Regarding special entities in filename (e.g. &)

We have a problem related to files saved in folders with & in the names. For example, for /folder/f & g/file.gif the file will give a bad request when accessed with the full URL:

http://localhost/project/folder/f & g/file.gif

What is kind of strange is that the URL is usually decoded to:

http://localhost/project/folder/f%20&%20g/file.gif

where the spaces are rewritten to %20, but the & is not rewritten to %26. Manually rewriting the URL to:

http://localhost/project/folder/f%20%26%20g/file.gif

does give the same result, with the error message: Bad Request. This is in with the VirtualPathVersioningProvider.
Oct 15, 2007 13:39
When requesting a file with a '&' in its virtual path from FileManager (through double-click or the right-click option OpenFile), the '&' will not be encoded, as you pointed out. I have reported this issue to our tracking system. However, if you use that file in page content (e.g. by inserting a file link in the editor), then the '&' will be encoded.
Oct 23, 2007 8:02

Does anyone know if this issue has been resolved?

I seem to have a similar issue with R1 SP3. Although when using the file within page content it also returns a bad request.

Just noticed it encodes the & to %26, although it still returns a bad request. When the file name doesn't contain an & it works.

May 21, 2009 4:52