当前位置: 文江博客话题详情

ASP.NET MVC 忽略内容长度?

发布于 2024-10-08 20:19:31 字数 567 浏览 0 评论 0原文

我在 ASP.NET MVC 中遇到了一些丢失发布数据的问题,这促使我研究 ASP.NET MVC 如何处理无效的内容长度。我原以为 MVC.NET 应该忽略内容长度无效的帖子,但事实似乎并非如此。

作为示例,尝试创建一个新的 ASP.NET MVC 2 Web 应用程序并将此操作添加到 HomeController:

public ActionResult Test(int userID, string text)
{
    return Content("UserID = " + userID + " Text = " + text);
}

尝试创建一个发布到上述操作的简单表单,运行 fiddler 并(使用“Request Builder”)修改原始数据,以便某些表单数据丢失(例如删除文本参数)。在执行请求之前,请记住取消选中“请求生成器”选项下的“修复内容长度标头”复选框,然后在上面的代码上设置断点并执行自定义 http 请求。

我发现该请求比正常情况要长得多(30 秒左右),但令我惊讶的是,控制器操作仍然处理该请求。有谁知道这是否是预期的行为,如果是,您会建议采取什么措施来防止无效的内容长度?

原文

I've been having some problems with missing post data in ASP.NET MVC which has lead me to investigate how ASP.NET MVC deals with invalid content lengths. I had presumed that a post with a invalid content length should be ignored by MVC.NET but this doesn't seem to be the case.

As an example, try creating a new ASP.NET MVC 2 web application and add this action to the HomeController:

public ActionResult Test(int userID, string text)
{
    return Content("UserID = " + userID + " Text = " + text);
}

Try creating a simple form that posts to the above action, run fiddler and (using "Request Builder") modify the raw data so that some of the form data is missing (e.g. remove the text parameter). Before executing the request, remember to un-tick the "Fix Content-Length header" checkbox under the Request Builder options then set a break point on the code above and execute the custom http request.

I find that the request takes a lot longer than normal (30 seconds or so) but to my amazement is still processed by the controllers action. Does anyone know if this is expected behavior and, if so, what would you recommend to safeguard against invalid content-lengths?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

对不⑦ 2024-10-15 20:19:31

ASP.NET 不会忽略 Content-Length 请求标头。考虑以下控制器操作作为示例,它只是回显 foo 参数:

[HttpPost]
public ActionResult Index(string foo)
{
    return Content(foo, "text/plain");
}

现在让我们向它发出一个有效的 POST 请求:

using (var client = new TcpClient("127.0.0.1", 2555))
using (var stream = client.GetStream())
using (var writer = new StreamWriter(stream))
using (var reader = new StreamReader(stream))
{
    writer.Write(
@"POST /home/index HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: localhost:2555
Content-Length: 10
Connection: close

foo=foobar");
    writer.Flush();
    Console.WriteLine(reader.ReadToEnd());
}

正如预期的那样,这将打印响应 HTTP 标头(这并不重要)并在我们有 foobar 主体。现在尝试减少请求的 Content-Length 标头:

POST /home/index HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: localhost:2555
Content-Length: 5
Connection: close

foo=foobar

这会在响应正文中返回单个 f。正如您所看到的,无效的 HTTP 请求可能会导致参数解析不正确。

ASP.NET does not ignore the Content-Length request header. Consider the following controller action as an example which simply echoes back the foo parameter:

[HttpPost]
public ActionResult Index(string foo)
{
    return Content(foo, "text/plain");
}

Now let's make a valid POST request to it:

using (var client = new TcpClient("127.0.0.1", 2555))
using (var stream = client.GetStream())
using (var writer = new StreamWriter(stream))
using (var reader = new StreamReader(stream))
{
    writer.Write(
@"POST /home/index HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: localhost:2555
Content-Length: 10
Connection: close

foo=foobar");
    writer.Flush();
    Console.WriteLine(reader.ReadToEnd());
}

As expected this prints the response HTTP headers (which are not important) and in the body we have foobar. Now try reducing the Content-Length header of the request:

POST /home/index HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: localhost:2555
Content-Length: 5
Connection: close

foo=foobar

Which returns a single f in the response body. So as you can see an invalid HTTP request could lead to incorrect parsing of the parameters.

回复 原文
~没有更多了~

关于作者

疯了

暂无简介

0 文章
0 评论
23 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

金兰素衣

文章 0 评论 0

ゃ人海孤独症

文章 0 评论 0

没有感情的刽子手

文章 0 评论 0

一枫情书

文章 0 评论 0

清晰传感

文章 0 评论 0

mb_XvqQsWhl

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文