#1 2014-05-05 13:29:32

mingda
Member
Registered: 2013-01-04
Posts: 121

url Signature

a url string:ShipAgent/ShipSpecification?select=*&where=name like :('%OCEAN QUEEN%'):
use a web front Signature, after Signature, url string is:
/ShipAgent/ShipSpecification?select=*&where=name like :('%OCEAN QUEEN%'):&session_signature=016BDD8E00CC6F32C5FB36E1,
then use javascript function encodeURI encode to:
/ShipAgent/ShipSpecification?select=*&where=name%20like%20:('%25OCEAN%20QUEEN%25'):&session_signature=016BDD8E00CC6F32C5FB36E1, 

a get request send to the server, in TAuthSession.IsValidURL, the Ctxt.Call^.url is:
'ShipAgent/ShipSpecification?select=*&where=name%20like%20:(%27%25OCEAN%20QUEEN%25%27):&session_signature=016BDD8E00CC6F32C5FB36E1', here Signature is computer according the encode 
value, then (crc32(crc32(fPrivateSaltHash,PTimeStamp,8),pointer(Ctxt.Call^.url),aURLlength) = aSignature) judge
will be false, then client return 403 forbidden error, is here need first decode, then check, or else i need adjust, any help is very appreciate!

Offline

#2 2014-05-05 16:01:15

moctes
Member
From: Mexico
Registered: 2013-05-11
Posts: 129

Re: url Signature

I am also interested on the answer to this question.

Anyone?

Offline

#3 2014-05-05 17:13:55

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: url Signature

Your URI are weird.
I suppose the client do always encode the URI, when sending to the server - any browser is doing this.

Offline

#4 2014-05-05 17:49:47

moctes
Member
From: Mexico
Registered: 2013-05-11
Posts: 129

Re: url Signature

Nevermind, I thought this problem was related to one of mine but the URL on the GET call I was doing was wrong hence I was receiving an error.

Offline

#5 2014-05-06 00:56:14

mingda
Member
Registered: 2013-01-04
Posts: 121

Re: url Signature

ab wrote:

Your URI are weird.
I suppose the client do always encode the URI, when sending to the server - any browser is doing this.

Yes encode is after the url Signature, the original url just is string:

"ShipAgent/ShipSpecification?select=*&where=name like :('%OCEAN QUEEN%'):"

after Signature, the url is

ShipAgent/ShipSpecification?select=*&where=name like :('%OCEAN QUEEN%'):&session_signature=016BDD8E00CC6F32C5FB36E1

then after encode, the url is

ShipAgent/ShipSpecification?select=*&where=name%20like%20:('%25OCEAN%20QUEEN%25'):&session_signature=016BDD8E00CC6F32C5FB36E1

I found the problem, since Signature is before the encode uri, so client computer is base the original string, but server get the encode url, in TAuthSession.IsValidURL call, the Ctxt.Call^.url content is not decode, is this:

ShipAgent/ShipSpecification?select=*&where=name%20like%20:(%27%25OCEAN%20QUEEN%25%27):&session_signature=016BDD8E00CC6F32C5FB36E1

here has another escape, the ' is escape to %27, server Signature is compare by this:

(crc32(crc32(fPrivateSaltHash,PTimeStamp,8),pointer(Ctxt.Call^.url),aURLlength) = aSignature)

so server Signature is computer by the encode url content, of course will not pass auth,

if I change the url to:""ShipAgent/ShipSpecification?select=*", because original and encode url is the same, so will pass auth, PS use the deault auth schema, ShipAgent is the root name, ShipSpecification is TSQLShipSpecification(inherited TSQLRecord), thanks!

Last edited by mingda (2014-05-06 00:59:52)

Offline

#6 2014-05-06 02:55:44

mingda
Member
Registered: 2013-01-04
Posts: 121

Re: url Signature

After further debug, in THttpApiServer

procedure THttpApiServer.Execute;

        Context.fURL := Req^.pRawUrl;  //change to ==> Context.fURL := UrlDecode(Req^.pRawUrl); 

//since there has sock server, in THttpServer
procedure THttpServer.Process(ClientSock: THttpServerSocket; aCallingThread: TNotifiedThread);

    with ClientSock do begin
      //here set parameter Together, need also adjustment
      Context.Prepare(URL,Method,HeaderGetText,Content,ContentType);

if add this decode to url, after this will pass auth,
but there is problem in function UrlDecodeNextValue

procedure TSQLRestServerURIContext.ExecuteORMGet;
...
//here Parameters is the decode value such this: 'select=*&where=name like :('%OCEAN QUEEN%'):&session_signature=00588A9D00CF4CE662476C36'

            repeat
              UrlDecodeValue(Parameters,Sort,SQLSort);
              UrlDecodeValue(Parameters,Dir,SQLDir);
              UrlDecodeInteger(Parameters,StartIndex,SQLStartIndex);
              UrlDecodeInteger(Parameters,Results,SQLResults);
              UrlDecodeValue(Parameters,Select,SQLSelect);
              if NonStandardSQLSelectParameter and (SQLSelect='') then
                UrlDecodeValue(Parameters,PAGINGPARAMETERS_YAHOO.Select,SQLSelect);
              if NonStandardSQLWhereParameter and (SQLWhere='') then
                UrlDecodeValue(Parameters,PAGINGPARAMETERS_YAHOO.Where,SQLWhere);
              UrlDecodeValue(Parameters,Server.URIPagingParameters.Where,SQLWhere,@Parameters);
            until Parameters=nil;
...

since value has decode, in function UrlDecodeNextValue, '%', '+' should be normal content, don't need escape,

function UrlDecodeNextValue(U: PUTF8Char; out Value: RawUTF8): PUTF8Char;
var Beg, V: PUTF8Char;
    len, i: PtrInt;
begin
  while not(U^ in [#0,'&']) do begin
    if U^='%' then
      if (U[1]=#0) or (U[2]=#0) then // avoid buffer overflow
        break else
        inc(U,3) else
      inc(U);
    inc(len);
  end;
...
    if U^='%' then begin
      V^ := AnsiChar(ConvertHexToBin[ord(U[1])] shl 4+ConvertHexToBin[ord(U[2])]);
      inc(V);
      inc(U,3);
    end else begin
      if U^='+' then
        V^ := ' ' else
        V^ := U^;
      inc(V);
      inc(U);
    end;
  result := U;
end;

Ab, you are an expert, sorry my poor english, hope you can understand my meaning, thanks!

Last edited by mingda (2014-05-06 02:57:33)

Offline

#7 2014-05-06 07:42:35

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: url Signature

Why on earth would you decode the URI at THttpApiServer level?
IMHO this is not the right place to do it.
This is up to the HTTP consumer service to decode the URI.

Offline

#8 2014-05-06 08:29:16

mingda
Member
Registered: 2013-01-04
Posts: 121

Re: url Signature

ab wrote:

Why on earth would you decode the URI at THttpApiServer level?
IMHO this is not the right place to do it.
This is up to the HTTP consumer service to decode the URI.

Sorry, I not follow this, when we Signature some url string, after encode, send to server, the server will response a 403 forbidden error, so any url has url escape char will not pass the default Auth, this is the reason.

For method service or interface service, I think if pass the decode url will better, we pass bababa url to server, then we get bababa url, not every service need implement decode, then get the original content, but current, I needn't do this, since mORMot has already make this parameter convert transparent, this is why interface service better than method service, thanks!

Offline

Board footer

Powered by FluxBB