Microsoft KB Archive/896287

= The differences in how the SF_REQ_NORMALIZE_URL server support function and Http.sys in Internet Information Services 6.0 normalize a URL =

Article ID: 896287

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Internet Information Services 6.0

-





INTRODUCTION
This article describes the differences in how the SF_REQ_NORMALIZE_URL server support function and Http.sys in Microsoft Internet Information Services (IIS) 6.0 normalize a URL.

Normalization includes decoding hexadecimal codes, removing characters that are not valid, and performing some international conversions.



MORE INFORMATION
The SF_REQ_NORMALIZE_URL server support function can be called from an Internet Server API (ISAPI) filter to normalize a URL. The normalization performed by the SF_REQ_NORMALIZE_URL server support function appears similar to the normalization performed by Http.sys when Http.sys first receives the request.

However, there may be cases where there are differences in how the SF_REQ_NORMALIZE_URL server support function and Http.sys normalize a URL. In these cases, the custom ISAPI filter can be modified to normalize a URL in a way that meets the requirements of the custom application.

Case 1: Backslashes in an incoming URL
The normalization is different when an incoming URL contains backslashes. For example, the following request is received:

http://www.example.com/RootTest/SubDir\LowerDir/

Http.sys normalizes this URL as the following URL:

http://www.example.com/RootTest/SubDir/LowerDir/

Note The backslash is changed to a forward slash.

The SF_REQ_NORMALIZE_URL server support function normalizes this URL as the following URL:

http://www.example.com/RootTest/SubDir\LowerDir/

Case 2: Directory traversal
The normalization is different when directory traversal is used. For example, the following request is received:

http://www.example.com/RootTest/SubDir1\SubDir2/../../SubDir5/SubDir6

Http.sys normalizes this URL as the following URL:

http://www.example.com/RootTest/SubDir5/SubDir6

Note The backslash is changed to a forward slash.

The SF_REQ_NORMALIZE_URL server support function normalizes this URL as the following URL:

http://www.example.com/SubDir5/SubDir6

In both of these cases, you can avoid the problem that is caused by the differences in how the SF_REQ_NORMALIZE_URL server support function and Http.sys normalize a URL. To avoid the problem, call the GetServerVariable function instead of the GetHeader function to retrieve the URL. Then, pass the URL to the SF_REQ_NORMALIZE_URL server support function. The value of the URL that is returned by the GetServerVariable function is populated by Http.sys after Http.sys normalizes the raw URL.

For more information about ISAPI filter development, visit the following Microsoft Developer Network (MSDN) Web site:

http://msdn2.microsoft.com/en-us/library/ms525164.aspx

Keywords: kbinfo kbtshoot KB896287

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.