I'm trying to delete blobs in an mvc 3 application that uses azure storage.
I'm trying to pass the Uri of the blob which will be deleted to the controller, however an error is thrown:
A potentially dangerous Request.Path value was detected from the client (:)
I think this is from the https: part of the Uri and I need to parse it out, however I'm not sure how to do that. I'm wondering how to fix this error.
Is there a more graceful way to delete a blob from storage?
You must properly URL encode your urls. Here's an example of a badly encoded url:
http://foo.com/controller/action?param=http://bar.com
Here's how it should look like:
http://foo.com/controller/action?param=http%3A%2F%2Fbar.com
Or maybe you are having an url of the form:
http://foo.com/controller/action/https://bar.com
which is even worse. If you want to use special characters in the Path portion of an URL you might find the following blog post useful.
If you want unsecure content to get through then you can add [ValidateInput(false)] to your action - however, this is opening up something that is there for your security - so only do this if you are sure you're code is secure - see first answer in A potentially dangerous Request.Form value was detected from the client
I was able to fix it and I want to summarize the solution, since it requires bit from the other two answers and bits mostly from the Scott Hanselman Blog post.
You need to do a few things to make this work:
Put the [ValidateInput(false)] on your action method.
Make sure your Url is properly encoded (an example is given in the above post) which is done when you use the blobVariableName.Uri.AbsoluteUri as the string to pass from your view to your controller, so you shouldn't have to do anything there.
Make your query string looks like
http://site/controller/action?blobid=http%3A%2F%2F... and NOT http://site/controller/action/http%3A%2F%2F... the latter won't work!
On a side note, since I started, our functional requirements changed and now were storing information about each blob in the database, which allows me to pass parameters other than the blob's uri, which seems like a much safer way to play it.
A great deal of the community appears to be in agreement that it is a bad idea to pass uri's and to open up your application as to allow you to do so.
Related
I have noticed that many sites have URLs that are generated and interperable. For example there is the google search one bellow:
https://www.google.com/search?q=example+search&oq=example+search&aqs=chrome..69i57j0j69i60j0l3.2087j0j1&sourceid=chrome&ie=UTF-8
This type of pattern seems consistent accross many different web services. What is the best practice for choosing urls and how could I learn more?
If I understand your question you are referring to the key value pairs separated by ampersands, right?
This is called a GET request, which is giving information to the server through the URL. The format is website.com/path/to/page?variable1=value1&variable2=value2 etc.
The question mark indicates the beginning of the key value pair section.
POST requests serve a similar purpose, but are not sent in the URL, so they can contain more data.
Try looking here: https://www.w3schools.com/tags/ref_httpmethods.asp
This format is standard, but not essential. One could make their server interpret URLs in any way they want; however, HTML forms will automatically generate this format. This page has more info, some of which is relevant to your question: https://www.w3schools.com/html/html_forms.asp.
I like that in Clojure I can read a webpage with (slurp url) the same way I read files stored on the local machine. But as soon as the URL contains a question mark followed by paramethers (https://www.google.ru/search?q=clojure) slurp returns error 400. Do I have to use another function? What is the simplest way?
I think you'll need to encode the = yourself. try this:
(slurp "https://google.ru/search?q%3Dclojure")
Also note there have been encoding issues with the underlying clojure.java.io/reader (what slurp is using under the covers) in the past so check your clojure version as well.
It is worth noting however that slurp is pretty basic and I wouldn't recommend relying on it for anything other than really basic stuff or as a convenience for working with URL's. If you need to pull information from URL's in actual code, I would suggest you look at clj-http, which is a full-featured http client library which will give you much more control than slurp.
I want to check what are ALL the possible parameters for any existing website url. Assuming the site is working with parameters type query string "architecture" (and not MVC for example) something like:
http://www.foobar.com/p1&itemsPerPage=50&size=500
Let's say there are other parameters which I don't know exist, and I don't see them in the url at the moment. For example, parameters like max, day and OtherExoticVariable. Again, I don't know their names but want to know ALL of their names. Is there some way of requesting the server to respond will all possible url parameters?
