I am trying to build an ASP.NET MVC application, which will use Thumbor as a photo resizing backend, but have been running into problems with the security. Thumbor uses a SHA1 HMAC hash as a security system, which is based on the URL. So, the URL may look like:
http://thumbor-server/1234567890123456789012345678/300x200/smart/path/to/image.jpg
1234567890123456789012345678 being the hmac made up of a secret key and the 300...image.jpg section...
anyway, i can create the HMAC value alright, or at least i think i can, but when generating the URL, Thumbor sugests using the urlsafe_base64encode function from Python. I have tried System.Convert.ToBase64String, but thats not working, and url encoding the string does not work either. By "not working", i mean Thumbor is telling me the URL is malformed. There is not much to go by...
So, is there an equivalent? and if not, how would one go about generating a string the way it does?
I have managed to get this working, by taking the Base64 string and replacing the + char with - and the / char with a _. This seems to be the way that Python is doing its urlsafe_b64encode
Related
This is an odd (to me anyway) query string problem.
I'm using a installation tool that has web serial number validation. Basically the install passes a users email and serial number to a web page (or a controller method for MVC) and that takes the query string arguments and does magic to validate the installation.
One of the arguments is the email address passed in the query string.
I recently has a user who used ‘+’ email addressing to purchase a subscription. All worked well until he went to install the product and had to get past the validation screen.
After doing some digging I found that instead of receiving
‘joe+foo#gmail.com’
The validation code receives
‘joe foo#gmail.com’
Of course the space ruins the validation attempt as his email address is now wrong.
I've spoken with the install tool company (Advanced Installer, best install tool on the planet) and they claim (and I believe them) that the email is sent correctly.
So that leaves me at how do I get the asp.net mvc querystring parser do to the right thing for that particular argument and pass the string with the '+' to the contoller method ?
It's asp.net mvc 5 if it matters.
Thanks for any help you can spare.
UPDATE
The problem is with the sending, not the reception. the plus sign ends up unencoded so it translate to a space= when it get handled by the query string parser.
So what I am looking for is a way to customize the query string parser for that particular URL (and only that URL).
The shortcut to a fix is to replace spaces with a plus sign in the email arg. Simple, but I hate that kind of hackery in my code I;d prefer to have it use a customized parser to that if I need it else where I can just plug it in any way it goes.
You can customize just about everything else in asp.net mvc so I was wondering if there was a way to do the query string pasring in some custom fashion.
Assuming you are calling the URL from javascript, instead of doing this:
url += "?email=" + email;
Encode the value like this:
url += "?email=" + encodeURIComponent(email);
If you are calling the URL from the server, then:
string encodedEmail = Server.UrlEncode(email);
UPDATE
If you can't change where the URL is getting called, then you don't have any other option than:
HttpUtility.UrlEncode(Request.QueryString["email"]);
or:
email = email.Replace(' ', '+');
It looks like I'm going to have to go with my hack solution of swapping space for a plus sign in that particular query string parameter. Not the ideal solution in my way of thinking, but it will do the trick.
An array contains an email. This e-mail looks at the moment like:
testmail%40mail.de
I'm searching for an methode to get this e-mail to readable format for humans. I know everybody would be able to identify '%40' after some time, but I would need to get for example in this case 'testmail#mail.de'
I found the solution to use "System.Net.WebUtility.HtmlDecode()". I use .Net4.0 but there was no readable output using the methode above (output was the same one). I hope to get an easy way to solve this.
The email address is URL encoded therefore you are required to URL decode it.
.NET has the following utilities available for you to do this:
HttpServerUtility.UrlDecode(string) or HttpUtility.UrlDecode(string)
I'm designing a Windows Phone 8 app where I need to save certain credentials and message backups as a Parse object. So, while I'm taking data from the user end I want to preserve privacy of the clients. So, why not encrypt it. But then again I need to decrypt it back on client side. Say, there's a message "I'll be late". So, I want it to be encrypted to say "###%&**))^^^__673asdh" and saved in backend which makes absolute no sense to me. Again this encrypted message is read back to the front end client as and when required as the original message that he stored. Please suggest a good library. is AES a good option? Sorry for the question. I'm basically a noob in cryptography! Thanks.
