgYi/gba2Vse3/R87ztVrisEguYvYQ8h5f2MAVMiCB+H0TakjKjpj2ANAD9wQ2H8
Sending it through the mail requires encoding as can bee seen at this link , giving me
var callbackUrl = _globals.AppUrl
+ "/user/reset/"
+ System.Web.HttpUtility.UrlEncode(code);
Now the mail send successfully, and the URL is successfully encoded.
However, when opening the page, I get an 404.11 error
The request filtering module is configured to deny a request that contains a double escape sequence.
Page declaration:
#page "/user/reset/{Code}"
Example URL:
https://localhost:44303/user/reset/CfDJ8HVZ73lJc0lGiTBiTdeoRRfumtSdRgb46HPXLklW0j42IyjqN8rv%2fapJG158YfIrR7dVRNRF2YxJydegd2CMlvm93FTcjkuBwnVPC3N9AtSigiy8VOqeW1nNrRth73urJ23D0V6M2c%2fzE1%2bTuFs8KbB%2fnCG5CE3UnFXG5HleeA%2fwtlyzLgbP4Zrbi5XZ4Q0w4%2b1j83J%2fXvQUqg%2fO5raSkmcO3cb1TGnDWz%2fwqxW%2fbNOe
Question
Does ASP Core Identity include characters which cannot be sent by email by default? (I'd assume the '+' character). And can we exclude then from generation? Or is there another way to manipulate the URL preventing this error. I prefer to keep double escape character filter ON, as it increases security
Edit
When encoding the entire url as follows:
var callbackUrl = _globals.AppUrl
+ "/user/reset/"
+ code;
callbackUrl = HtmlEncoder.Default.Encode(callbackUrl);
A 404 error occurs, because the code contains a '/', which does not fit my routing
var callbackUrl =
_globals.AppUrl
+ "/user/reset/"
+ code;
**callbackUrl = HtmlEncoder.Default.Encode(callbackUrl);**
**Update for this**
var callbackUrl = _globals.AppUrl
+ "/user/reset/"
+ code;
**callbackUrl = {callbackUrl};**
I'm trying to write a IMAP mail client on C#.net with TCPClient and SSL. I can get past the connection and authentication just fine but when I fetch mail from imap.google.com, it return a encrypted string that I can't read at all. Something like:
Subject: =?UTF-8?B?UmU6IDMw5pyf5a6f57+S55Sf44Gu5oOF5aCx44Gr6Zai44GX44Gm?=
My FETCH commands are as below
"$ FETCH " + number + " body[header]\r\n"
"$ FETCH " + number + " body[text]\r\n"
What do I have to do to get the header and body of the mail to display correctly?
Subject: =?UTF-8?B?UmU6IDMw5pyf5a6f57+S55Sf44Gu5oOF5aCx44Gr6Zai44GX44Gm?=
This is not encrypted at all. This is simply the subject encoded using base64 according to the MIME standard, see RFC 2047. Decoding it results in Re: 30期実習生の情報に関して.
In order to deal with such encodings you need to decode it according to the MIME standard, i.e. either read the standard and implement everything yourself or search for some existing library which implements RFC 2047.
I am trying to get a value from a Encoded URL in C#. So for example, I am trying to get "customerID" from:
http://<DOMAIN>/default.aspx%3FcustomerID%3D12345%26reference%3D2222
I tried the following:
string customerID = HttpUtility.UrlDecode(Request.QueryString["customerID"]);
But it comes back NULL. What is the proper way to get this value??
Thanks
Jay
string str = " http://DOMAIN/default.aspx%3FcustomerID%3D12345%26reference%3D2222";
var url = HttpUtility.UrlDecode(str);
var parameters = HttpUtility.ParseQueryString(new Uri(url).Query);
var id = parameters["customerID"];
your application should be encoding the ? and = signs. The Request variables are setup by iis usually before the information is handed off to the application handling the request. You need to send the should encode values but not the entire url. If your url looked like,
?customerID=1234 I imagine it would work, the problem is not with your code but with how the url is being constructed.
I have an s3 bucket called foo.example.com, which is all CNAMEd correctly.
I'm switching to the latest AWS .net SDK.
I wish to generate pre signed url like:
http://foo.example.com/myfile.txt?s3_params_here
Note the vanity cname there.
I have:
string bucketName = "foo.example.com";
AmazonS3Client s3Client = new AmazonS3Client("bar", "xxx",
new AmazonS3Config
{
ServiceURL = bucketName,
CommunicationProtocol = Protocol.HTTP
});
string key = "myfile.txt";
GetPreSignedUrlRequest request = new GetPreSignedUrlRequest()
.WithBucketName(bucketName)
.WithKey(key)
.WithExpires(DateTime.Now.AddMinutes(5))
.WithProtocol(Protocol.HTTP);
string url = s3Client.GetPreSignedURL(request);
the url I get is something like:
http://foo.example.com.foo.example.com/myfile.txt?AWSAccessKeyId=bar&Expires=1331069777&Signature=234KoUUvfE1nCcs2vLj9RQUhqF8%3D
Which is clearly wrong.