I would prefer a method with Javascript that I could run quickly through a browser but could also do asp.net c# if necessary.
Thanks a lot!
Ray.
It is the script/app running on the server that decides what parameters are valid. Unless the app provides such a query mechanism you can't do it. The server has no idea what is valid and what isn't.
Not guaranteed to get you ALL query strings, but it is often helpful to Google
"foobar.com/p1& * ".
You will be able to see all the public occurrences of query strings for the foobar.com website.
(As the accepted answer says, there is no general method to access query strings unless the website provides an API.)
I do not think this is possible. Each Web application designer can decide on the parameters individually, and you only know them if you see them being used.
You can give someone an url with get:
http://myserver.com/?var=val
But what to do with POST method ? I know that the program I put url into must support this, I do not know any browser that can (maybe with plugin possible), but is there widely accepted syntax to do it, for example I came up with this:
http://myserver.com/<var=val>
or maybe:
http://myserver.com/??var=val
http://myserver.com/?!var=val
http://myserver.com/!!var=val
http://myserver.com/!var=val
etc...
I'm writing a tool to do it , and I wonder if I must think on my own just like first guy who created e-mail and out of the air conceived # character since it was rarely used then...
The idea is that some services use post data and there is no way to send someone link to resource there. And yes I know that when there is post data that resource is not meant to be such easy passeable to people... but wait since when author of a website has to have power over what I can and can't do with his service.
You'd better introduce a separate argument for passing POST data to your tool. Mixing it together with URL would just cause confusion among your users. Remember that POST data be quite large, so you'd end up introducing features like loading POST data (or a value of an individual variable) from a file anyway.
I feel dumb for not knowing this, but I see a lot of links in web pages and instead of this:
<a href="http://foo.com/">
...they use this:
<a href="http://foo.com/?src=bar.com">
Now I understand that the ?src= is telling something that this referral is coming from bar.com, but I don't understand why this needs to be called out explicitly. Can anyone shed some light on it for me? Is this something I need to include in my program generated links?
EDIT: Ok, sorry, I'm not being clear enough. I understand the GET syntax with a question mark and parameters separated by ampersands. I'm wondering what's this special src parameter? Why would one site link to another and tack an src parameter on the end even though there's no indication that the destination site uses this normally.
For example, on this page hover your mouse over the screenshot. The link URL is http://moms4mom.com/?src=stackexchangesites
But moms4mom.com is our site. Passing the src parameter does nothing, so why include it?
There are a few reasons that the src is being used explicitly. But in general, it is easier and more reliable to trust a query string to determine referer[sic] than it is to trust the referer, since the latter is often broken, deliberately or not. On the other hand, browsers almost never break the query string in a url, since this, unlike referers, is pretty important for pages to function. Besides, a referer is often done without any deliberate action on the part of the site doing the refering, which some users dislike.
The reason (I do it) is that popular analytics tools sometimes make it easier to filter on query strings than referrers.
There is no standard to the src parameter. Each site has its own and it's usually up to the site that gets the link to define how it wants to read it (as usually it's that site that's going to pay for the click).
The second is a dynamic link, it's a URL that another language(like ASP and PHP) interpret as something to do, like in those Google URLs, but i never used this site(foo.com), then i don't much things about this parameter.
Depending on how the site processes its URL, you may or may not need to include the ?... information.
This is passed to the website, and the server can process it just like form input. Some sites require this - and build their navigation off a single page, using nothing but the "extra" stuff passed afterwards. If you're generating a link to a site like that, it will be required.
In other cases, this is just used to pass extra, unrequired info (such as advertising, tracking info, etc)... In those cases, you can leave it off.
Unfortunately, there's no way to know without trying whether you can remove the "extra" bits from the URL.
After reading some of your comments - I'll also say:
There is nothing special about the "src" field in a query string. The server is free to use it any way it wishes. Unless you know specific info about the server, you cannot assume it can be left out.
The part after the ? is the query string. Different sites use it for different things, and it is usually used for passing information to the server side code for that URL, but can also be used in javascript.
For more info see Query String