Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Strange ValidateInputIfRequiredByConfig error

I'm getting random exception caused by ValidateInputIfRequiredByConfig().

I don't have exact message, since our server is pt-BR, so error message is translated.

I know that this error can be thrown if user puts malicious code in input, ie example. But it's not case here.

I'm getting this one, requesting some images. Below some info from elmah.

HTTP_USER_AGENT:    GbPlugin
PATH_INFO:          /Content/images/BannerWelcome.jpg?1110311762734
PATH_TRANSLATED:    C:\inetpub\wwwroot\Content\images\BannerWelcome.jpg?1110311762734
REQUEST_METHOD:     GET
SCRIPT_NAME:        /Content/images/BannerWelcome.jpg?1110311762734

Application is ASP.NET MVC 3, running on Windows 2008, IIS 7.5

EDIT:

Exception message in pt-BR:

System.Web.HttpException
Um valor possivelmente perigoso Request.Path foi detectado no cliente (?).

System.Web.HttpException (0x80004005): Um valor possivelmente perigoso Request.Path foi detectado no cliente (?).
   em System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   em System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

EDIT:

Exception message in English: "A potentially dangerous value was detected from the client Request.Path"

EDIT 2:

I can't reproduce this error. As I know it is just in request to this image.

like image 204
Zote Avatar asked Nov 14 '11 16:11

Zote


2 Answers

<pages validateRequest="false" />

does not work in MVC3.

1) You have to explicitly put [ValidateRequest(false)] on each controller or action

2) If you use .NET4 this is not sufficient as there is a "bug/feature" in .NET4 which prevent [ValidateInput(false)] to work. You have to also disable requestPathInvalidCharacters,validateRequest and requestFiltering by using requestValidationMode of 2.0 :

<httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="" />
like image 185
Softlion Avatar answered Nov 12 '22 10:11

Softlion


I made three changes to solve this issue:

1)

<system.web>
    <httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="" />
     </system.web>

2)

<system.webServer>      
    <security>  <requestFiltering allowDoubleEscaping="true" /> </security>
    </system.webServer>

3) <pages validateRequest="false" />

like image 22
charles Avatar answered Nov 12 '22 09:11

charles