“潜在危险请求表”通用处理程序中的异常
我以前见过这个错误,但似乎无法解决它。在本例中,我有一个 ASHX 页面,它输出一个简单的 HTML 表单,其中包含一个可以在其中发布 XML 的文本框。当我尝试阅读表单时,我收到“潜在危险的 Request.Form 值...”。
由于它是通用处理程序,因此“ValidateRequest”属性不可用。但是我已经在 web.config 中定义了这个:
<location path="xml/MyGenericHandler.ashx">
<system.web>
<pages validateRequest="false" />
</system.web>
</location>
此代码段早于从 .NET 3.5 到 4.0 的迁移,所以我猜测这就是损坏的根源。
知道如何解决 ASHX 页面的此错误吗?
I've seen this error before but cannot seem to get around it. In this case, I have an ASHX page spitting out a simple HTML form with a textbox into which XML may be posted. When I try to read the form, I receive the "A potentially dangerous Request.Form value...".
Since it's a generic handler the "ValidateRequest" attribute isn't available. However I already had this defined in web.config:
<location path="xml/MyGenericHandler.ashx">
<system.web>
<pages validateRequest="false" />
</system.web>
</location>
This snippet predates a move from .NET 3.5 to 4.0 so I'm guessing that's where the breakage originated.
Any idea how to get around this error for ASHX pages?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
3.5-4.0 的变化让您感到震惊的是 ASP.NET 4.0 的一些增强的运行时安全功能。快速解决方法是应用以下属性:
不幸的是,这会打开 2.0 请求验证之前的所有页面,因此只有在攻击面相对较小的情况下我才会这样做。
The 3.5-4.0 change that clipped you was some stepped up runtime security features for ASP.NET 4.0. The quick fix is to apply the following attribute:
Unfortunately, that opens all pages up to 2.0 request validation, so I'd only do this if you've got a relatively small attack surface.
虽然不是直接回答您的问题,但我建议您阅读之前的文章。它确实为您提供了一种确保不引发错误的方法。从某种意义上说,这是一种冒险的方式,因为这意味着关闭基本保护。然而,答案是有充分理由的,并且它明确指出,只有当您绝对确定正在对所有输出进行编码时才应该实现它。
检测到潜在危险的 Request.Form 值客户端
作为旁注,我还建议使用 Microsoft Anti-Xss 库 而不是内置的 Server.HtmlEncode 函数。
但是,如果您可以修改 ashx,则更简单的解决方案是仅修改错误代码并添加“if”语句,以便在错误消息包含您要过滤的字符串时不记录错误。
While not a direct answer to your question, I would say to read this previous post. it does give you a way to ensure that the error is not thrown. It's a risky way in one sense, because it means turning off a basic protection. However, the answer is well-reasoned, and the it clearly states that you should only implement it when you're absolutely sure you're encoding all output.
A potentially dangerous Request.Form value was detected from the client
As a side note, I would also recommend using the Microsoft Anti-Xss Library rather than the built in Server.HtmlEncode functions.
However, if you can modify the ashx, a simpler solution would be to just modify the error code and add an "if" statement to not log errors if the error message contains the string you want to filter.
您最好仅对处理程序页面禁用验证:
或者在处理程序中使用此属性以避免触发异常:
You'd better disable validation for you handler page only:
Or use this property from within your handler to avoid triggering the exception: