Registering an Application to a URL Protocol.docx
《Registering an Application to a URL Protocol.docx》由会员分享,可在线阅读,更多相关《Registering an Application to a URL Protocol.docx(10页珍藏版)》请在冰豆网上搜索。
RegisteringanApplicationtoaURLProtocol
RegisteringanApplicationtoaURLProtocol
426outof457ratedthishelpful - Ratethistopic
Updated:
April2011
The AboutAsynchronousPluggableProtocols articledescribeshowtodevelophandlersforURLprotocols.Insomecases,itmaybedesirabletoinvokeanotherapplicationtohandleacustomprotocol.Todoso,registertheexistingapplicationasaURLProtocolhandler.Aftertheapplicationhassuccessfullylaunched,itcanusecommand-lineparameterstoretrievetheURLthatlaunchedit.ThesesettingsapplytoprotocolhandlerslaunchedfromwithinWindowsInternetExplorerandfromWindowsExplorerusingthe Run... command(Windowslogokey+R).
SecurityAlert ApplicationsthathandleURLprotocolsmustconsiderhowtorespondtomaliciousdata.Becausehandlerapplicationscanreceivedatafromuntrustedsources,theURLandotherparametervaluespassedtotheapplicationmaycontainmaliciousdatathatattemptstoexploitthehandlingapplication.
Thistopiccontainsthefollowingsections:
∙RegisteringtheApplicationHandlingtheCustomProtocol
∙LaunchingtheHandler
∙SecurityIssues
∙ExampleProtocolHandler
∙RelatedTopics
RegisteringtheApplicationHandlingtheCustomProtocol
ToregisteranapplicationtohandleaparticularURLprotocol,addanewkey,alongwiththeappropriatesubkeysandvalues,toHKEY_CLASSES_ROOT.Therootkeymustmatchtheprotocolschemethatisbeingadded.Forinstance,toaddan"alert:
"protocol,addan alert keytoHKEY_CLASSES_ROOT,asfollows:
HKEY_CLASSES_ROOT
alert
URLProtocol = ""
Underthisnewkey,the URLProtocol stringvalueindicatesthatthiskeydeclaresacustomprotocolhandler.Withoutthiskey,thehandlerapplicationwillnotlaunch.Thevalueshouldbeanemptystring.
Keysshouldalsobeaddedfor DefaultIcon and shell.TheDefaultstringvalueofthe DefaultIcon keymustbethefilenametouseasaniconforthisnewURLprotocol.Thestringtakestheform"path,iconindex"withamaximumlengthofMAX_PATH.Thenameofthefirstkeyunderthe shell keyshouldbeanactionverb,suchas open.Underthiskey,a command keyora DDEEXEC keyindicatehowthehandlershouldbeinvoked.Thevaluesunderthe command and DDEEXEC keysdescribehowtolaunchtheapplicationhandlingthenewprotocol.
Finally,the Default stringvalueshouldcontainthedisplaynameofthenewprotocol.Thefollowingexampleshowshowtoregisteranapplication,alert.exeinthiscase,tohandlethe alert protocol.
HKEY_CLASSES_ROOT
alert
(Default)="URL:
AlertProtocol"
URLProtocol = ""
DefaultIcon
(Default)="alert.exe,1"
shell
open
command
(Default)="C:
\ProgramFiles\Alert\alert.exe""%1"
WhenauserclicksalinkregisteredtoyourcustomURLprotocol,InternetExplorerlaunchestheregisteredURLprotocolhandler.Ifthespecified open commandspecifiedintheregistrycontainsa %1 parameter,InternetExplorerpassestheURItotheregisteredprotocolhandlerapplication.
LaunchingtheHandler
Byaddingtheabovesettingstotheregistry,navigatingtoURLssuchas alert:
Hello%20World wouldcauseanattempttolaunchalert.exewiththecompleteURLonthecommandline.InternetExplorerdecodestheURL,buttheWindows Run... commanddoesnot.IfaURLcontainsspaces,itmaybesplitacrossmorethanoneargumentonthecommandline.
Forexample,ifthelinkaboveisfollowedthroughInternetExplorer,thecommandlinewouldbe:
"C:
\ProgramFiles\Alert\alert.exe""alert:
HelloWorld"
IfthislinkisfollowedthroughWindowsExplorer,theWindows Run command,orsomeotherapplication,thecommandlinewouldbe:
"C:
\ProgramFiles\Alert\alert.exe""alert:
Hello%20World"
BecauseInternetExplorerwilldecodeallpercent-encodedoctetsintheURLbeforepassingtheURLto ShellExecute,URLssuchas alert:
%3F?
willbegiventothealertapplicationprotocolhandleras alert:
?
?
.Thehandlerwon'tknowthatthefirstquestionmarkwaspercent-encoded.Toavoidthisissue,applicationprotocolhandlersandtheirassociatedURLschememustnotrelyonencoding.Ifencodingisnecessary,protocolhandlersshoulduseanothertypeofencodingthatiscompatiblewithURLsyntax,suchasBase64encoding.Doublepercent-encodingisnotaperfectsolutioneither;iftheapplicationprotocolURLisn'tprocessedbyInternetExplorer,itwillnotbedecoded.
When ShellExecute executestheapplicationprotocolhandlerwiththeURLonthecommandline,anynon-encodedspaces,quotes,andslashesintheURLwillbeinterpretedaspartofthecommandline.ThismeansthatifyouuseC/C++'s argcandargv todeterminetheargumentspassedtoyourapplication,theURLmaybebrokenacrossmultipleparameters.Tomitigatethisissue:
∙Avoidspaces,quotes,orbackslashesinyourURL
∙Quotethe%1intheregistration("%1"aswritteninthe'alert'exampleregistration)
However,avoidancedoesn'tcompletelysolvetheproblemofquotesintheURLorabackslashattheendoftheURL.
