Re: Error
From: Jeff (jeff@kavera.com)
Date: 04/22/03
From: "Jeff" <jeff@kavera.com> Date: Tue, 22 Apr 2003 10:54:01 -0700
A one line is not too hard.. sure and is this the same one
line you were talking about here:
"You should double check the decision of disabling this as
it's usually not a good idea"
I am not trying to dog you but what I am hearing is:
1. This is an important security feature that should not
be disabled.
2. "It is no big deal, just one line to change in config
and you can run 1.1"
We are an established software company with real customers
and real products, the decision to disable any security
feature is a major decision. We need to know exactly what
we face. It seems to me this is here for a reason, and
turning it off leaves our customers vulnerable to attack.
Yet leaving it on forces us to rewrite code that is
harmless just because this feature seems to be too broad
in what it filters and needs to be fixed.
So the bottom line is:
1. Risk customer attack (never)
2. Stay on 1.0
3. Rewrite tons of code.
I regret my choice for .NET now, this was not going to be
a MS effort and I pushed .NET. When the UNIX folks get
wind of this they will laugh and say "Ya dot.net only runs
if you turn off all the security". What a mistake.
>-----Original Message-----
>> This is a feature?
>Sure it is.
>
>> In our case we are storing a one
>> element xml chunk in a control and we are supposed to
>> disable a whole security level to do it?
>You're supposed to add a one line entry to your config file if you want to
>disable this feature, I don't think this is too hard.
>
>> Talk about overkill.
>I don't see anything overkill here.
>
>> How about try again for a better
>> answer? Like how do we edit the list of things it should
>> check?
>There is no list to edit. I could paste the docs here but I don't see much
>sense in doing so. You could take a look at ASP.NET 1.1 docs to find out how
>this feature works, it's really pretty simple.
>
>--
>Victor Garcia Aprea
>Microsoft MVP | ASP.NET
>
>>
>> >-----Original Message-----
>> >It's a new feature in ASP.NET v1.1, targeted to prevent cross-site scripting
>> >attacks. It's enabled by default and that's why your site stopped working.
>> >Basically what it does is to examine the Forms, QueryString and Cookies
>> >collection for content considered dangerous (ie. <script> tags, etc), if any
>> >of these collections contain an item with "dangerous" data, an exception is
>> >thrown and the request is aborted. It seems like the data you're posting
>> >contains content considered "dangerous" by ASP.NET and that is why it's
>> >aborting the request.
>> >
>> >--
>> >Victor Garcia Aprea
>> >Microsoft MVP | ASP.NET
>> >
>> >"Ashok" <abc@newsgroup.com> wrote in message
>> >news:O9DUCetADHA.3208@TK2MSFTNGP11.phx.gbl...
>> >> Thanks for your reply. Can you please explain more on this.
>> >> Client request (vb app) had a POST with query string parameters and was
>> >> working with .Net framework 1.0.
>> >> Stopped working when I upgraded to 1.1.
>> >>
>> >> "Victor Garcia Aprea [MVP]" <vga@NOobiesSPAM.com> wrote in message
>> >> news:egPpZJtADHA.33548@TK2MSFTNGP10.phx.gbl...
>> >> > Hi Ashok,
>> >> >
>> >> > You can disable this at the Page level by setting the RequestValidate
>> >> > attribute of the Page directive to false, ie:
>> >> > <%@ Page ValidateRequest="false" %>
>> >> >
>> >> > or at the application level by setting the RequestValidate attribute of the
>> >> > pages element to false, ie:
>> >> >
>> >> > <pages validateRequest="false" />
>> >> >
>> >> > You should double check the decision of disabling this as it's usually not a
>> >> > good idea,
>> >> >
>> >> > --
>> >> > Victor Garcia Aprea
>> >> > Microsoft MVP | ASP.NET
>> >> >
>> >> > "Ashok" <abc@newsgroup.com> wrote in message
>> >> > news:#1dSuDtADHA.3144@TK2MSFTNGP11.phx.gbl...
>> >> > > I get following error on server when I am trying to write file to request
>> >> > > stream from client. Please help
>> >> > >
>> >> > > {System.Web.HttpRequestValidationException}
>> >> > > [System.Web.HttpRequestValidationException]:
>> >> > > {System.Web.HttpRequestValidationException}
>> >> > > HelpLink: Nothing
>> >> > > InnerException: Nothing
>> >> > > Message: "A potentially dangerous Request.Form value was detected from the client (?<?xml version="...="yes"?>
>> >> > > <myroot>)."
>> >> > > Source: "System.Web"
>> >> > > StackTrace: " at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
>> >> > > at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
>> >> > > at System.Web.HttpRequest.get_Form()
>> >> > > at System.Web.UI.Page.GetCollectionBasedOnMethod()
>> >> > > at System.Web.UI.Page.DeterminePostBackMode()
>> >> > > at System.Web.UI.Page.ProcessRequestMain()
>> >> > > at System.Web.UI.Page.ProcessRequest()
>> >> > > at System.Web.UI.Page.ProcessRequest(HttpContext context)
>> >> > > at System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
>> >> > > at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)"
>> >> > > TargetSite: {System.Reflection.RuntimeMethodInfo}
>> >> > >
>> >> > > thanks
>> >> > >
>> >> > >
>> >> > >
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>> >.
>> >
>
>
>.
>
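
For the case discussed in this thread (one page that has to accept an XML chunk), the following is an added example, not code from any poster or from Microsoft: request validation stays on for the application and is switched off only for the one page, which then checks and encodes the value itself. The page name `XmlUpload.aspx`, the form field `payload` and the length limit are assumptions.

```csharp
// Added example. XmlUpload.aspx, the "payload" field and MaxLength are assumptions.
// web.config keeps validateRequest on application-wide and turns it off
// for this one page only:
//   <location path="XmlUpload.aspx">
//     <system.web>
//       <pages validateRequest="false" />
//     </system.web>
//   </location>
using System;
using System.Web;
using System.Web.UI;
using System.Xml;

public class XmlUpload : Page
{
    private const int MaxLength = 4096; // constructed limit for this sample

    protected void Page_Load(object sender, EventArgs e)
    {
        // Built-in validation is off for this page, so the page owns the checks.
        string raw = Request.Form["payload"];
        if (raw == null || raw.Length > MaxLength)
        {
            Reject("missing or oversized payload");
            return;
        }
        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null; // never fetch external DTDs or entities
        try { doc.LoadXml(raw); }
        catch (XmlException)
        {
            Reject("payload is not well-formed XML");
            return;
        }
        if (doc.DocumentElement.Name != "myroot") // root name seen in the error above
        {
            Reject("unexpected root element");
            return;
        }
        // Encode on output so any markup in the value is rendered as text.
        Response.Write(HttpUtility.HtmlEncode(doc.DocumentElement.InnerText));
    }

    private void Reject(string reason)
    {
        Response.StatusCode = 400;
        Response.Write(HttpUtility.HtmlEncode(reason));
    }
}
```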