Encrypt File Path - Invalid URL for images/files on IIS

Wolf · Post by **Wolf** » Sun Feb 11, 2024 6:15 pm

v2024
got Bad Request - Invalid URL then i try to get file in list or view page
but if i try to get existing file in edit page file is opening

OpenPanel on the local computer everything works.
After transferring to IIS, the links stop working.

Bad Request - Invalid URL
HTTP Error 400. The request URL is invalid.
if you disable "Encrypt File Path"
everything works everywhere.

debug enabled
in /log folder nothing

if the file name consists of letters (scan.pdf) of the English alphabet, then the file is opened.
if filename conains russian symbols got error "HTTP Error 400. The request URL is invalid."

arbei · Post by **arbei** » Sat Feb 24, 2024 8:39 am

Wolf wrote:

if you disable "Encrypt File Path" everything works everywhere.

That probably means the encryption/decryption does not work the same on your IIS web server.

Make sure you use the same PHP version as your local PC, and make sure PHP ext-hash, ext-mbstring, and ext-openssl are enabled for the PHP of the IIS. You may use phpinfo() to check the PHP on your IIS server.

You should enable Debug (just follow the instruction in the docs) to check the detailed error message in the log file.

Make sure logging is properly set up so you can debug. Also make sure you have enabled error_reporting and display_errors in the php.ini (for your IIS) during debugging.

Note that if you have enabled "production" for Environment setting, you should set it back to "development" during debugging, you can modify the setting in the src\config.php manually to "ENVIRONMENT" => "development".

Another possibilitiy is that the non-alphanumerical file name are not saved properly. Make sure everything supports utf-8, including (but not limited to):

The charset of the project is utf-8,
The database/table/field supports utf-8. If MySQL, use utf8bm4. If MSSQL, use nvarchar, not varchar.

Wolf · Post by **Wolf** » Thu Mar 07, 2024 3:10 am

phpinfo:
hash support enabled
Multibyte Support enabled
OpenSSL support enabled

charset of the project is utf-8
MySQL, used utf8bm4

arbei · Post by **arbei** » Fri Mar 08, 2024 10:00 am

Wolf wrote:

if filename conains russian symbols got error "HTTP Error 400. The request URL is invalid."

What is the HTML with the URL? Inspect element in your browser and post the actual HTML.
Make sure the MySQL on your production server is also MySQL 8 which supports "utf8bm4" like your local MySQL database.
Check MySQL charset (for SET NAMES), make sure it is empty or "utf8bm4".
Export the table data to a utf-8 file and check if the russian characters in the file names are saved properly.
Are you sure the file with russian characters in file name are correctly uploaded on your IIS server? If the file name stored in the database does not match the actual physical file name, it won't work.

Wolf · Post by **Wolf** » Fri Mar 08, 2024 3:21 pm

not open: <a target="_blank" data-extension="pdf" href="/mkd/api/file/contract/eyJpdiI6IjluWWc5R1pBM08xeXBwc3MvemJEdWc9PSIsInZhbHVlIjoiOTJ1T1B2c3F2eUVlTVFBRTBTbXB3ZytvK2VmbjNzaW83SG1uSUx4OFNzeFB3dWV3L3VUNDNKTFpybjJFQ2NXWFFSNVFFWko2dWdhZDFjY0hWT2FYQldHT2pEUWp0UHpXanpxOWlzenhucmZxUWlqcWtRSWw3TUd4Qy9Ldm90Tm4iLCJtYWMiOiIyMjdjOWY1NDcxMDA2ZWNmMzlkNTM4Y2M1NzU4MDM5ZWQwNDNlNzJjNDM5NDRlMzA2ZjFiYTQ2NjBlMjg2MTUwIiwidGFnIjoiIn0=?session=eyJpdiI6IlZPZHlwM0ZnM0pDZUZQNFJoV0dBUnc9PSIsInZhbHVlIjoidnB1Y1Z1TElRaDFuZUcrUzJld1ByZG5XcGloZkhVOXJ4dEhpeXFmUHB0MD0iLCJtYWMiOiI0ZWRhZWNiYzQ0MTI0NzAwZWVkMmFlMzE4ODQ1NGU4MjU4YTQyYTY3M2YxYWYxNDgxNDc3ZTdlMjVmNDA4NWIwIiwidGFnIjoiIn0=&csrf_name=csrf65eabd886fdbe&csrf_value=XAwM4G9sxBPBnmwu88/yxjAIKsOwkh217fSL5RL9LxM+amqEDAmhcqWoXhnG98KlA20booSiLtPdxL7VK5lNKw==">RUSSIAN SYMBOLS.pdf</a>

