Microsoft Knowledge Base Email Alertz
All KB/RSS Links  |  Hot Kb!  |  New Kb!  |  Scott Cate  |  FAQ / KB  |  Web Hosting  |  Unsubscribe  

The differences in how the SF_REQ_NORMALIZE_URL server support function and Http.sys in Internet Information Services 6.0 normalize a URL

Search KbAlertz

Advanced Search

Receive Microsoft Knowledge Base articles by E-Mail?

Every night we scan the Microsoft Knowledge Base. If technologies you're interested in are updated, we'll send you an e-mail. You only get one e-mail a day, and only when new articles are added.
Click here to create a
FREE account
Already have an account?
[Click here to Login]











Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks
Article ID: 896287 - Last Review: December 3, 2007 - Revision: 1.3

The differences in how the SF_REQ_NORMALIZE_URL server support function and Http.sys in Internet Information Services 6.0 normalize a URL

View products that this article applies to.

On This Page

INTRODUCTION

This article describes the differences in how the SF_REQ_NORMALIZE_URL server support function and Http.sys in Microsoft Internet Information Services (IIS) 6.0 normalize a URL.

Normalization includes decoding hexadecimal codes, removing characters that are not valid, and performing some international conversions.
Back to the top

MORE INFORMATION

The SF_REQ_NORMALIZE_URL server support function can be called from an Internet Server API (ISAPI) filter to normalize a URL. The normalization performed by the SF_REQ_NORMALIZE_URL server support function appears similar to the normalization performed by Http.sys when Http.sys first receives the request.

However, there may be cases where there are differences in how the SF_REQ_NORMALIZE_URL server support function and Http.sys normalize a URL. In these cases, the custom ISAPI filter can be modified to normalize a URL in a way that meets the requirements of the custom application.
Back to the top

Case 1: Backslashes in an incoming URL

The normalization is different when an incoming URL contains backslashes. For example, the following request is received:
http://www.example.com/RootTest/SubDir\LowerDir/
Http.sys normalizes this URL as the following URL:
http://www.example.com/RootTest/SubDir/LowerDir/
Note The backslash is changed to a forward slash.

The SF_REQ_NORMALIZE_URL server support function normalizes this URL as the following URL:
http://www.example.com/RootTest/SubDir\LowerDir/
Back to the top

Case 2: Directory traversal

The normalization is different when directory traversal is used. For example, the following request is received:
http://www.example.com/RootTest/SubDir1\SubDir2/../../SubDir5/SubDir6
Http.sys normalizes this URL as the following URL:
http://www.example.com/RootTest/SubDir5/SubDir6
Note The backslash is changed to a forward slash.

The SF_REQ_NORMALIZE_URL server support function normalizes this URL as the following URL:
http://www.example.com/SubDir5/SubDir6
In both of these cases, you can avoid the problem that is caused by the differences in how the SF_REQ_NORMALIZE_URL server support function and Http.sys normalize a URL. To avoid the problem, call the GetServerVariable function instead of the GetHeader function to retrieve the URL. Then, pass the URL to the SF_REQ_NORMALIZE_URL server support function. The value of the URL that is returned by the GetServerVariable function is populated by Http.sys after Http.sys normalizes the raw URL.

For more information about ISAPI filter development, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn2.microsoft.com/en-us/library/ms525164.aspx (http://msdn2.microsoft.com/en-us/library/ms525164.aspx)
Back to the top
APPLIES TO
  • Microsoft Internet Information Services 6.0
Back to the top
Keywords: 
kbinfo kbtshoot KB896287
Back to the top
        

Community Feedback System

Very often, it takes hours to solve a problem. Very often, you've looked high and low, and have tried a lot of solutions. When you finally found it, chances are, it was because someone else helped you. Here's your chance to give back. Use our community feedback tool to let others know what worked for you and what didn't.

Please also understand that the community feedback system is not warranted to be correct, it's simply a system that we've built to let people try and help each other. If something in a feedback response doesn't make sense to you, or you're not comfortable making changes that the feedback talks about (like registry edits), please consult a professional.

Thank you for using kbAlertz.com Feedback System.

-- Scott Cate

Copyright © 2002-2007 KBALERTZ.COM.  All Rights Reserved. Terms / PrivacyDiscount ASP.NET Hosting