[wp-trac] [WordPress Trac] #32462: Percent character using at Postname have a problem with IIS
WordPress Trac
noreply at wordpress.org
Tue Jul 14 08:13:28 UTC 2015
#32462: Percent character using at Postname have a problem with IIS
-------------------------------+------------------------------
Reporter: by rallier | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Posts, Post Types | Version: 4.2.1
Severity: normal | Resolution:
Keywords: | Focuses:
-------------------------------+------------------------------
Comment (by JanR):
Note: through this comment I'm trying to provide some more insights in
this, on the web server level. The story below is tested on WordPress
trunk (4.3-beta2-33249).
A first thought: IIS is a little whacky in what characters it allows in
URL's. This is set through the [https://msdn.microsoft.com/en-
us/library/system.web.configuration.httpruntimesection.requestpathinvalidcharacters(v=vs.110).aspx
HttpRuntimeSection.RequestPathInvalidCharacters] property. The default set
of invalid charachters is: `<,>,*,%,&,:,\\` and this behaviour can be
overwritten in the web.config file, in the `httpRuntime` node of
`system.web`, e.g:
`<httpRuntime requestPathInvalidCharacters=""/>` (allowing all characters)
`<httpRuntime requestPathInvalidCharacters="<,>,*,%,:,\,?"/>` (keeping the
default, but allowing %)
There are some caveats on allowing all characters though... And
unfortunately, this won't fix this particular Post Slug problem in
WordPress just yet.
Witnessed behavior after my first thought:
A post with the percent sign as '''first character''' (`%100 work` from
the previous example) creates the Slug `/0-work/`. Copy pasting that slug
(''Edit'' in the Permalink) into a text editor like Notepad++ shows a
[https://en.wikipedia.org/wiki/Control_character DLE control character]
where the `%10` was supposed to be.
So, in my opinion this is urlencoding gone bad and not an IIS error; ASCII
character 10hex (or 16 decimal) is the DLE character. This is discussed in
#25021.
Some more investigation because we want to get further:
After publishing, the slug `/0-work/` is redirected to
`http://example.com/%100-work/`. On its turn, IIS returns a HTTP 400
'''"Bad Request - Invalid URL"''', even with
`requestPathInvalidCharacters` emptied in web.config. Probably due to the
control character, of which we already established is there.
This is can some what be fixed by allowing ''double escaping'' in IIS
[http://www.iis.net/configreference/system.webserver/security/requestfiltering
Request Filtering] module, ''if'' we urlencode % to %25. The URL
http://example.com/%25100-work/ ''does work''. For this, set
`<requestFiltering allowDoubleEscaping="true" />` in the `security` node
of `system.webServer`:
{{{
<security>
<requestFiltering allowDoubleEscaping="true" />
</security>
}}}
Some examples:
* error: http://example.com/%100-work/
* works: http://example.com/%25100-work/
Putting the % sign ''after'' 100 works, and gets filtered out. There is no
difference in:
* http://example.com/100%25-work/
* http://example.com/100-work/
but http://example.com/100%-work/ fails as well, as a `%` somewhere around
numbers creating other control characters will too.
Apologies for the long story.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32462#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list