I've tried a buch of different variations with ServiceURL, bucketname, etc, but nothing seems to work.
I can't find any good documentation - what is the correct way to do this?
Thanks.
Update [workaround]
I've meanwhile resolved the contradicting test results of mine, which stem from respectively unsystematic testing and URL manipulations. The following workaround does the trick for me (i.e. tested and reproducible), simply starting from your solution:
string bucketName = "foo.example.com";
// [...]
GetPreSignedUrlRequest request = new GetPreSignedUrlRequest()
.WithBucketName(bucketName)
.WithKey(key)
.WithExpires(DateTime.Now.AddMinutes(32))
.WithProtocol(Protocol.HTTP);
Now this yields the erroneous URL with a duplicate domain name, i.e. http://foo.example.com.foo.example.com/myfile.txt?[...]
The duplicate can simply be removed though, e.g.:
string url = s3Client.GetPreSignedURL(request);
// KLUDGE: remove duplicate domain name.
url = url.Replace(bucketName + "." + bucketName, bucketName);
This yields a proper working pre-signed URL for me (i.e. http://foo.example.com/myfile.txt?[...]) by working around the encountered limitation regarding the desired approach outlined below.
Justification
Manipulating the generated URL like so seems odd, but this not having an effect on the query string authentication is in line with how these signatures are created, see Query String Request Authentication Alternative, where you'll find the pseudo-grammar that illustrates the query string request authentication method:
StringToSign = HTTP-VERB + "\n" +
Content-MD5 + "\n" +
Content-Type + "\n" +
Expires + "\n" +
CanonicalizedAmzHeaders +
CanonicalizedResource;
That is, the domain name isn't used for the signature creation at all, rather only information regarding the resource itself; section Example Query String Request Authentication right below the referenced pseudo-grammar fragment illustrates this with an actual resource.
Assessment
I don't know whether there is still a misunderstanding on our part or whether this might just be a bug in the AWS SDK for .NET, see e.g. Why is my S3 pre-signed request invalid when I set a response header override that contains a “+”? for a related bug resolved via a similar workaround as well, which has meanwhile been fixed though; accordingly, this should likely be escalated to the AWS forums and/or support channels to get an appropriate answer or solution.
Good luck!
Desired answer [dysfunctional]
The S3 CNAME handling implies the bucket name already, so all you need to do is removing your bucket name from GetPreSignedUrlRequest, i.e. it should look like so:
GetPreSignedUrlRequest request = new GetPreSignedUrlRequest()
.WithKey(key)
.WithExpires(DateTime.Now.AddMinutes(5))
.WithProtocol(Protocol.HTTP);
I've tested this with a bucket of mine and it works as expected like so.
the presignedURL returns an URL object after signing the request. I have used the same and >dont have real issues, but there are some things to consider:
Ensure the object URL you are considering does not have a '//' it could easily happen if >you start the storage path starts with a "/", you would have stored the object in a path some >thing like https:///x/y/z/abc.png the key for such a resource is x/y/z/abc.png >and not /x/y/z/abc.png
If the above is ensured, then from the URL object that is returned get the query parameters >from the URL object url.getQuery() will return the query parameters which contains the >signature information, just suffix this with your original awsURL and things should work with >out any encoding issues.
Hope this helps..
Essentially you need to use url.getQuery on the returned url object rather than simply affixing it to the end of your bucket.
https://forums.aws.amazon.com/thread.jspa?threadID=70521
I am trying to validate using this parameters:
"openid.mode=check_authentication"<br>
+ "&openid.assoc_handle=" + txtAssocHandle.Text<br>
+ "&openid.response_nonce=" + HttpUtility.UrlEncode(txtNonce.Text)<br>
+ "&openid.op_endpoint=" + txtEndpoint.Text<br>
+ "&openid.sig=" + txtSignature.Text<br>
+ "&openid.signed=mode,identity,return_to";
and it returns
is_valid:false
ns:http://specs.openid.net/auth/2.0
what am I doing wrong here?
the txt fields are being filled with login response values
Your openid.signed argument needs to be exactly what the OP sent to your RP rather than this incomplete hard-coded list of 3 parameters, for one thing. All your arguments should be URL encoded as well, not just your nonce.
There is a lot more to validating an OpenID token than just sending it back to the OP using "dumb mode". What are you trying to do?
Have you considered using an OpenID library? Seriously, getting OpenID right (meaning secure, and interoperable) is a big job. Way bigger than assembling just the right query string. :)