[Mono-bugs] [Bug 77931][Nor] New - UrlDecode can cause exceptions on invalid input

bugzilla-daemon at bugzilla.ximian.com
Mon Mar 27 11:53:16 EST 2006

Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by rongeens7 at hotmail.com.


--- shadow/77931	2006-03-27 11:53:16.000000000 -0500
+++ shadow/77931.tmp.25966	2006-03-27 11:53:16.000000000 -0500
@@ -0,0 +1,59 @@
+Bug#: 77931
+Product: Mono: Class Libraries
+Version: 1.1
+OS Details: 
+Status: NEW   
+Priority: Normal
+Component: Sys.Web
+AssignedTo: gonzalo at ximian.com                            
+ReportedBy: rongeens7 at hotmail.com               
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+Summary: UrlDecode can cause exceptions on invalid input
+Please fill in this template when reporting a bug, unless you know what you
+are doing.
+Description of Problem:
+When passing some incorrectly encoded URL is passed to the
+System.Web.HttpUtility:UrlDecode method an exception could be thrown from
+Int32.Parse method.
+While incorrectly encoded URLs should never happen they are a reality in
+this day and age where almost all browsers have them working just fine.
+Steps to reproduce the problem:
+1. Call System.Web.HttpUtility:UrlDecode("../../&param2=%CURRREV%");
+Actual Results:
+Unhandled Exception: System.FormatException: Input string was not in the
+correct format
+in <0x00054> System.Int32:Parse (System.String s, NumberStyles style,
+IFormatProvider fp)
+in <0x0000f> System.Int32:Parse (System.String s, NumberStyles style)
+in <0x0024c> System.Web.HttpUtility:UrlDecode (System.String s,
+System.Text.Encoding e)
+Expected Results:
+No exception should be thrown I guess, otherwise it should at least be a
+specific URLEncoding exception or something like that such that it can
+explicitly be caught by the client code.
+How often does this happen? 
+Additional Information:
+The UrlDecode-method could either check for exceptions itself, or it could
+check the input more thoroughly: after a % there should be hexadecimal
+numbers and nothing else.
+The version I use is Mono C# compiler version, but I checked in
+SVN that the code has not been changed in this respect.
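
Review bot: The reproduction string in step 1, "../../&param2=%CURRREV%", contains two different malformed escapes, "%CU" (a hex digit followed by a non-hex character) and a trailing "%" with nothing after it, so any fix should be tested against both cases and not only the first one that reaches Int32.Parse. As the Additional Information section suggests, checking that two hexadecimal digits follow each "%" before parsing is preferable to catching the exception afterwards, since the trace shows the FormatException leaving System.Web.HttpUtility:UrlDecode unhandled. The report would also be easier to act on if the exact version were filled in where the text reads "Mono C# compiler version, but" and if "How often does this happen?" were answered.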
