Strange error in a .NET application - RijndaelManaged
During a recent load test, I've been getting some strange "Index Out of Range Exception"
Stack trace:
at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo)
at System.Web.UI.Page.DecryptString(String s)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
We are not using a farm or cluster, and I am not using any cryptography in the app.
It appears that this is happening in the behind the scenes .Net classes.
I figure this has something to do with viewstate, but I can't find out why this is being thrown.
Any Ideas?
Comments (2)
If someone initiates a post, the application starts sending the post with all 500KBs of viewstate. Halfway through postback, the user gets bored and clicks something else. The browser cuts off the postback with just part of the viewstate. The server throws an error that says the viewstate is borked. I would guess this is a 2.0 application with the viewstate encryption feature turned on. The solution is to manage viewstate size more aggressively.
Event validation exceptions are more likely to happen when a malicious user is crafting a custom postback response, so I don't think event validation is involved here.
Just a guess: have you disabled EventValidation on the site? Sounds like something is trying to create a manual postback or otherwise insert data directly into the HTTP request's post data, and isn't calculating the correct value for the viewstate field. This in turn causes the decryption to fail spectacularly.
With EventValidation turned on you'll get an exception even if they calculate everything correctly, but at least it's a meaningful exception.
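The two comments above give different explanations (a postback cut off mid-upload versus a hand-built request with a bad `__VIEWSTATE` value). The following is an added example, not code from this thread or from ASP.NET, showing one way to tell them apart when triaging failed requests. It assumes you have logged each failing request's declared Content-Length and the raw body bytes that arrived; `classify_postback` and `sample_body` are hypothetical names and the sample bodies are constructed.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode


def classify_postback(declared_length, body):
    """Triage one failed postback from its declared Content-Length and received bytes.

    Returns (verdict, decoded_viewstate_size). Hypothetical helper, not an ASP.NET API.
    """
    if len(body) < declared_length:
        # Fewer bytes arrived than the client announced: the upload was cut off.
        return ("truncated-body", 0)
    fields = parse_qs(body.decode("ascii", "replace"), keep_blank_values=True)
    values = fields.get("__VIEWSTATE")
    if not values:
        return ("no-viewstate", 0)
    try:
        raw = base64.b64decode(values[0], validate=True)
    except (binascii.Error, ValueError):
        # Body is complete but the field is not valid base64: a hand-built request.
        return ("malformed-viewstate", 0)
    # Valid base64 only; this says nothing about whether decryption would succeed.
    return ("well-formed", len(raw))


def sample_body(viewstate_text):
    """Constructed form body shaped like a WebForms postback (sample data)."""
    form = {"__EVENTTARGET": "", "__VIEWSTATE": viewstate_text, "txtName": "a"}
    return urlencode(form).encode("ascii")


if __name__ == "__main__":
    good = sample_body(base64.b64encode(bytes(range(256)) * 4).decode("ascii"))
    print(classify_postback(len(good), good))
    print(classify_postback(len(good), good[: len(good) // 2]))
    bad = sample_body("not*base64!")
    print(classify_postback(len(bad), bad))
```

The decoded size in the "well-formed" verdict is also a quick way to see how large the viewstate is on the pages that fail.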