If you are noob in cryptography - do not use encrytion/decryption primitives. Encryption/decryption method is only a part where proper use of the method is very important too. Try to find some crypto library that will do the work for you. At start you can read about Crypto++ library and BounceCastle, inspect the exmaples in this libraries.
I'm trying to find a way to mimic the behavior of stringByAddingPercentEscapesUsingEncoding:NSUTF8StringEncoding from the iPhone, using C# (for Windows Phone).
I don't know anything about iPhone programming, and a web search for that doesn't seem to provide any document pages that might explain what it actually does to help me figure out how to mimic it. I mean, I can see that it "percent escapes" a string using an encoding, but I can't find any examples of what it does to confirm that the output I would be getting is correct. Is it just a simple URL Encode?
I'm not pretty sure if I understood your question, but HttpUtility.UrlEncode might be what you're looking for. At MSDN you'll find it's definition and examples.
Update: this is the official doc from Apple, regarding the iOS method you mentioned.
try this for urls
var uri = new Uri (url);
var nsurl = new NSUrl (uri.GetComponents (UriComponents.HttpRequestUrl, UriFormat.UriEscaped));
UIApplication.SharedApplication.OpenUrl (nsurl);
Though this question is very old, but for those still looking for an answer: HttpUtility.UrlPathEncode is the C# equivalent of stringByAddingPercentEscapesUsingEncoding:NSUTF8StringEncoding] in Objective C. This is what one should use while composing email etc. in mobile apps / iOS / iPhone app (Xamarin). The difference between HttpUtility.UrlEncode and HttpUtility.UrlPathEncode is -
The UrlEncode method converts each space character to a plus character (+). The UrlPathEncode method converts each space character into the string "%20", which represents a space in hexadecimal notation. Use the UrlPathEncode method when you encode the path portion of a URL in order to guarantee a consistent decoded URL, regardless of which platform or browser performs the decoding.
Also, though the MSDN docs recommend to use UrlEncode instead of UrlPathEncode, only latter is what will work in the referenced scenario.
[Update] Doesn't work same in Android (Xamarin), if you have encoded strings, you'd need to decode them back using HttpUtility.UrlDecode.
I am trying to knock up a quick DOS based app in C# to assist me with some tedius tasks I have to perform on websites every so often. One of the pages I need to access requires you to be logged in to view the source. This shouldn't really be a problem, I have a valid username and password. I found this question here:
Login to website, via C#
which tells me how I can send a POST request to a specific URL and retrieve a cookie from the header for future use with any page that requires me to be logged in.
This would work nicely if it wasn't for the fact that the POST form on the login page is a little more complicated than just a "username" and "password" field. Looking at the form it has an "OnSubmit" call to a javascript function, which takes the username and password and encrypts them into some kind of hash (maybe md5 plus a little extra bits and bobs) then saves them in further hidden fields in the login form.
I was thinking it is probably possible to run the javascript function from C# somehow? If I could maybe retrieve the HTML file (with included JS) and then run that JS function from with C# and then retrieve the cookie from the POST request the JS effectively sends. A further complication may lie in the fact that I am not sure if the JS function is stored locally or is linked in via a tag.
The site sounds like it's doing something nice, e.g. hashing your password instead of sending it in clear text.
I'd say you have three basic options. You could simply use a WebBrowser control instead of using HttpWebRequest and let the site work the way it's supposed to. Your code can just fill the the form and click the submit button.
You could try to run the javascript in your application, though the tools seem either obsolete or iffy. Search SO for discussions about this in the past, e.g. this one.
If this is really worth it to you, you can duplicate the functionality of the javascript in C#, and do all the work yourself, just populating the final fields before posting. Converting algorithmic procedures like a hash function is probably not very difficult. Most likely it's a standard SHA algorithm which is already part of .NET anyway. You would potentially have problems in the future if things change on the site, of course.
Unless you really need a super-clean solution, I'd just use a WebBrowser control and let the site do its thing.