
Canceling request validation using HttpHandler on IIS 7

I have an application that has to deal with getting "special" characters in its URL (like &, +, %, etc.). When I send a request to the application using these characters (of course I'm sending them escaped), I get a "Bad Request" response code with the message "ASP.NET detected invalid characters in the URL". Tracing the request showed me that the error was thrown from the "Authentication Module".

I've searched a bit and found that every page has a ValidateRequest setting, and changing its value to false solves the problem. Unfortunately, I'm using an HttpHandler. Does anyone know how to stop the request validation when using an HTTP handler?

I had the same problem and got it working by setting validateRequest="false" as well as requestValidationMode="2.0", like below. No registry edits.

<system.web>
  <httpRuntime requestValidationMode="2.0" />
  ...
  <pages ... validateRequest="false" />
</system.web>

I ran into the same problem (creating an IHttpHandler that needed to receive requests with special characters in the URL). I had to do two things to fix it:

  1. Create the following DWORD registration entry with a value of 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\VerificationCompatibility

  2. In the web.config, set the allowDoubleEscaping attribute of the requestFiltering element to true.

Wholesale changes at the application or machine level were not acceptable to me. I only had one parameter that a client was sending incorrectly that I needed to scrub.

I found that when a request is made with HTML or other potentially dangerous items in the query string, you can scrub the string by using the context.Request.RawUrl and, once the query string is scrubbed, use context.RewritePath(scrubbedUrl).

  1. First thing in the handler, get the context.Request.RawUrl
  2. Scrub the bad request RawUrl for bad input
  3. context.RewritePath(scrubbedUrl)
  4. Profit

It seems like request validation only cares about accessing context.Request.Params[], so if you scrub and rewrite path (to the same path) before the Params collection is accessed, you're golden.

The solution below worked for me: create the following DWORD registration entry with a value of 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\VerificationCompatibility

In the web.config, set the allowDoubleEscaping attribute of the requestFiltering element to true.

You can remove all the modules with

<httpModules>
  <clear />
</httpModules>

to make the request get to your handler. Or maybe you can remove the specific modules that are stopping your request.

This is the list of modules loaded by default in ASP.NET 2.0 from here

<httpModules>
     <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
     <add name="Session" type="System.Web.SessionState.SessionStateModule" />
     <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
     <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
     <add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule" />
     <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
     <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
     <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" />
     <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />
     <add name="Profile" type="System.Web.Profile.ProfileModule" />
</httpModules>

How about this?

<system.web>
    <pages validateRequest="false">
    </pages>
</system.web>

Since .NET Framework 4.5, you can use the Unvalidated property on HttpRequest or HttpRequestBase to access form, query string and URL data in a way that will not trigger request validation. If you avoid accessing these values in any other way (including in helper methods or other HTTP modules running in the same request), you will not require anything else to avoid request validation.
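
A handler that follows the approach in the answer above, as an added example (not code from the original answers): it reads one query string value through Request.Unvalidated and then applies its own allowlist and output encoding, so request validation stays on for everything else. The class name, the `q` parameter and the allowlist are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical handler; the class name and the "q" parameter are assumptions.
public class SearchHandler : IHttpHandler
{
    // Allowlist for the one parameter read without request validation:
    // letters, digits, space and the characters & + % the client may send.
    private static readonly Regex Allowed =
        new Regex(@"\A[A-Za-z0-9 &+%]{1,100}\z", RegexOptions.CultureInvariant);

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Unvalidated.QueryString does not trigger request validation.
        // Request.QueryString, Request.Params and Request["q"] still do,
        // so this handler must not touch them for this value.
        string raw = context.Request.Unvalidated.QueryString["q"];

        string q;
        if (!TryAccept(raw, out q))
        {
            context.Response.StatusCode = 400;
            context.Response.ContentType = "text/plain";
            context.Response.Write("Invalid q parameter.");
            return;
        }

        // Encode on output: the value skipped ASP.NET's check, so it must
        // never reach HTML unencoded.
        context.Response.ContentType = "text/html";
        context.Response.Write("<p>Query: " + HttpUtility.HtmlEncode(q) + "</p>");
    }

    // The handler's own check for this one value, in place of request
    // validation; a missing or out-of-policy value is rejected.
    internal static bool TryAccept(string raw, out string value)
    {
        value = null;
        if (raw == null || !Allowed.IsMatch(raw)) return false;
        value = raw;
        return true;
    }
}
```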

You can set validateRequest to false in the pages section of the web.config. Maybe that works for HttpHandlers as well?
