This project has moved. For the latest updates, please go here.
2
Vote

Hyperlink URL is decoded twice

description

It appears that when a hyperlink in Papercut is clicked, the URL decoding that is usually done on the remote server is also being done in the client, thereby potentially altering the URL being loaded.

Consider an email where a user must click a link to confirm their email address, and the security token contains plus signs (+) or other characters that have special meaning in a URL query:
    http://localhost/ConfirmEmail?token=AwE%2FCl%2BsBAAAABNqTs
The plus sign is safely encoded (%2B). This is the URL that gets loaded instead:
    http://localhost/ConfirmEmail?token=AwE/Cl+sBAAAABNqTs
So when the remote server decodes the query string, it changes the meaning of token from:
AwE/Cl+sBAAAABNqTs
to:
AwE/Cl sBAAAABNqTs
The same does not happen when the captured .eml file is opened in Outlook.

comments

sweeperq wrote Jan 15, 2016 at 3:04 AM

I encountered the exact same issue while testing ASP.net Identity password reset. The password reset always failed when clicking on the link from Papercut because of the URL decoding when clicking on the link.

At first I thought it was Microsoft Edge, but when I set up Chrome as my default browser it exhibited the exact same behavior.

I have to right-click, click Copy shortcut, then paste it into the browser window in order to get it to work.

Jaben wrote Feb 2, 2016 at 1:41 AM

Fixed in latest.

Kiefer27 wrote Jun 20, 2016 at 2:31 PM

Also ran into this problem, downloaded new version dated 2/1/2016 and now it works. Thanks!