The differences in how the SF_REQ_NORMALIZE_URL server support function and Http.sys in Internet Information Services 6.0 normalize a URL (896287)

MORE INFORMATION

The SF_REQ_NORMALIZE_URL server support function can be called from an Internet Server API (ISAPI) filter to normalize a URL. The normalization performed by the SF_REQ_NORMALIZE_URL server support function appears similar to the normalization performed by Http.sys when Http.sys first receives the request.

However, there may be cases where there are differences in how the SF_REQ_NORMALIZE_URL server support function and Http.sys normalize a URL. In these cases, the custom ISAPI filter can be modified to normalize a URL in a way that meets the requirements of the custom application.

Case 1: Backslashes in an incoming URL

The normalization is different when an incoming URL contains backslashes. For example, the following request is received:Http.sys normalizes this URL as the following URL:Note The backslash is changed to a forward slash.

The SF_REQ_NORMALIZE_URL server support function normalizes this URL as the following URL:

Case 2: Directory traversal

The normalization is different when directory traversal is used. For example, the following request is received:Http.sys normalizes this URL as the following URL:Note The backslash is changed to a forward slash.

The SF_REQ_NORMALIZE_URL server support function normalizes this URL as the following URL:In both of these cases, you can avoid the problem that is caused by the differences in how the SF_REQ_NORMALIZE_URL server support function and Http.sys normalize a URL. To avoid the problem, call the GetServerVariable function instead of the GetHeader function to retrieve the URL. Then, pass the URL to the SF_REQ_NORMALIZE_URL server support function. The value of the URL that is returned by the GetServerVariable function is populated by Http.sys after Http.sys normalizes the raw URL.

For more information about ISAPI filter development, visit the following Microsoft Developer Network (MSDN) Web site: