当前位置: 文江博客 话题详情

为什么我收到“从客户端检测到潜在危险的 Request.Form 值”?错误?

发布于 2024-11-05 10:45:51 字数 2983 浏览 3 评论 0 原文

我使用“Internet 应用程序”模板创建了一个新的 ASP.NET MVC 3 / .NET Framework 4.0 站点。我使用 Nuget 安装 Windows Azure Web Role (MVC3) 包并然后按照访问控制服务演练设置 Windows Live ID 和 Google 身份验证。

很快,我遇到了“从客户端检测到潜在危险的 Request.Form 值”错误,并按照 Windows Identity Foundation wiki 中的文章尝试解决该问题。不幸的是,我尝试过的任何方法都不起作用,包括:

  • Setting 在根 web.config 和 Views\web.config

  • SampleRequestValidator 从 WIF SDK 复制到项目中并设置 < web.configs 中的 httpRuntime requestValidationType="SampleRequestValidator"/>

我也尝试过这些变体但没有成功。

有什么想法吗?

这是完整的异常:

异常详细信息: System.Web.HttpRequestValidationException:从客户端检测到潜在危险的 Request.Form 值 (wresult=" ")。

描述:请求验证检测到潜在危险的客户端输入值,请求处理已中止。该值可能表明有人试图破坏应用程序的安全性,例如跨站点脚本攻击。要允许页面覆盖应用程序请求验证设置,请将 httpRuntime 配置部分中的 requestValidationMode 属性设置为 requestValidationMode="2.0"。示例:。设置此值后,您可以通过在 Page 指令或 配置部分中设置 validateRequest="false" 来禁用请求验证。但是,强烈建议您的应用程序在这种情况下显式检查所有输入。有关详细信息,请参阅 http://go.microsoft.com/fwlink/?LinkId=153133< /a>.

堆栈跟踪:

[HttpRequestValidationException (0x80004005):从客户端检测到潜在危险的 Request.Form 值 (wresult="")。 ]

System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8755668
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
System.Web.HttpRequest.get_Form() +114
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.IsSignInResponse(HttpRequest request) +75
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request, Boolean onPage) +205
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request) +41
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +117
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75
原文

I've created a new ASP.NET MVC 3 / .NET Framework 4.0 site using the "Internet Application" template. I used Nuget to install the Windows Azure Web Role (MVC3) package and then followed the Access Control Service walkthrough to set up Windows Live ID and Google authentication.

Soon enough, I came across the "A potentially dangerous Request.Form value was detected from the client" error and followed the article in the Windows Identity Foundation wiki to try and resolve it. Unfortunately nothing I've tried works, including:

  • Setting <httpRuntime requestValidationMode="2.0"/> and <pages validateRequest="false"> in both the root web.config and Views\web.config

  • Copying SampleRequestValidator from the WIF SDK into the project and setting <httpRuntime requestValidationType="SampleRequestValidator"/> in both web.configs

I've also tried variations of these without success.

Any ideas?

Here's the complete exception:

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").]

System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8755668
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
System.Web.HttpRequest.get_Form() +114
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.IsSignInResponse(HttpRequest request) +75
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request, Boolean onPage) +205
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request) +41
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +117
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(9

忆伤 2024-11-12 10:45:51

您可以尝试使用 [ValidateInput(false)] 属性(通过将 保留在 <代码> web.config )。

You might try decorating the controller action you are posting to (and the one which throws this exception) with the [ValidateInput(false)] attribute (by leaving <httpRuntime requestValidationMode="2.0"/> in web.config).

回复 原文
红墙和绿瓦 2024-11-12 10:45:51

我也有同样的问题。

这是我的解决方案的一个示例:

 [ValidateInput(false)]

    public ActionResult *YourMethodName*(FormCollection forms)
    {
          // Encoded String
          string EncodedValue = Server.HtmlEncode(forms[*name or index*]);

         // Normal String 
         string value = forms[*name or index*]

         //.... 
    }

您的 webconfig 中不需要任何内容​​。

I had the same problem.

Here is an example of my solution:

 [ValidateInput(false)]

    public ActionResult *YourMethodName*(FormCollection forms)
    {
          // Encoded String
          string EncodedValue = Server.HtmlEncode(forms[*name or index*]);

         // Normal String 
         string value = forms[*name or index*]

         //.... 
    }

You don't need anything in your webconfig.

回复 原文
眼中杀气 2024-11-12 10:45:51

我在这里写了一篇小博客注释:http:// /erikbra.wordpress.com/2012/04/17/wif-saml-token-post-and-requestvalidationmode2-0/。无需关闭请求验证,或为整个站点将其设置为 2.0。

简而言之,您只需将 WIF 回发 SAML 令牌的特定 URL 上的 requestValidationMode 更改为 2.0 模式。这可以通过 web.config 中的元素(有关详细信息,请参阅位置元素(ASP.NET 设置架构))来完成,如下所示:

<location path="WIFHandler">
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
</location>

应用程序中不需要存在“WIFHandler”位置,因为 WIF 将缩短管道在 ASP.NET 尝试处理请求之前,将您重定向到返回 URL(SAML 令牌 POST 的 wctx 参数中的 ru)。

在 web.config 文件的 WIF 配置部分中,确保将“reply”参数与将请求验证模式设置为 2.0 模式的位置相匹配:

<microsoft.identityModel>
    <service>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" 
                      issuer="https://localhost/STS/" 
                      realm="https://localhost/MyApp/"
                      reply="https://localhost/MyApp/WIFHandler/" />

(...)