InternetExplorer 9.AnapplicationprotocolhandlercandisableURLpercentdecodingbyaddingthe UseOriginalUrlEncoding settingtotheregistrationfortheprotocol.Whenthissettingissetto(DWORD) 1,thecommandlineisnotpercentdecodedbyInternetExplorerwhenpassedtotheprotocolhandler.
Warning Theuse(orlack)ofURLpercentencodingdoesnotprotectaprotocolhandlerfrommaliciousinput.Caremustbetakentoproperlyvalidateinputfromuntrustedsources.
SecurityIssues
Asnotedabove,theURLthatispassedtoanapplicationprotocolhandlermightbebrokenacrossmultipleparameters.Maliciouspartiescoulduseadditionalquotationmarksorbackslashcharacterstopassadditionalcommand-lineparameters.Forthisreason,applicationprotocolhandlersshouldassumethatanyparametersonthecommandlinecouldcomefrommaliciousparties,andcarefullyvalidatethem.Applicationsthatcouldinitiatedangerousactionsbasedonexternaldatamustfirstconfirmthoseactionswiththeuser.Inaddition,handlingapplicationsshouldbetestedwithURLsthatareoverlylongorcontainunexpected(orundesirable)charactersequences.
Formoreinformation,pleasesee WritingSecureCode.
ExampleProtocolHandler
ThefollowingsamplecodecontainsasimpleC#consoleapplicationdemonstratingonewaytoimplementaprotocolhandlerforthe alert protocol.
usingSystem;
usingSystem.Collections.Generic;
usingSystem.Text;
namespaceAlert
{
classProgram
{
staticstringProcessInput(strings)
{
//TODOVerifyandvalidatetheinput
//stringasappropriateforyourapplication.
returns;
}
staticvoidMain(string[]args)
{
Console.WriteLine("Alert.exeinvokedwiththefollowingparameters.\r\n");
Console.WriteLine("Rawcommand-line:
\n\t"+Environment.CommandLine);
Console.WriteLine("\n\nArguments:
\n");
foreach(stringsinargs)
{
Console.WriteLine("\t"+ProcessInput(s));
}
Console.WriteLine("\nPressanykeytocontinue...");
Console.ReadKey();
}
}
}
WheninvokedwiththeURL alert:
"Hello%20World" (noteextraquotes)fromInternetExplorer,theprogramrespondswith:
Alert.exeinvokedwiththefollowingparameters.
Rawcommand-line:
"C:
\ProgramFiles\Alert\alert.exe""alert:
"HelloWorld""
Arguments:
alert:
Hello
World
Pressanykeytocontinue...
RelatedTopics
∙AboutAsynchronousPluggableProtocols
∙DebuggingTips
窗体顶端
Didyoufindthishelpful?
Yes
No
窗体底端
CommunityContent Add
FAQ
Canweregistermultipleapplicationbyusingthesameprefixandallowusersselectanapptorun
DearAll,I'vecreatedaURLprotocolformyappsuccessfully.BecausemyappusesURLprefix"vnc:
//",thismayconflictwithotherVNCsiftheyalsoregisterURLprotocoltoo.Canwehaveawaytoregistermultipleapplicationbyusingthesameprefixandallowusersselectanapptorun?
Thanks,Stephen
History
∙2/24/2012
∙phanduyson
SomeExecutablesDisabled
InWindows7/IE9,c:
\windows\system32\cmd.execannotbeinvokedasthehandler.Inmycase,IwastryingtopasstheURItoabatchfile,somycommandwas "c:
\windows\system32\cmd.exe/cc:
\mystuff\foohandler.bat"%1"".Iwasabletoworkaroundthisbymakingacopyofcmd.exe.Mycommandbecame"c:
\mystuff\foohandler_cmd.exe/cc:
\mystuff\foohandler.bat"%1"",whichworked.Idon'tknowifthisrestrictioncomesfromWindows7orIE9,andIwouldnotbesurprisedifothercommandprocessors,likecscript.exe,arelikewisedisabled.
History
∙10/6/2011
∙LouisThomas
Howtoremove"OpenApplication-SecurityWarning"windowinIE
IhaveregisteredaURLprotocol,anditworkswell.Butwheniinvokemyapplictioninthewebpage,ieopena securitywarningdialog. Sohowtoremove"OpenApplication-SecurityWarning"windowinIEwithcodes.Thanks.
History
∙6/8/2011
∙cjb9937
writeasaservice?
Hi;
Isthereawaytowriteaprotocolhandlerasaservice?
thanks-dave
History
∙5/18/2011
∙DavidThi808
WorkingDIR?
Hello.
Q:
IsthereawaytosettheWorkingDirectoryfortheprogramintheregistrywhenlaunchedfromurl?
History
∙3/17/2011
∙Ult1m4t3Snip3r
∙3/18/2011
∙Ult1m4t3Snip3r
HowtowarnauseronacomputeronwhichURLprotocolisnotregistered?
IhaveregisteredaURLprotocolalongwiththeapplicationinstallation,anditworksflawlesslyonbothIEandfirefox.Theproblemisthatonacomputeronwhichtheapplicationisnotinstallation(neither istheURLprotocolregistered),andtheuserclickstheURLlink.IwouldliketheIEtoopenajavascriptwindows,orawebpage,o