Question
I manage a .NET webforms site which has had a strange issue since before I worked here. Every now and then it throws a System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (:) error email.
The error comes from random parts of random pages within the site and the last one I noticed had this entry against the CGI script_name:
SCRIPT_NAME /Scrienu_6 { border-style:none; }.SystemMenu_7 { background-color:
Looking at the rendered code for the page, it looks like a packet has been dropped near the head of the response and it's slicing off the end of the src portion of a script tag down to partway through an inline style block.
<script type="text/javascript" src="../Scripts/DisableTheScreen.js"></script>
<style type="text/css">
.floatingMenu
{
margin-top: 0px;
}
</style>
<link href="../App_Themes/siteTheme/Button.css" type="text/css" rel="stylesheet" />
<link href="../App_Themes/siteTheme/ConfirmBox.css" type="text/css" rel="stylesheet" />
<link href="../App_Themes/siteTheme/DisableBox.css" type="text/css" rel="stylesheet" />
<link href="../App_Themes/siteTheme/Panel.css" type="text/css" rel="stylesheet" />
<link href="../App_Themes/siteTheme/ResizableTextBox.css" type="text/css" rel="stylesheet" />
<link href="../App_Themes/siteTheme/Site.css" type="text/css" rel="stylesheet" />
<link href="../App_Themes/siteTheme/Tabs.css" type="text/css" rel="stylesheet" />
<style type="text/css">
.SystemMenu_0 { background-color:white;visibility:hidden;display:none;position:absolute;left:0px;top:0px; }
.SystemMenu_1 { color:White;font-weight:bold;text-decoration:none; }
.SystemMenu_2 { color:White;font-weight:bold; }
.SystemMenu_3 { }
.SystemMenu_4 { background-color:#004A80; }
.SystemMenu_5 { background-color:#004A80; }
.SystemMenu_6 { border-style:none; }
.SystemMenu_7 { background-color:#004A80; }
So that it winds up slicing a chunk out of the middle, e.g.:
<script type="text/javascript" src="../Scri
enu_6 { border-style:none; }
.SystemMenu_7 { background-color:#004A80; }
I've seen packet drops do fun things with images and unloaded CSS files in the past, but I've never seen them carve bits out of the rendered page content. I've googled the issue quite a bit but have not found anything similar so not sure if I'm even looking for the right problem.
The issue has only fired 22 times in the last 5 months on a fairly high-use system, but it's probably happening more frequently than that since we only see an error if a call back to the server has been borked with characters deemed unsafe by the request validator.
So yeah, just wondering if anyone has any ideas about what I can do or look for to solve this? :)
This behavior was observed in IIS7/Win2k8. It has also reportedly been observed in IIS8/Win2k12 and IIS8/Win8.1. I have seen no evidence of this in IIS6/Win2k3. It was last reported by two different customers of mine around November 2013. Neither of the server environments had VisualStudio installed. .NET Framework 2.0, 3.5, and 4.5[1?] were installed in both server enviros.
I have requested logs and full specs from both customers, and one of them has responded and confirmed that the issue no longer occurs. Therefore I suspect that either an update or hotfix from Msft addressed it, that it was network-related and has been resolved, or that Cthulhu decided to torment somebody else. The other customer has not yet responded.
Surely somebody else besides the OP and these customers must have seen this behavior? It would be nice to find a definitive answer and associate this problem with a known fix if possible. (And you get a sweet 200 pts.. yay!)
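The splice described in the question can be checked mechanically. The following is an added example, not code from the original post. It takes the rendered markup and the rejected path, then finds which character range must have gone missing for a browser to request that path. It relies on two URL-parsing facts: browsers strip tabs and newlines from URLs, and `#` ends the path, which is why the logged SCRIPT_NAME stops at `background-color:`. `PAGE_URL` is an assumed page location and `HTML` is a shortened sample constructed from the question's markup.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample: the question's markup, shortened. PAGE_URL is an assumption.
PAGE_URL = "http://example.test/Pages/Default.aspx"
HTML = (
    '<script type="text/javascript" src="../Scripts/DisableTheScreen.js"></script>\n'
    '<link href="../App_Themes/siteTheme/Site.css" type="text/css" rel="stylesheet" />\n'
    '<style type="text/css">\n'
    '.SystemMenu_5 { background-color:#004A80; }\n'
    '.SystemMenu_6 { border-style:none; }\n'
    '.SystemMenu_7 { background-color:#004A80; }\n'
    '</style>\n'
)
REJECTED = "/Scrienu_6 { border-style:none; }.SystemMenu_7 { background-color:"


def find_splice(html, page_url, rejected_path):
    """Return the character range whose loss from html yields rejected_path, or None."""
    for m in re.finditer(r'(?:src|href)="([^"]*)"', html):
        value, start = m.group(1), m.start(1)
        # Text after the attribute value with tab/CR/LF removed (browsers strip
        # these from URLs), keeping each character's offset in the original html.
        kept = [(i, ch) for i, ch in enumerate(html)
                if i >= m.end(1) and ch not in "\t\r\n"]
        tail = "".join(ch for _, ch in kept)
        for cut in range(len(value), 0, -1):  # longest surviving prefix first
            head = urlsplit(urljoin(page_url, value[:cut])).path
            if not rejected_path.startswith(head):
                continue
            rest = rejected_path[len(head):]
            pos = tail.find(rest) if rest else -1
            if pos < 0:
                continue
            end = pos + len(rest)
            # The path must stop where a URL path stops: '#', '?' or a closing quote.
            if end < len(tail) and tail[end] in '#?"':
                resume = kept[pos][0]
                return {"attribute_value": value, "cut_at": start + cut,
                        "resume_at": resume, "missing": html[start + cut:resume],
                        "terminator": tail[end]}
    return None
```

A match means the rejected request is explained by the page's own markup with a span removed, so the error can be triaged as response corruption rather than hostile input.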
Answer 1:
Does your request URL have any *? This may lead to such a situation.
<system.web>
<httpRuntime requestPathInvalidCharacters="&lt;,&gt;,%,&amp;,:,\,?" />
</system.web>
You can add this to your web.config to get it right.
Answer 2:
It could be the issue of the file uploader that hasn't been managed well.
And other potentially dangerous requests can come through if you are using any editor to upload content. You need to manage this if this is the scenario. You can disable validation on the page where you are using the editor. You can describe the validation mode in web.config like this.
Answer 3:
Add
<pages validateRequest="false"/>
in web.config.
Source: https://stackoverflow.com/questions/18907524/block-of-html-missing-from-rendered-output