I wrote a small blog note on this here: http://erikbra.wordpress.com/2012/04/17/wif-saml-token-post-and-requestvalidationmode2-0/. It isn't necessary to turn off request validation, or set it to 2.0 for your entire site.

In short, you only need to alter the requestValidationMode to 2.0 mode on the specific URL that WIF posts back the SAML token to. This can be done with a element (see location Element (ASP.NET Settings Schema) for details) in your web.config, like this:

<location path="WIFHandler">
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
</location>

The “WIFHandler” location does not need to exist in your app, as WIF will shortcut the pipeline before ASP.NET tries to handle the request, and redirect you to the return url (ru in the wctx parameter of the SAML token POST) instead.

In your WIF configuration section of the web.config file, be sure to match the “reply” parameter with the location where you set request validation mode to 2.0 mode:

<microsoft.identityModel>
    <service>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" 
                      issuer="https://localhost/STS/" 
                      realm="https://localhost/MyApp/"
                      reply="https://localhost/MyApp/WIFHandler/" />

(...)
回复 原文
生生漫 2024-11-12 10:45:51

首先 - 缩小它的来源。使用 fiddler 调查哪个字段导致了问题。像这样简单的项目:

First - narrow where this is coming from. Use fiddler to investigate which field is causing the issue. Items as simple as: <s will cause this error when posted without being encoded. Also you may want to decorate your MODEL with the [AllowHtml] attribute and try not to enable 2.0 encoding - its a bit dangerous.

回复 原文
对风讲故事 2024-11-12 10:45:51

将 SampleRequestValidator 从 WIF SDK 复制到项目中并在两个 web.configs 中进行设置

这应该可以修复它。您能验证代码实际上正在执行吗?如果您在请求验证器中放置断点,它会命中吗?

我假设您将 放在 下,对吗?

Copying SampleRequestValidator from the WIF SDK into the project and setting in both web.configs

This should fix it. Can you verify the code is actually executing? If you place a breakpoint in the Request validator, does it hit?

I assume you put <httpRuntime...> under <system.web> right?

回复 原文
难理解 2024-11-12 10:45:51

我在这里没有看到任何答案提到这一点。就这样吧。

除了“[ValidateInput(false)]”之外,在您的 aspx 中,您可能还需要将其添加到您的 <%@Page ...> 中。

<%@ Page ValidateRequest="false">

这将允许在每个页面而不是整个 Web 应用程序上禁用请求验证。

I don't see any answer here mention this. so here it goes.

In addition to the " [ValidateInput(false)]", in your aspx, you might need to add this to your <%@Page ...>

<%@ Page ValidateRequest="false">

This would allow disabling request validation on a per page basis instead of the whole web app.

回复 原文
や三分注定 2024-11-12 10:45:51

我在学习“从 Active Directory 到 Windows Azure 应用程序的单点登录”教程时遇到了这个问题。就我而言,问题是我无意中将 值放置在错误的 部分中我的 web.config 文件(我最初没有注意到这一点,但有一个新的 部分,其路径为“FederationMetadata”,也包含 system.web。)。该值应放置在顶级 部分中。

I came across this problem when walking through the "Single Sign-On from Active Directory to a Windows Azure Application" tutorial. In my case, the problem was that I had inadvertently placed the <httpRuntime ... /> value in the wrong <system.web /> section in my web.config file (I didn't originally notice this, but there's a new <location> section with a path of "FederationMetadata" that also contains system.web.). The value should be placed in the top-level <system.web> section.

回复 原文
柒夜笙歌凉 2024-11-12 10:45:51

乍一看,它看起来像是 Azure Mvc3 库中的一个错误。 MVC 3 公开了特殊的 API,可让您从 Form 集合中检索未经验证的值,但该模块似乎没有使用它们。

At first glance it looks like a bug in the Azure Mvc3 library. MVC 3 exposes special APIs that let you retrieve unvalidated values from the Form collection, but the module does not seem to be using them.

回复 原文
北城孤痞 2024-11-12 10:45:51

我无法找到这不起作用的技术原因。然而,从业务需求的角度来看,这是我的特定解决方案所基于的错误示例,因为它会在访问任何页面之前提示进行身份验证。然而,对主页的访问需要匿名,因此可以使用“登录”按钮。

相反,我找到了满足这些要求的 MVC3 自定义登录示例要求并且有效。

I haven't been able to find the technical reason why this doesn't work. However from a business requirements perspective, this is the wrong sample to base my particular solution on because it prompts for authentication before any pages can be accessed. However access to the home page needs to be anonymous so a "Log On" button can be used.

Instead I found the MVC3 Custom Login Sample that meets these requirements and it works.

回复 原文
~没有更多了~

关于作者

耶耶耶

暂无简介

0 文章
0 评论
25 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

苦中寻乐

文章 0 评论 0

lueluelue

文章 0 评论 0

嗼ふ静

文章 0 评论 0

王权女流氓

文章 0 评论 0

与花如笺

文章 0 评论 0

残酷

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文