A potentially dangerous Request.Path value was detected from the client

Posted on 2024-12-01 14:47:30

I am at a complete loss for why I am getting this error. The typical cause of this error has to do with trying to submit HTML markup into a text string or something similar but I'm not doing anything like that. The page I think this is happening on takes in a simple email address.

Here is my model with validation...

public class Subscriber
{
    [Key]
    [DisplayName("Email Address")]
    [Required(ErrorMessage = "{0} is required")]
    [RegularExpression(@"^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})$", ErrorMessage = "{0} must be a valid email address")]
    public string EmailAddress { get; set; }

    public Guid UnsubscribeKey { get; set; }
}

Here are my script references because the error seems to be in the Scripts directory...

<script src="@Url.Content("~/Scripts/jquery-1.5.2.min.js")" type="text/javascript"></script>

<script src="@Url.Content("~/Scripts/jquery.validate.min.js")" type="text/javascript"></script>
<script src="@Url.Content("~/Scripts/jquery.validate.unobtrusive.min.js")" type="text/javascript"></script>
<script src="@Url.Content("~/Scripts/jquery.unobtrusive-ajax.min.js")" type="text/javascript"></script>

<script src="@Url.Content("~/Scripts/modernizr-1.7.min.js")" type="text/javascript"></script>

My best guess is that someone is maliciously entering some invalid script into the email address, but I'm not seeing any errors in Elmah or CodeSmith Insight that point to any of my code. I can't even figure out where exactly this is happening.

And here are the errors...

A potentially dangerous Request.Path value was detected from the client (:). (/NewsList/Scripts/,data:c,complete:function(a,b,c){c=a.responseText,a.isResolved()&&(a.done(function(a){c=a}),i.html(g)

System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (:).
at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
at System.Web.HttpApplication+PipelineStepManager.ValidateHelper(HttpContext context)

Illegal characters in path.

System.ArgumentException: Illegal characters in path.
at System.IO.Path.CheckInvalidPathChars(String path)
at System.Security.Permissions.FileIOPermission.HasIllegalCharacters(String[] str)
at System.Security.Permissions.FileIOPermission.AddPathList(FileIOPermissionAccess access, AccessControlActions control, String[] pathListOrig, Boolean checkForDuplicates, Boolean needFullPath, Boolean copyPathList)
at System.Security.Permissions.FileIOPermission..ctor(FileIOPermissionAccess access, String path)
at System.Web.InternalSecurityPermissions.PathDiscovery(String path)
at System.Web.HttpRequest.get_PhysicalPath()
at WebsitePanel.IIsModules.SecureFolders.context_OnEnter(Object sender, EventArgs e)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

at System.IO.Path.CheckInvalidPathChars(String path)
at System.Security.Permissions.FileIOPermission.HasIllegalCharacters(String[] str)
at System.Security.Permissions.FileIOPermission.AddPathList(FileIOPermissionAccess access, AccessControlActions control, String[] pathListOrig, Boolean checkForDuplicates, Boolean needFullPath, Boolean copyPathList)
at System.Security.Permissions.FileIOPermission..ctor(FileIOPermissionAccess access, String path)
at System.Web.InternalSecurityPermissions.PathDiscovery(String path)
at System.Web.HttpRequest.get_PhysicalPath()
at WebsitePanel.IIsModules.SecureFolders.context_OnEnter(Object sender, EventArgs e)
at System.Web.HttpApplication+SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

UPDATE - POSSIBLY RESOLVED
After racking my brain more on this I saw "WebsitePanel.IIsModules.SecureFolders" in the stack trace and that jarred my memory. I remember seeing something about secure folders on my hosting provider. This feature is buried in their control panel which would make sense based on the method. I emailed them and asked them to disable the module. It hasn't occurred for a few days so I suspect that was it.


Comments (3)

千年*琉璃梦 2024-12-08 14:47:31

Looks like you are not validating the email address before it is submitted on the client side. You can use the below code to validate the email address. At the same time, set a maxlength attribute on email input fields.

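function validateEmail(email)
{
    // Pattern accepts a dotted or quoted local part, then a bracketed IPv4 literal or a domain name
    var re = /^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
    // match() returns null (falsy) when the address does not fit the pattern
    return email.match(re);
}

if (!validateEmail($("#emailAddress").val())) {
    alert("Invalid email address");
}
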
吃素的狼 2024-12-08 14:47:31

ASP.NET MVC already has a DataType attribute. You can use this instead of a regular expression.

public class Subscriber
{
    [Key]
    [DisplayName("Email Address")]
    [Required(ErrorMessage = "{0} is required")]
    [DataType(DataType.EmailAddress)]
    public string EmailAddress { get; set; }

    public Guid UnsubscribeKey { get; set; }
}
你曾走过我的故事 2024-12-08 14:47:30

As the exception says, there are illegal characters in the request path; more specifically, the colon character (:) is not OK = "A potentially dangerous Request.Path value was detected from the client (:)."

Your request seems to contain:

"(/NewsList/Scripts/,data:c,complete:function(a,b,c){c=a.responseText,a.isResolved()&&(a.done(function(a){c=a}),i.html(g"


A potentially dangerous Request.Path value was detected from the client (:). (/NewsList/Scripts/,data:c,complete:function(a,b,c){c=a.responseText,a.isResolved()&&(a.done(function(a){c=a}),i.html(g)

System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (:). at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication+PipelineStepManager.ValidateHelper(HttpContext context)

Illegal characters in path.
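
An added example, not part of the original thread or of ASP.NET itself: a log-triage sketch that applies ASP.NET 4's default `requestPathInvalidCharacters` list (`<,>,*,%,&,:,\,?`) to request paths, including the one from the error above. The function names, the third sample path and the script-source heuristic are assumptions made for sorting rejected requests in an error log, not framework behaviour.

```javascript
// Default <httpRuntime requestPathInvalidCharacters="..."> list in ASP.NET 4.
const REQUEST_PATH_INVALID_CHARS = ['<', '>', '*', '%', '&', ':', '\\', '?'];

// Distinct blocked characters present in a decoded request path,
// in order of first appearance.
function blockedCharsIn(path) {
  const found = [];
  for (const ch of path) {
    if (REQUEST_PATH_INVALID_CHARS.includes(ch) && !found.includes(ch)) {
      found.push(ch);
    }
  }
  return found;
}

// Hypothetical heuristic (an assumption of this example): the path looks like
// a fragment of JavaScript source that a client requested as if it were a URL.
function looksLikeScriptSource(path) {
  return /function\s*\(|\)\s*\{|&&|\|\|/.test(path);
}

// Classify each path so real input-validation hits stand out from noise.
function triage(paths) {
  return paths.map((path) => {
    const blocked = blockedCharsIn(path);
    let verdict = 'allowed';
    if (blocked.length > 0) {
      verdict = looksLikeScriptSource(path)
        ? 'rejected: script source requested as URL'
        : 'rejected: other';
    }
    return { path, firstBlocked: blocked[0] || null, blocked, verdict };
  });
}

const SAMPLE_PATHS = [
  // A normal script reference from the question.
  '/NewsList/Scripts/jquery-1.5.2.min.js',
  // The path quoted in the error message on this page.
  '/NewsList/Scripts/,data:c,complete:function(a,b,c){c=a.responseText,a.isResolved()&&(a.done(function(a){c=a}),i.html(g',
  // Constructed sample: markup placed in a path segment.
  '/NewsList/Subscribe/<b>',
];

for (const row of triage(SAMPLE_PATHS)) {
  console.log(row.verdict, JSON.stringify(row.blocked), row.path.slice(0, 60));
}
```

For the path from the error, the first blocked character is `:`, which is the character the exception message names; the `&` later in the same path is on the default list as well.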

