Brandon’s company had a lot of work to do, and not enough staff to do it, so they hired on some freelancers. They were careful about it, and felt like they’d hired some good people. One developer, in particular, was the kind of developer who not only understands the low-level Windows API, but actually knows how to use some of the undocumented corners of it to get things done.

Most of the module was pretty good, but when Brandon double checked on the method for escaping disallowed characters from a URL, he found some problems.

The function went character by character through the string, which was bad enough, but when it wanted to know if a certain character needed to be escaped or not, it called this function:

bool NeedEscape ( wchar_t c )
    switch ( c )
        case L'0': case L'1': case L'2': case L'3': case L'4':
        case L'5': case L'6': case L'7': case L'8': case L'9':
        case L'a': case L'b': case L'c': case L'd': case L'e':
        case L'f': case L'g': case L'h': case L'i': case L'j':
        case L'k': case L'l': case L'm': case L'n': case L'o':
        case L'p': case L'q': case L'r': case L's': case L't':
        case L'u': case L'v': case L'w': case L'x': case L'y':
        case L'z': case L'A': case L'B': case L'C': case L'D':
        case L'E': case L'F': case L'G': case L'H': case L'I':
        case L'J': case L'K': case L'L': case L'M': case L'N':
        case L'O': case L'P': case L'Q': case L'R': case L'S':
        case L'T': case L'U': case L'V': case L'W': case L'X':
        case L'Y': case L'Z': case L'-': case L'.': case L'_':
        case L'~':
            return false;
            return true;

While this freelancer may have been an expert on the undocumented Windows APIs, they didn’t quite know their way around the documented ones.

[Advertisement] Otter allows you to easily create and configure 1,000's of servers, all while maintaining ease-of-use, and granular visibility down to a single server. Find out more and download today!