Stream: dotnet
Topic: server parameter processing
Brian Postlethwaite (Sep 18 2020 at 06:38):
Just a little gotcha out there for those writing servers when porting over to netcore...
HttpUtility.ParseQueryString has some fun behaviours...
The parts in the query have meaning for FHIR, seperate by & is a logical and, seperate with a , means a logical or
Instead you should use the QueryHelpers.ParseQuery() routine.
https://trackjs.com/blog/query-string-parsing/
The NameValueCollection will convert this
Observation?date=le2018-04&date=ge2018-04,le2018-04
into
name : `date`
value : `le2018-04,ge2018-04,le2018-04` (single string)
The new structure has a StringValues object, which is a collection of strings, so produces
name : `date`
value : `le2018-04` and `ge2018-04,le2018-04` (2 strings, as was in the originalstring intent)
This issue is in the Spark server here @Kenneth Myhra
https://github.com/FirelyTeam/spark/blob/326c41bfe6aa63907e85c016d55f280029f95ec8/src/Spark.Engine/Extensions/HttpHeadersExtensions.cs#L72
@Christiaan Knaap , @Gino Canessa, @Michele Mottini not sure if your servers are also susceptible to this too.
I'll be posting an update to the fhir-net-web-api to resolve it in my facade project this weekend for those using this nuget package.
Michele Mottini (Sep 18 2020 at 12:52):
Thanks for checking Brian. Our server is OK, we use HttpRequestMessageExtensions.GetQueryNameValuePairs()
Christiaan Knaap (Oct 27 2020 at 16:59):
We're not susceptible to this, but thanks for the mention anyway!
Last updated: Apr 12 2022 at 19:14 UTC
