__VIEWSTATE encoding

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

__VIEWSTATE encoding

Andre Kirchner

I was tapping my browser POST messages to a calendar, and noticed that the first message has an uncoded __VIEWSTATE, while the next messages seem to have it encoded (See bellow). How can a web server know that if a message has its __VIEWSTATE encoded or not? Because I didn't find anything in the headers about it. Would it be that a encoded message starts with "%2F", and an uncoded one not? Is there a RFC about it, if so which one?

Thanks,

Andre


*** FIRST MESSAGE ***

POST /HelpDesk/Default.aspx HTTP/1.1
Host: 192.168.35.21
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.11) Gecko/20071128 Iceweasel/2.0.0.11 (Debian-2.0.0.11-1)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.35.21/HelpDesk/
Content-Length: 12407
Pragma: no-cache
Cache-Control: no-cache

__EVENTTARGET=RadCalendar1&__EVENTARGUMENT=d&__VIEWSTATE=0000WAUHA5F1L&RadMenu1=&RadToolbar1_Hidden=Horizontal%23new%2C1%2C0%2C0%23Send%2C1%2C0%2C0%23Save%2C1%2C0%2C0&RadToolbar1$Radtoolbartemplatebutton1$ctl00$RadCombobox_Input=&RadToolbar1$Radtoolbartemplatebutton1$ctl00$RadCombobox_text=&RadToolbar1$Radtoolbartemplatebutton1$ctl00$RadCombobox_value=&RadToolbar1$Radtoolbartemplatebutton1$ctl00$RadCombobox_index=-1&RadToolbar1$Radtoolbartemplatebutton1$ctl00$RadCombobox_clientWidth=203px&RadToolbar1$Radtoolbartemplatebutton1$ctl00$RadCombobox_clientHeight=22px&RadTreeView1_expanded=10000000000000000000000000000000000000000000000000000000000000000000&RadTreeView1_checked=00000000000000000000000000000000000000000000000000000000000000000000&RadTreeView1_selected=01000000000000000000000000000000000000000000000000000000000000000000&RadTreeView1_scroll=0&RadTreeView1_viewstate=0&RadPaneTV=%7B%22originalWidth%22%3A%22263px%22%2C%22originalHeight%22%3A%22%22%2
C%22width%22%3A263%2C%22height%22%3A525%2C%22collapsed%22%3Afalse%2C%22collapsedDirection%22%3A1%2C%22scrollLeft%22%3A0%2C%22scrollTop%22%3A0%2C%22expandedSize%22%3A0%2C%22contentUrl%22%3A%22%22%2C%22minWidth%22%3A20%2C%22maxWidth%22%3A2147483647%2C%22minHeight%22%3A20%2C%22maxHeight%22%3A2147483647%2C%22locked%22%3Afalse%7D&RadCalendar1_SD=%5B%5B2006%2

*** SECOND MESSAGE ***

POST /HelpDesk/Default.aspx HTTP/1.1
Host: 192.168.35.21
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.11) Gecko/20071128 Iceweasel/2.0.0.11 (Debian-2.0.0.11-1)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.35.21/HelpDesk/
Content-Length: 33015
Pragma: no-cache
Cache-Control: no-cache

