URI segments, dots, REST, and a .NET bug
DZone's Guide to
URI segments, dots, REST, and a .NET bug
Join the DZone community and get the full member experience.
Join For Free
These days I learned about a bug in the System.Uri() class that would strip leading dots from URI segments. See an example:
http://host/test.../abc
becomes
http://host/test/abc
That happens if your client or your server is .NET. If your client believes you support the URL RFC correctly, it may send the request with trailing dots, and when it gets to your code, these dots are gone.
The consequence is that, because of that, your .NET REST service should not allow dots. At least trailing dots. However, allowing dots everywhere but at the end is not desirable and quite possibly you will forbid dots altogether.
http://host/test.../abc
becomes
http://host/test/abc
That happens if your client or your server is .NET. If your client believes you support the URL RFC correctly, it may send the request with trailing dots, and when it gets to your code, these dots are gone.
The
implication is that, if this URI segment is actually a resource name,
you may be in trouble. Let me show you a concrete example:
- Resource is created by posting to URL: http://host/addresses. At this point, the resource name is passed in the payload and your service will correctly accept these trailing dots. For example, let's say we create an address named "home." So far, so good.
- User tries to perform a REST operation on this resource. It could be something as simple as a GET on http://host/addresses/home. (dot included)
- In the case you have a .NET client, the request will go out as http://host/addresses/home (no dot). Of course your server will return the wrong data or an error (like 404 - not found)
- In case you have a non-.NET client, the request will go out correctly, but if your server is .NET-based, then you may have an issue. For instance, a WCF REST service will have this resource name parsed as "home" (no dots), which will also return the wrong data or an error.
The consequence is that, because of that, your .NET REST service should not allow dots. At least trailing dots. However, allowing dots everywhere but at the end is not desirable and quite possibly you will forbid dots altogether.
There's
a workaround for this issue if you control both client and server code.
However, in case your customers are generating client proxies, then
you must document what they need to do.
Source: http://blog.sacaluta.com/2011/11/uri-segments-dots-rest-and-net-bug.html
MethodInfo getSyntax = typeof(UriParser).GetMethod("GetSyntax", System.Reflection.BindingFlags.Static | System.Reflection.BindingFlags.NonPublic);
FieldInfo flagsField = typeof(UriParser).GetField("m_Flags", System.Reflection.BindingFlags.Instance | System.Reflection.BindingFlags.NonPublic);
if (getSyntax != null && flagsField != null)
{
foreach (string scheme in new[] { "http", "https" })
{
UriParser parser = (UriParser)getSyntax.Invoke(null, new object[] { scheme });
if (parser != null)
{
int flagsValue = (int)flagsField.GetValue(parser);
// Clear the CanonicalizeAsFilePath attribute
if ((flagsValue & 0x1000000) != 0)
flagsField.SetValue(parser, flagsValue & ~0x1000000);
}
}
}The code above clears a flag that is set to canonicalize an URL as a
file path. Yes, all URLs are thought to be Windows file locations.
Unfortunately this bug is known since 2008, but has never made into a .NET release. It is marked as fixed, but as of .NET 4 we are still waiting for the fix to be released.
Here you can find more details about this issue:
Unfortunately this bug is known since 2008, but has never made into a .NET release. It is marked as fixed, but as of .NET 4 we are still waiting for the fix to be released.
Here you can find more details about this issue:
Source: http://blog.sacaluta.com/2011/11/uri-segments-dots-rest-and-net-bug.html
Like This Article? Read More From DZone
Topics:
Opinions expressed by DZone contributors are their own.
{{ parent.title || parent.header.title}}
{{ parent.tldr }}
{{ parent.linkDescription }}
{{ parent.urlSource.name }}