BDC Picker.aspx QueryString Triggers Firewall Security

The implementation of the BDC entity picker dialog (opened with the Browse button) can cause some firewall and security software to think a worm or SQL injection attack is happening and block the traffic.

The manner in which properties and entity IDs are encoded into long query string values makes the URLs appear to be injection attacks. On a particular client's BDC application, the picker dialog used a URL similar to the following:

http://domainname.org/_layouts/Picker.aspx?MultiSelect=False&CustomProperty=uU2hhcmVQb2ludC5Qb3J0YWwsIFZlcnNpb249MTIuMC4wLAF%2F%2FAQAAAAAAAA9QcmltYXJ5Q29sdW1uSWQQU3lzdGVtSW5zdGFuY2VAAAAAAMAgAAAF9NaWNyb3NvZnQjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49NzFlOWJjZTExMWU5NDI5YwUBAAAAPk1pYAEAAAD%2F%2F%23Jvc29mdC5TaGFyZVBvaW50LlBvcnRhbC5XZWJDb250cm9scy5JdGVtUGlja2VyRXh0ZW5kZWREYXRhBJZAhFbnRpdHlJZBNTZWNvbmRhcnlDb2x1bW5zSWRzAAAABw8PDw8CAAAANw4AAAcOAAAIDgAACQMAAAAPAwAAAAAAAAAPCwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3D&EntitySeparator=%00&DialogTitle=Choose%20User&DialogImage=%2F_layouts%2Fimages%2Fbizpicker.gif&PickerDialogType=Microsoft.SharePoint.Portal.WebControls.ItemPickerDialog%2C%20Microsoft.SharePoint.Portal%2C%20Version%3D12.0.0.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D71e9bce111e9429c&DefaultSearch=

Using HTTP GET for this kind of thing is a bad idea, and I hope that Microsoft fixes this in the future.
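As an added example that is not part of the original post, the Python below shows the kind of length-and-entropy heuristic that makes a serialized CustomProperty value look like a payload, and how an exception scoped to the Picker.aspx path lets the picker through without loosening the rule for every other page on the site. The thresholds, the host name and the sample blob are constructed assumptions, not values from any real firewall product.

```python
import math
from urllib.parse import urlsplit, parse_qs
import base64

# Constructed thresholds: real firewalls tune these differently.
MAX_PARAM_LEN = 256        # values longer than this look like a payload
MIN_ENTROPY_BITS = 4.0     # serialized/base64 data is high entropy per character

# Parameters a known page legitimately fills with serialized data, keyed by path
# so the exception does not loosen the rule for the rest of the site.
KNOWN_BLOB_PARAMS = {
    "/_layouts/picker.aspx": {"customproperty"},
}

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def flagged_params(url: str, exceptions=None) -> list:
    """Names of query parameters that look like opaque payloads (long and
    high entropy), skipping blob parameters the target path is known to use."""
    if exceptions is None:
        exceptions = KNOWN_BLOB_PARAMS
    parts = urlsplit(url)
    allowed = exceptions.get(parts.path.lower(), set())
    flagged = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() in allowed:
            continue
        if any(len(v) > MAX_PARAM_LEN and shannon_entropy(v) >= MIN_ENTROPY_BITS
               for v in values):
            flagged.append(name)
    return flagged

# Constructed sample blob (344 base64 chars) standing in for the picker's
# serialized ItemPickerExtendedData; the host name is a placeholder.
BLOB = base64.b64encode(bytes(range(256))).decode()
PICKER_URL = ("http://sharepoint.example/_layouts/Picker.aspx?MultiSelect=False"
              "&CustomProperty=" + BLOB + "&DialogTitle=Choose%20User&DefaultSearch=")
OTHER_URL = "http://sharepoint.example/default.aspx?q=" + BLOB
```

Passing an empty exception table (`flagged_params(PICKER_URL, {})`) reproduces the false positive the post describes; with the path-scoped entry in place the picker URL passes while the same blob on an unrelated page is still flagged.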