Email Security.cloud

 View Only
Back to discussions
Expand all | Collapse all

URL encoding of parameters are not maintained by Click-time URL protection

  • 1.  URL encoding of parameters are not maintained by Click-time URL protection

    Posted Nov 21, 2017 12:35 PM

    Hi,

    Having a valid URL in the email containing encoding of special characters in the parameter of the URL e.g. %2F, will result in below Click-time URL.

    https://clicktime.symantec.com/a/1/C0wv3lbDolkuNfSupOJp3P8xaadEbLTclU6XnduaqBo=?d=4z70XHCj7cpIYpa1umVY5H7J5rqp32gUhGyVLniLOtpNFX3p7Q2Knxo63ke1kuerU8JGG-bwExZg2KkCy2uw3ENu08D91Z2Y_qsG5USEyWMyG9DgSXJJzaKwoSJ-c--iCo0iAzLh1YTAHwlNTsWmlUFpE_VTOrRo6zS6glZCYVJvJXFwquV62D74WnC7AmFZxcvFyRpltcZo9QwD-872FYCIyYvTOvNd5bZB4f4fl9_P7EPI_5uEcK6B5pxMPwadER1sUzXVa9TH_nGnV8rxNHiJiPy7Y9CXSFIjrkd6yYMnuLkXdcrhnv2lLr9synpS0yZIMOeaMyFSqxFGOK9WgynzP81-uWWJpCPYOPVCycms9jdLapZpcb5LJeagijq0-nk0oq-GjT2E63rsKOm-6pOuLdkZ6RGQNZTCt7IYbCIgHp6vzuzKtaGqzcCs71S4qIRQu_87u5rSVbCK01gD7NzVxwdvzUeldWuLq3tKGzq4aBdshEueRKdd_B5p&u=https%3A%2F%2Fxxxxxxxxxxxxxxxxxxxxxx.com%2TRACK%2Fexternal%2Fdownload%3Fq%3D163334d25b97aa7596a919cac654db2171f7f7c32uaWAjdhh11toDgMfv3R6dxNIxHlCu%2FB8mOMm6ZhNtXs18tC6kIjZXxlVgRhpt0%2BxGFNoaPmqBKMIJqjf8gTCjgiXqkinnC%2Bw%2B66NLt8tFVwT5NIC%2Fim0mBgqeSeeIKWjVlEAcnXxsUEUZqBHg8toDIGL6eR3CF0B9MWLgFvx4W9Tp1JXdbgP1J4pRwwoDYyQL7ou46sLfL%2FF9u3j4O%2FK98sggPpUX09wlq2neUqchFGbYtxq3Jp6JpYFV%2B5RiiwEew5oSt5Bb7DFaT8NpgPP7LnP6nAV4c7kPGemo8%2B5ojCRsjwbVcrfKJQA1RvOaf
     

    Click-time maintains the encoding correctly up to this stage.

    However, after calling this URL, the Symantic redirect reverts the encoding of the entire Click-time u parameter including the parameter q in the origingal URL. This results in an invalid URL containing e.g. / in the parameter.

    /TRACK/external/download?q=163334d25b97aa7596a919cac654db2171f7f7c32uaWAjdhh11toDgMfv3R6dxNIxHlCu/B8mOMm6ZhNtXs18tC6kIjZXxlVgRhpt0+xGFNoaPmqBKMIJqjf8gTCjgiXqkinnC+w+66NLt8tFVwT5NIC/im0mBgqeSeeIKWjVlEAcnXxsUEUZqBHg8toDIGL6eR3CF0B9MWLgFvx4W9Tp1JXdbgP1J4pRwwoDYyQL7ou46sLfL/F9u3j4O/K98sggPpUX09wlq2neUqchFGbYtxq3Jp6JpYFV+5RiiwEew5oSt5Bb7DFaT8NpgPP7LnP6nAV4c7kPGemo8+5ojCRsjwbVcrfKJQA1RvOaf
     

    From my view, this should be technically avoidable from Symantec side by maintaining the encoding of the original URL parameter.

    As currently all URLs are breaking, fast help would be very much appreciated.

    Many thanks,
    Matt