ASP.NET MVC AntiForgeryToken 的验证问题

发布于 2024-08-17 06:45:55 字数 485 浏览 6 评论 0原文

所以我有一个有趣的问题...我需要让我的 web 应用程序通过 IBM 应用程序扫描设备,然后才能将更改推送到生产环境。我的最新更改包括 ASP.NET MVC 中的 AntiForgeryToken。我测试过的每个浏览器都工作得很好,没有任何问题。但是当设备尝试提交表单时,它会收到验证错误。查看验证令牌,设备正在对帖子上的表单值进行 html 编码,因此字符串不匹配...它们如下所示:

cmiuJRHizXLPvlu9zHKmTwdJiHvq+n87CSJZkixkf/BLHayCPVITJhRCsWWirPWg - 从 cookie 中提取 cmiuJRHizXLPvlu9zHKmTwdJiHvq%2Bn87CSJZkixkf%2FBLHayCPVITJhRCsWWirPWg - 表单值

所以它将 + 转换为 %2B 和 / 转换为 %2F...以前有人见过这个吗?这是客户端浏览器的问题吗? AntiForgeryToken 是否会生成一个没有特殊字符的字符串,以便我可以通过此扫描获取我的应用程序?谢谢!

So I have an interesting problem... I'm required to get my webapp to pass through an IBM app scanning appliance before I can push my changes to production. My latest changes include the AntiForgeryToken in ASP.NET MVC. Every browser I've tested this on works just fine, no issues. But when the appliance tries to submit the form, it gets a validation error. Looking at the verification token, the appliance is doing an html encode on the form value on the post, so the strings don't match up... this is what they look like:

cmiuJRHizXLPvlu9zHKmTwdJiHvq+n87CSJZkixkf/BLHayCPVITJhRCsWWirPWg - pulled from the cookie
cmiuJRHizXLPvlu9zHKmTwdJiHvq%2Bn87CSJZkixkf%2FBLHayCPVITJhRCsWWirPWg - form value

So it's translating + to %2B and / to %2F... has anyone seen this before? Is this an issue for client browsers? And is there have AntiForgeryToken generate a string that has no special characters so I can get my app through this scan? Thanks!

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

梦毁影碎の 2024-08-24 06:45:55

查看 MVC 代码,它似乎使用 RNGCryptoServiceProvider 来创建令牌。有趣的是,他们有一种方法可以替换对 cookie 名称不安全的字符(基本上是您在问题中指出的“+”和“/”),但它被标记为私有,我看不到它在哪里使用。

不幸的是,您无法从 AntiForgeryData 类派生自己的类,因为它是密封的。这是非常可悲的,因为这是你的问题的明显解决方案。

您可以基于 MVC 代码创建一个新属性并自行使用安全方法。它将违反 DRY,但自从 Microsoft 密封了该类以来,我没有找到解决方法。

Looking at the MVC code it appears that its using the RNGCryptoServiceProvider to create the token. Interestingly they have a method which replaces characters that are unsafe for cookie names (basically the "+" and "/" as you indicated in your question) but it is marked as private and I don't see where it gets used.

Unfortunately you cannot derive your own class from AntiForgeryData class because it is sealed. This is very sad because it was the obvious solution to your question.

You could possibly create a new attribute based on the MVC code and utilize the safety method yourself. It will violate DRY but I dont see a way around that since Microsoft sealed the class.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文