__EVENTTARGET=RadCalendar1&__EVENTARGUMENT=d&__VIEWSTATE=%2FwEPDwUJMjM0ODU1MzMxD2QWAgIDD2QWCmYPFCsAAw8WAh4ERmxvdwspbVRlbGVyaWsuV2ViQ29udHJvbHMuSXRlbUZsb3csIFJhZE1lbnUuTmV0MiwgVmVyc2lvbj00LjMuMi4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWJiZTU5YThhZDM1MzNlNjgBZBQrAAQUKwACDxYEHgRUZXh0BQRGaWxlHgVWYWx1ZQUERmlsZWQUKwAJFCsAAg8WBh8BBQNOZXcfAgUDTmV3HghJbWFnZVVybAUOSW1nLzExb3Blbi5naWZkZBQrAAIPFgYfAQUGRXhwb3J0HwIFBkV4cG9ydB8DBQ5JbWcvc3BhY2VyLmdpZmRkFCsAAg8WBh8BBQZJbXBvcnQfAgUGSW1wb3J0HwMFDkltZy9zcGFjZXIuZ2lmZGQUKwACDxYGHwEFB0FyY2hpdmUfAgUHQXJjaGl2ZR8DBQ5JbWcvc3BhY2VyLmdpZmRkFCsAAg8WBB8DBRFJbWcvc2VwYXJhdG9yLmdpZh4LSXNTZXBhcmF0b3JnFgQeCkltYWdlV2lkdGgFAzE3MB4LSW1hZ2VIZWlnaHQFATFkFCsAAg8WBh8BBQVQcmludB8CBQVQcmludB8DBQ9JbWcvMTJwcmludC5naWZkZBQrAAIPFgQfAwURSW1nL3NlcGFyYXRvci5naWYfBGcWBB8FBQMxNzAfBgUBMWQUKwACDxYGHwEFDFdvcmsgT2ZmbGluZR8CBQtXb3JrT2ZmbGluZR8DBQ5JbWcvc3BhY2VyLmdpZmRkFCsAAg8WBh8BBQRFeGl0HwIFBEV4aXQfAwUOSW1nL3NwYWNlci5naWZkZBQrAAIPFgQfAQUERWRpdB8CBQhFZGl0
TWVudWQUKwAMFCsAAg8WBh8BBQRVbmRvHwIFBFVuZG8fAwUOSW1nLzIxdW5kby5naWZkZBQrAAIPFgYfAQUEUmVkbx8CBQRSZWRvHwMFDkltZy8yMnJlZG8uZ2lmZGQUKwACDxYEHwMFEUltZy9zZXBhcmF0b3IuZ2lmHwRnFgQfBQUDMTcwHwYFATFkFCsAAg8WBh8BBQNDdXQfAgUDQ3V0HwMFDUltZy8yM2N1dC5naWZkZBQrAAIPFgYfAQUEQ29weR8CBQRDb3B5HwMFDkltZy8yNGNvcHkuZ2lmZGQUKwACDxYGHwEFBVBhc3RlHwIFBVBhc3RlHwMFD0ltZy8yNXBhc3RlLmd





      ____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

Reply | Threaded
Open this post in threaded view
|

Re: __VIEWSTATE encoding

Ian Clelland
Andre,

These are the relevant bits of POST data from your original message:

1st sample:
> __VIEWSTATE=0000WAUHA5F1L

2nd sample:
> __VIEWSTATE=%2FwEPDwUJMjM0ODU1MzMxD2QWAgIDD2QWCm  ... [continues for much longer]

BOTH of these are encoded, according to the content-type:
> Content-Type: application/x-www-form-urlencoded

In the first example, there are no characters which need to be escaped, so the encoded value is the same as the unencoded value. In the second example, at least the first character was escaped -- %2F is the encoding of a slash ("/") character.

If you want a standard to read, try section 2.3 of RFC 3875 (CGI 1.1), or section 2.4 of RFC 2396 (URI syntax). The issue is really about HTML forms, though, rather than HTTP. http://www.w3.org/TR/html401/interact/forms.html#h-17.13.4 has the definitive answer from the HTML side.

The short answer, though, is that the POST data should ALWAYS be encoded, and you should run whatever you receive through a urldecode function before using it.

Regards,
Ian Clelland

On Sun, Mar 23, 2008 at 8:38 PM, Andre Kirchner <[hidden email]> wrote:

I was tapping my browser POST messages to a calendar, and noticed that the first message has an uncoded __VIEWSTATE, while the next messages seem to have it encoded (See bellow). How can a web server know that if a message has its __VIEWSTATE encoded or not? Because I didn't find anything in the headers about it. Would it be that a encoded message starts with "%2F", and an uncoded one not? Is there a RFC about it, if so which one?