open good: <a target="_blank" data-extension="pdf" href="/mkd/api/file/contract/eyJpdiI6InR2MC9FWS9PMkpQSFBGQWp1VUh4U3c9PSIsInZhbHVlIjoidG9QYzd1SEFGUlhYRjRpYWR6SlVKaFpnMUhHemd0am5rQnFwTDV0MGlkS2lLUER3bWs4TGgxRE11VkxQblY4eSIsIm1hYyI6ImE1MGI4NzE1YzYyNjkyNmUwZTYzOThhNWE4YWM3YWZlOGVlMTU4YjVkMDU1N2M3NTg5ZTRlOWYwOWEyNzM2NjUiLCJ0YWciOiIifQ==?session=eyJpdiI6InlUbUF3OS94TnZURGxJZnZWdHVabFE9PSIsInZhbHVlIjoiS2RQQVdzd0dTZWJJR0U1ZDA4YXpRMmh6Ny9nb1d5VWN3bmhkOVRHVkE5ND0iLCJtYWMiOiI3YzhhNWQxOTNjODcyZDgxZDg4NGVmZjU2YTc0OGZhM2VmZjc2MDM5OTJkNzUxZTdlNTZmZTRjYTI1NDBkMmEwIiwidGFnIjoiIn0=&csrf_name=csrf65eac41f4e344&csrf_value=UxKYNQqNlp/eAzhNDna8Q4iUbtP5ykYDKXBf9IO1hRRlIf1UO72u/ukzCixqEIlz7vJc65v5IDRPR2bFuobkcQ==">Touareg7p.pdf</a>

i can't post message with russian letters change to "russian symbols".
MySql version 8.1.0
SET NAMES in Advanced is empty.
4-5. Filenames stored properly. exact match with file name.

arbei · Post by **arbei** » Fri Mar 08, 2024 10:16 pm

You may write some code in a page (you need to use the PHPMaker config and functions) to test what could not be decrypted successfully, e.g.

echo Decrypt(Encrypt("Your russian characters"));
echo Decrypt($sessionId); // where $sessionId is the "session" parameter in above URL
echo Decrypt($fn, $sessionId . Config("ENCRYPTION_KEY")); // where $fn is the encrypted string after "contract/" and before "?".

Wolf · Post by **Wolf** » Sat Mar 09, 2024 3:33 am

Encrypt-Decrypt correct Russian filename.

sessionId = eyJpdiI6ImQxejlHNTZJaWR1TzZhZHdXbjlhSkE9PSIsInZhbHVlIjoiSWJUakp3QU1rRUZPZ1VpRWlBYzl6Q016eHc4bDcvalh6V1d1S2gwbTdWND0iLCJtYWMiOiI1OGNkZTA1NjkyNmE3ZTk5ZTQyZGE5NzM4ZTMwZmI4ZWJlYTk3MWJkYjc4ZGZjNWY5NDliNjU1YzQzMTNiNDc5IiwidGFnIjoiIn0=

Decrypt($sessionId) = r9r9oart70m889qvf2kpbdkm34

fn = eyJpdiI6IjluWWc5R1pBM08xeXBwc3MvemJEdWc9PSIsInZhbHVlIjoiOTJ1T1B2c3F2eUVlTVFBRTBTbXB3ZytvK2VmbjNzaW83SG1uSUx4OFNzeFB3dWV3L3VUNDNKTFpybjJFQ2NXWFFSNVFFWko2dWdhZDFjY0hWT2FYQldHT2pEUWp0UHpXanpxOWlzenhucmZxUWlqcWtRSWw3TUd4Qy9Ldm90Tm4iLCJtYWMiOiIyMjdjOWY1NDcxMDA2ZWNmMzlkNTM4Y2M1NzU4MDM5ZWQwNDNlNzJjNDM5NDRlMzA2ZjFiYTQ2NjBlMjg2MTUwIiwidGFnIjoiIn0=

