IE calls the client program

Source: Internet
Author: User

Original address

https://msdn.microsoft.com/en-us/library/aa767914.aspx#app_reg

Registering an application to a URI Scheme

The About Asynchronous Pluggable Protocols article describes how to develop handlers for Uniform Resource Identifier (URI) schemes. In some cases, it may be desirable to invoke another application to handle a custom URI scheme. To do so, register the existing application as a URI pluggable protocol handler and associate it with the custom URI scheme. Once the application has successfully launched, it can use command-line parameters to retrieve the URI that launched it. These settings apply to pluggable protocol handlers launched from within Windows Internet Explorer and from Windows Explorer using the Run... command (Windows logo key+R).

Security Warning: Applications that handle URI schemes must consider how to respond to malicious data. Because handler applications can receive data from untrusted sources, the URI and other parameter values passed to the application may contain malicious data that attempts to exploit the handling application.

This topic contains the following sections:

    • Registering the application handling the Custom URI Scheme
    • Launching the Handler
    • Security issues
    • Example Pluggable Protocol Handler
    • Related Topics
Registering the application handling the Custom URI Scheme

To register an application to handle a particular URI scheme, add a new key, along with the appropriate subkeys and values, to HKEY_CLASSES_ROOT. The root key must match the URI scheme that is being added. For instance, to add an "alert:" scheme, add an alert key to HKEY_CLASSES_ROOT, as follows:

    HKEY_CLASSES_ROOT
       alert
          URL Protocol = ""

Under this new key, the URL Protocol string value indicates that this key declares a custom pluggable protocol handler. Without this key, the handler application will not launch. The value should be an empty string.

Keys should also be added for DefaultIcon and shell. The Default string value of the DefaultIcon key must be the file name to use as an icon for this new URI scheme. The string takes the form "path, iconindex" with a maximum length of MAX_PATH. The name of the first key under the shell key should be an action verb, such as open. Under this key, a command key or a ddeexec key indicates how the handler should be invoked. The values under the command and ddeexec keys describe how to launch the application handling the new protocol.

Finally, the Default string value should contain the display name of the new URI scheme. The following example shows how to register an application, alert.exe in this case, to handle the alert scheme.

    HKEY_CLASSES_ROOT
       alert
          (Default) = "URL:Alert Protocol"
          URL Protocol = ""
          DefaultIcon
             (Default) = "alert.exe,1"
          shell
             open
                command
                   (Default) = "C:\Program Files\alert\alert.exe" "%1"

When a user clicks a link containing your custom URI scheme, Windows Internet Explorer launches the pluggable protocol handler registered for that URI scheme. If the open command specified in the registry contains a %1 parameter, Internet Explorer passes the URI to the registered pluggable protocol handler application.

Launching the Handler

By adding the above settings to the registry, navigating to URIs such as alert:Hello%20World would cause an attempt to launch alert.exe with the complete URI on the command line. Internet Explorer percent-decodes the URI, but the Windows Run... command does not. If a URI contains percent-encoded spaces, it may be split across more than one argument on the command line.

For example, if the link above was followed through Internet Explorer, the command line would be:

    "C:\Program Files\alert\alert.exe" "alert:Hello World"

If this link was followed through Windows Explorer, the Windows Run command, or some other application, the command line would be:

    "C:\Program Files\alert\alert.exe" "alert:Hello%20World"

Because Internet Explorer will decode all percent-encoded octets in the URI before passing the resulting string to ShellExecute, URIs such as alert:%3f? will be given to the alert application pluggable protocol handler as alert:??. The handler won't know that the first question mark was percent-encoded. To avoid this issue, pluggable protocol handlers and their associated URI scheme must not rely on encoding. If encoding is necessary, protocol handlers should use another type of encoding that is compatible with URI syntax, such as Base64 encoding. Double percent-encoding is not a good solution either; if the application protocol URI isn't processed by Internet Explorer, it won't be decoded.

When ShellExecute executes the pluggable protocol handler with a string on the command line, any non-encoded spaces, quotes, and backslashes in the URI will be interpreted as part of the command line. This means that if you use C/C++'s argc and argv to determine the arguments passed to your application, the string may be broken across multiple parameters. To mitigate this issue:

    • Avoid spaces, quotes, or backslashes in your URI
    • Quote the %1 in the registration ("%1" as written in the 'alert' example registration)

However, avoidance doesn't completely solve the problem of quotes in the URI or a backslash at the end of the URI.
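The splitting described above can be reproduced with a small model of the argument rules. This is an added example, not code from the original article; split_args is a hypothetical helper that implements a simplified version of the Microsoft C runtime quoting rules, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8
#define ARG_LEN  256

static void put(char *arg, size_t *n, char c)
{
    if (*n < ARG_LEN - 1) arg[(*n)++] = c;   /* truncate rather than overflow */
}

/* Simplified model of the Microsoft C runtime argv rules (assumption: the
 * special handling of "" inside a quoted run is not modelled). Splits the
 * text that follows the program name and returns the argument count. */
int split_args(const char *p, char out[MAX_ARGS][ARG_LEN])
{
    int argc = 0;
    while (argc < MAX_ARGS) {
        while (*p == ' ' || *p == '\t') p++;          /* skip separators */
        if (!*p) break;
        size_t n = 0;
        int quoted = 0;
        while (*p && (quoted || (*p != ' ' && *p != '\t'))) {
            size_t slashes = 0;
            while (*p == '\\') { slashes++; p++; }
            if (*p == '"') {
                /* 2n backslashes + quote: n, toggle mode; 2n+1: n, literal quote */
                for (size_t i = 0; i < slashes / 2; i++) put(out[argc], &n, '\\');
                if (slashes % 2) put(out[argc], &n, '"'); else quoted = !quoted;
                p++;
            } else {
                /* Backslashes not followed by a quote are literal. */
                for (size_t i = 0; i < slashes; i++) put(out[argc], &n, '\\');
                if (*p && (quoted || (*p != ' ' && *p != '\t')))
                    put(out[argc], &n, *p++);
            }
        }
        out[argc++][n] = '\0';
    }
    return argc;
}

int main(void)
{
    char a[MAX_ARGS][ARG_LEN];
    /* Constructed input: what "%1" becomes for the URI alert:"Hello World". */
    int n = split_args("\"alert:\"Hello World\"\"", a);
    for (int i = 0; i < n; i++) printf("argv[%d] = %s\n", i + 1, a[i]);
    return 0;
}
```

Under the same rules, a URI that ends in a backslash has that backslash escape the closing quote of "%1", so the handler receives a trailing quote character instead.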

Security issues

As noted above, the string that is passed to a pluggable protocol handler might be broken across multiple parameters. Malicious parties could use additional quote or backslash characters to pass additional command-line parameters. For this reason, pluggable protocol handlers should assume that any parameters on the command line could come from malicious parties, and carefully validate them. Applications that could initiate dangerous actions based on external data must first confirm those actions with the user. In addition, handling applications should be tested with URIs that are overly long or contain unexpected (or undesirable) character sequences.

For more information, please see Writing Secure Code.
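One way a handler can apply this advice before acting on its command line, shown in C because the text refers to argc and argv. This is an added example, not code from the original article; checked_payload, the 256-character cap, and the character allowlist are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SCHEME      "alert:"
#define MAX_URI_LEN 256          /* assumed cap for this example */

/* Returns the text after "alert:" when the command line is acceptable,
 * or NULL when the handler should refuse to act on it. */
const char *checked_payload(int argc, char **argv)
{
    /* The registration passes exactly one "%1". Any extra argument means
     * quotes or backslashes in the URI split the string. */
    if (argc != 2 || argv[1] == NULL) return NULL;

    const char *uri = argv[1];
    size_t len = strlen(uri), slen = strlen(SCHEME);
    if (len <= slen || len > MAX_URI_LEN) return NULL;

    for (size_t i = 0; i < slen; i++)        /* scheme is case-insensitive */
        if (tolower((unsigned char)uri[i]) != SCHEME[i]) return NULL;

    for (const char *p = uri + slen; *p; p++) {
        unsigned char c = (unsigned char)*p;
        /* Assumed allowlist: letters, digits, a few marks, and space
         * (Internet Explorer decodes %20 before launching the handler).
         * Quotes, backslashes and '%' are rejected. */
        if (!(isalnum(c) || c == ' ' || strchr("-_.~", c))) return NULL;
    }
    return uri + slen;
}

int main(int argc, char **argv)
{
    const char *payload = checked_payload(argc, argv);
    if (!payload) {
        fputs("alert: refusing malformed URI\n", stderr);
        return 1;
    }
    printf("Alert text: %s\n", payload);
    return 0;
}
```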

Example Pluggable Protocol Handler

The following sample code contains a simple C# console application demonstrating one way to implement a pluggable protocol handler for the alert URI scheme.

    using System;
    using System.Collections.Generic;
    using System.Text;

    namespace Alert
    {
      class Program
      {
        static string ProcessInput(string s)
        {
           // TODO Verify and validate the input
           // string as appropriate for your application.
           return s;
        }

        static void Main(string[] args)
        {
          Console.WriteLine("Alert.exe invoked with the following parameters.\r\n");
          Console.WriteLine("Raw command-line: \n\t" + Environment.CommandLine);

          Console.WriteLine("\n\nArguments:\n");
          foreach (string s in args)
          {
            Console.WriteLine("\t" + ProcessInput(s));
          }
          Console.WriteLine("\nPress any key to continue...");
          Console.ReadKey();
        }
      }
    }

When invoked with the URI alert:"Hello%20World" (note extra quotes) from Internet Explorer, the program responds with:

    Alert.exe invoked with the following parameters.

    Raw command-line:
            "C:\Program Files\alert\alert.exe" "alert:"Hello World""

    Arguments:

            alert:Hello
            World

    Press any key to continue...

Related Topics
