All geek questions in one place

Cancel request validation using HttpHandler in IIS 7

I have an application that needs to deal with getting "special" characters in its URL (like &, +,%, etc.). When I send a request to the application using these characters (of course, I send them with escaping), I get a "Bad request" response code with the message "ASP.NET detected invalid characters in the URL." The request trace showed me that the error was selected from the "authentication module".

I searched a bit and found that each page has a ValidateRequest and changes its value to false, solves the problem. Sorry, I'm using Httphandler. Does anyone know how to stop request validation using the http handler?

+3
source share
8 answers

I ran into the same problem (creating an IHttpHandler that was supposed to receive requests with special characters in the url). I had to do two things to fix this:

  • Create the following DWORD registry entry with a value of 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\VerificationCompatibility

  • In the web.config file, set the allowDoubleEscaping attribute of the requestFiltering element to true.

+2
source

Bulk changes at the application or machine level were unacceptable to me. I had only one parameter that the client sent incorrectly, which I needed to clear.

, html , context.Request.RawUrl , , context.RewritePath(scrubbedUrl).

  • , , context.Request.RawUrl
  • RawUrl
  • context.RewritePath(srubbedUrl)
  • Profit

, context.Request.Params[], , ( ) , Params, .

+2

- DWORD 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\VerificationCompatibility

web.config allowDoubleEscaping requestFiltering true.

+1

, , validateRequest = "false", requestValidationMode = "2.0", . .

<system.web>
  <httpRuntime requestValidationMode="2.0" />
  ...
  <pages ... validateRequest="false" />
</system.web>
+1

<httpModules>
  <clear />
</httpModule>

. , , , .

, ASP.NET 2.0 

<httpModules>
     <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
     <add name="Session" type="System.Web.SessionState.SessionStateModule" />
     <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
     <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
     <add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule" />
     <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
     <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
     <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" />
     <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />
     <add name="Profile" type="System.Web.Profile.ProfileModule" />
</httpModules>
0

?

<system.web>
    <pages validateRequest="false">
    </pages>
</system.web>
0

With the .NET Framework 4.5, you can use the property Unvalidatedin HttpRequestor HttpRequestBaseto access the form, request a string and URLs in a way that will not trigger a request check. If you avoid accessing these values ​​in any other way (including in helper methods or other HTTP modules working in the same request), you will not need anything else to avoid checking the request.

0
source

You can set validateRequest to false in the web.config page section. Maybe this works for HttpHandlers too?

-1
source

Source: https://habr.com/ru/post/1699513/

More articles:


All Articles