1

I have a simple page that should display an image depending the path send it in the querystring. Im getting a 404 error code after I add the query string.

www.domain.com/ViewImage.aspx?Image=/img/image.jpg

ViewImage.aspx

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
    <table width="100%" cellpadding="0" cellspacing="0">
        <tr>
            <td align="center" valign="baseline">
                <img alt="image" id="Img2" runat="server" class="fullimage" src="" />
            </td>
        </tr>
    </table>
    </form>
</body>
</html>

ViewImage.aspx.cs

    protected void Page_Load(object sender, EventArgs e)
    {
        var src = Server.UrlDecode(this.Request.QueryString["Image"]);
        this.Img2.Src = validInput(src);
    }

    protected string validInput(string input)
    {
        var regex = "[\'<>\"]";
        if (null != input && !input.Contains("\"") && input.StartsWith("/"))
        {
                return !Regex.IsMatch(input, regex) ? AntiXssEncoder.XmlAttributeEncode(input):string.Empty;
        }
        return string.Empty;
    }

Expected result

<img alt="image" id="Img2" runat="server" class="fullimage" src="/img/image.jpg" />

Current result error 404

This is what I've tried and check:

Verified the page exist

www.domain.com/ViewImage.aspx is working fine, no src image set, but is finding the page correctly.

Verified the image exists

www.domain.com/img/image.jpg is working fine, img is displaying right.

Tried with a wrong path

www.domain.com/ViewImage.aspx?Image=/asdasdas/asdas.jpg Im not getting the 404 error and Image src is set right

Tried with only the folder and no image in the url

www.domain.com/ViewImage.aspx?Image=/img, this is not getting a 404 error, but if add the last slash I get the 404 error also.

www.domain.com/ViewImage.aspx?Image=/img/

This last url is getting a 404 error.

Notes :

  • We are using SSL in the server (https), not sure if this matters.
  • I'm thinking that probably the error can/should be fixed in the IIS configuration, not sure what or how to.

Any suggestions?

Improve this question
4
  • You're UrlDecoding what You haven't UrlEncoded Commented Oct 3, 2016 at 21:13
  • 2
    Can you try this: www.domain.com/ViewImage.aspx?Image=%2Fimg%2Fimage.jpg Commented Oct 3, 2016 at 21:16
  • Hi @sachin, thanks for your answer. I just tried, this was also the Jacob suggestion, but is not working. Commented Oct 3, 2016 at 21:34
  • There may be something unusual in your IIS config or web.config; those details could help. Commented Oct 3, 2016 at 21:46

1 Answer 1

Reset to default
2

One thing to keep in mind is that / in query string values is not supported, though perhaps some browsers may be able to figure out encoding it for you when entering it in a URL. The path should be URI-encoded (%2F instead if /). It's possible that your server configuration is such where the / is being used in some sort of path resolution that is causing the 404; if your query string wasn't malformed, you may not have that issue.

You can also simplify your code a bit. Request.QueryString automatically decodes parameters, so you don't have to do that manually:

protected void Page_Load(object sender, EventArgs e)
{
    // The query string is automatically decoded
    var src = this.Request.QueryString["Image"]; 
    this.Img2.Src = validInput(src);
}

protected string validInput(string input)
{
    var regex = "[\'<>\"]";
    if (null != input && !input.Contains("\"") && input.StartsWith("/"))
    {
        return !Regex.IsMatch(input, regex) ? AntiXssEncoder.XmlAttributeEncode(input):string.Empty;
    }
    return string.Empty;
}
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thanks for your answer, I just tried changing replacing the / with %2F but is not working, actually is weird that when I use ViewImage?Image=/asdasdas/asdasd.jpg the src in the image object is setting fine, the image is not found but have the src value. BTW, thanks for the Request.QueryString tip.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.