Decrypt($fn, $sessionId . Config("ENCRYPTION_KEY")) = eyJpdiI6IjluWWc5R1pBM08xeXBwc3MvemJEdWc9PSIsInZhbHVlIjoiOTJ1T1B2c3F2eUVlTVFBRTBTbXB3ZytvK2VmbjNzaW83SG1uSUx4OFNzeFB3dWV3L3VUNDNKTFpybjJFQ2NXWFFSNVFFWko2dWdhZDFjY0hWT2FYQldHT2pEUWp0UHpXanpxOWlzenhucmZxUWlqcWtRSWw3TUd4Qy9Ldm90Tm4iLCJtYWMiOiIyMjdjOWY1NDcxMDA2ZWNmMzlkNTM4Y2M1NzU4MDM5ZWQwNDNlNzJjNDM5NDRlMzA2ZjFiYTQ2NjBlMjg2MTUwIiwidGFnIjoiIn0=

arbei · Post by **arbei** » Sat Mar 09, 2024 10:33 am

The file name cannot be decrypted. What is your Config("ENCRYPTION_KEY")? You can find it in src/config.php.

Make sure it is not empty. If you see the error "Error: Missing encryption key. Please click Tools -> Advanced Settings and set 'Encryption key'." during generation, do not ignore it. Follow the instruction to set it.

Session depends on cookie. Double check your cookie settings in advanced settings. If you enable Cookie Secure, make sure your site uses HTTPS, not HTTP. If you set Cookie SameSite as "None", you must enable Cookie Secure.

Wolf · Post by **Wolf** » Sat Mar 09, 2024 1:44 pm

key = MrFk61aXk]fGod25qmS7e3nZ4mTk-pK0

I didn't enable Cookie Secure.
my site uses HTTPS
Cookie SameSite - Lax

arbei · Post by **arbei** » Tue Mar 12, 2024 10:33 am

So it seems that the session has been changed. You may compare the session id (i.e. session_id()) of the page and the decrypted session id (i.e. Decrypt($sessionId)) in the URL.

Wolf · Post by **Wolf** » Wed Mar 13, 2024 2:44 am

sessionId = eyJpdiI6ImExVGZUZ3BSaG9KakcvM3ZpczhjeUE9PSIsInZhbHVlIjoiK0ZEamtRMHdLS0QreCtxOHR6UGJCMk1jYVBzb1BEZjlJNDlVU3FBWTVTQT0iLCJtYWMiOiIwY2E4MDIyMjdlOGQwYjk0YThkNjE4Njc4NmQ0MzQzYWJjNTljMmY0MGFiYmZiNTFhMjMxZmQwOGZiNTlhYWFmIiwidGFnIjoiIn0=
Decrypt($sessionId): r9r9oart70m889qvf2kpbdkm34
fn = JpdiI6InhHRXFtekJ6L3Q0UGp4UjFtVXgzRlE9PSIsInZhbHVlIjoiQTlpVkFweWROYWVNdWJZZVFucDE2VUQ0RkdqNTNWT29ZTlJKYkVNMm8rdENzOUErck1sd2RYTk5QWmtUd1RNWTNuSUdQeXA0TTBFT2l6L2laZks1M2dyY2hIM0J0cjE1RXRaWHFPY0hzam5IV1dHWUtkbWppTzNBZTBwbDU1V2JySEJkOVFlNzFnRjFyT0JrNVE2R00yaWx6dGYyMHA4WmwyUFFOTitWUERJPSIsIm1hYyI6IjIzNTI4ZmJmNDdhZjcxNDlmMGI2NWMxYjM2ZDVmY2QwMTY0OWRhMGYwNzUzYzRhNTI0YTNlNjdmNGNiYjQ1NTUiLCJ0YWciOiIifQ==
Decrypt($fn, $sessionId . Config("ENCRYPTION_KEY")): JpdiI6InhHRXFtekJ6L3Q0UGp4UjFtVXgzRlE9PSIsInZhbHVlIjoiQTlpVkFweWROYWVNdWJZZVFucDE2VUQ0RkdqNTNWT29ZTlJKYkVNMm8rdENzOUErck1sd2RYTk5QWmtUd1RNWTNuSUdQeXA0TTBFT2l6L2laZks1M2dyY2hIM0J0cjE1RXRaWHFPY0hzam5IV1dHWUtkbWppTzNBZTBwbDU1V2JySEJkOVFlNzFnRjFyT0JrNVE2R00yaWx6dGYyMHA4WmwyUFFOTitWUERJPSIsIm1hYyI6IjIzNTI4ZmJmNDdhZjcxNDlmMGI2NWMxYjM2ZDVmY2QwMTY0OWRhMGYwNzUzYzRhNTI0YTNlNjdmNGNiYjQ1NTUiLCJ0YWciOiIifQ==
key = MrFk61aXk]fGod25qmS7e3nZ4mTk-pK0
session_id(): r9r9oart70m889qvf2kpbdkm34
Decrypt($fn): JpdiI6InhHRXFtekJ6L3Q0UGp4UjFtVXgzRlE9PSIsInZhbHVlIjoiQTlpVkFweWROYWVNdWJZZVFucDE2VUQ0RkdqNTNWT29ZTlJKYkVNMm8rdENzOUErck1sd2RYTk5QWmtUd1RNWTNuSUdQeXA0TTBFT2l6L2laZks1M2dyY2hIM0J0cjE1RXRaWHFPY0hzam5IV1dHWUtkbWppTzNBZTBwbDU1V2JySEJkOVFlNzFnRjFyT0JrNVE2R00yaWx6dGYyMHA4WmwyUFFOTitWUERJPSIsIm1hYyI6IjIzNTI4ZmJmNDdhZjcxNDlmMGI2NWMxYjM2ZDVmY2QwMTY0OWRhMGYwNzUzYzRhNTI0YTNlNjdmNGNiYjQ1NTUiLCJ0YWciOiIifQ==

arbei · Post by **arbei** » Wed Mar 13, 2024 10:30 am

So session_id() equals Decrypt($sessionId). Everything is correct. The only explanation might be what you didn't show so far, the Russian characters, although you said you can encrypt/decrypt correctly. You may post an example for testing as follows:

Export your table to a .sql file (with CREATE TABLE statement)
Delete all records (INSERT statements) except one (INSERT statement) for testing. The record should contains the file name with Russian characters.

Wolf · Post by **Wolf** » Wed Mar 13, 2024 11:41 pm

CREATE TABLE `contract` (
  `id` int NOT NULL,
  `id_house` int NOT NULL,
  `number` varchar(20) NOT NULL,
  `date_start` date NOT NULL,
  `date_end` date DEFAULT NULL,
  `scan` varchar(150) DEFAULT NULL,
  `notes` tinytext
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci;

INSERT INTO `contract` (`id`, `id_house`, `number`, `date_start`, `date_end`, `scan`, `notes`) VALUES
(1, 1, '1/2024', '2024-02-14', NULL, 'Инструкция по охране труда.pdf', NULL),
(2, 1, '231321321', '2024-02-16', NULL, 'инструкция лк для школы 2023-2024.docx', NULL);

arbei · Post by **arbei** » Fri Mar 15, 2024 12:49 pm

The problem is not related to PHP or Russian characters, it is due to IIS settings for the URL, when the file name is long, the URL with encrypted file path is too long for IIS with default settings, you may read the follows:

Troubleshooting HTTP 400 errors in IIS
Http.sys registry settings for Windows, note that:
Changes that are made to the registry will not take effect until you restart the HTTP service. Additionally, you may have to restart any related IIS services.
See the last section of above article.

You need to increase at least the UrlSegmentMaxLength registry setting.

Wolf · Post by **Wolf** » Sat Mar 16, 2024 12:15 am

Thanks s lot!
I think this will be useful to many, please add it to the FAQ or installation instructions.

PowerShell script:
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters -Name UrlSegmentMaxLength -Value 2000 -Type "Dword"