Is It An Acceptable Practice To Enable UnsafeHeaderParsing By Default
Dec 29, 2010
I manage an open source project called Quick and Dirty Feed Parser and the objective of the project is to make it as seamless as possible to consume RSS and Atom feeds in .NET.
One problem I ran into fairly early on in the development of the project was that some of the feeds I was using as test cases (namely the Hacker News RSS feed) used improperly formatted HTTP headers, and the HttpWebRequest class in .NET 1.1 and up promptly throws an "unsafe header" exception whenever you receive one of these headers in a GET request.
This change was added in order to put a stop to split-response attacks that were raising security issues at the time .NET 1.1 was released.
I can enable the "useUnsafeHeader" configuration option programmatically, but it does it across ALL HttpWebRequests in that application's context. I have users who've complained about QD Feed Parser being unable to consume valid feeds, and this header issue is why.
Right now I have my library set up in such a way that developers who use it have to enable unsafe header parsing themselves, although most of them aren't aware that this is the problem and it creates a support overhead for me.
I can simply have Quick and Dirty Feed Parser enable unsafe header parsing by default and force security-conscious users to disable it, but I don't want to open up users who don't know any better to security attacks either.
View 2 Replies
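The two halves of the trade-off described in the question, as an added example that is not Quick and Dirty Feed Parser's code: the AppDomain-wide switch (the programmatic equivalent of `<httpWebRequest useUnsafeHeaderParsing="true" />` under `<system.net><settings>` in app.config), beside a fetch path that keeps the strict default and turns the resulting "unsafe header" failure into a specific, actionable error. The internal type and field names used by reflection are an assumption about the .NET Framework's System.dll (they are not public API), and the user-agent string and command-line switch are invented for illustration.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Configuration;
using System.Reflection;

// Added example; not Quick and Dirty Feed Parser's code. Shows the process-wide
// switch and an opt-in fetch path that leaves the strict default in place.
public static class UnsafeHeaderParsingExample
{
    // Programmatic equivalent of <system.net><settings>
    // <httpWebRequest useUnsafeHeaderParsing="true"/></settings></system.net>.
    // Assumption: the internal type and field names are those of the .NET
    // Framework's System.dll; they are not public API, so this returns false
    // instead of throwing when they are absent. The change applies to every
    // HttpWebRequest in the AppDomain, not to a single request.
    public static bool TrySetUseUnsafeHeaderParsing(bool enable)
    {
        Assembly system = typeof(SettingsSection).Assembly;
        Type internalSettings = system.GetType("System.Net.Configuration.SettingsSectionInternal");
        if (internalSettings == null) return false;

        object instance = internalSettings.InvokeMember("Section",
            BindingFlags.Static | BindingFlags.GetProperty | BindingFlags.NonPublic,
            null, null, new object[0]);
        if (instance == null) return false;

        FieldInfo field = internalSettings.GetField("useUnsafeHeaderParsing",
            BindingFlags.NonPublic | BindingFlags.Instance);
        if (field == null) return false;

        field.SetValue(instance, enable);
        return true;
    }

    // Fetches a feed with the strict default left in place. A malformed response
    // header makes HttpWebRequest throw a WebException whose Status is
    // ServerProtocolViolation; report that as a specific error so the caller can
    // opt in knowingly instead of guessing at a generic failure.
    public static string FetchFeed(Uri feedUri)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(feedUri);
        request.Method = "GET";
        request.UserAgent = "example-feed-client/1.0"; // assumed value
        try
        {
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            using (StreamReader reader = new StreamReader(response.GetResponseStream()))
            {
                return reader.ReadToEnd();
            }
        }
        catch (WebException ex)
        {
            if (ex.Status != WebExceptionStatus.ServerProtocolViolation) throw;
            throw new InvalidOperationException(
                "The server at " + feedUri.Host + " sent a malformed HTTP header; " +
                "either fix the feed or enable useUnsafeHeaderParsing, which applies " +
                "to the whole process.", ex);
        }
    }

    // Usage: the opt-in stays explicit and visible; strict parsing is the default.
    // Invoked as: program [--unsafe-headers] <feed-url>   (switch name assumed)
    public static void Main(string[] args)
    {
        bool allowUnsafe = Array.IndexOf(args, "--unsafe-headers") >= 0;
        if (allowUnsafe && !TrySetUseUnsafeHeaderParsing(true))
            Console.Error.WriteLine("Could not change useUnsafeHeaderParsing on this runtime.");
        Console.WriteLine(FetchFeed(new Uri(args[args.Length - 1])));
    }
}
```

With the flag on, the runtime stops rejecting status lines and headers that break the HTTP grammar (the familiar message is "The server committed a protocol violation. Section=ResponseHeader Detail=CR must be followed by LF"), and that grammar check is exactly what catches the split-response cases the post mentions. Because the setting is global to the AppDomain, a library that flips it silently changes the behaviour of every other HttpWebRequest in the host application; naming the offending host in the error, as above, gives the user the information needed to make that call themselves.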
Similar Messages:
May 27, 2010
I just want to ask what an acceptable size of ViewState per page is. At what level should I start to worry? Is there any objective measurement for ViewState size?
View 6 Replies
Jul 20, 2010
I'm working with a third party vendor at the moment who has supplied an ASP.Net web application. The web app generates around 200 unhandled exceptions per day, which end up as emails in my in-box. Upon investigation it turns out that most of these errors are triggered by the GoogleBot web crawler indexing the site and triggering access to another third party web service, which is rate-limiting the requests. When a request limit is exceeded, the third party web service refuses the request, this results in an unhandled exception in the web server and an HTTP/500 status code. The exception looks like this:
[code]....
The web app developer seems unwilling to handle these errors for reasons I don't really understand. Their approach is to throttle the GoogleBot until the errors stop happening (Google indexes quite aggressively, generating around 5,000 hits per day). While I accept that throttling the GoogleBot would work, it seems like a cop-out to me. I've always considered unhandled exceptions to be bugs. Shouldn't the web app handle these errors? Is it ever acceptable to allow an HTTP/500 to happen? What do the web developers out there think?
View 6 Replies
Jul 9, 2010
a.aspx: 10 user controls ("user-control.ascx")
user-control.ascx: 8 DropDownLists using AccessDataSource to receive data.
It takes 8 seconds until a.aspx is completely loaded, running in a localhost environment.
If I remove all the DropDownList databinding, the speed is acceptable.
I thought the connections to the database are 8 x 10 = 80 times, so it takes a long time.
View 3 Replies
Nov 18, 2010
I have a ASP.NET MVC configuration, and I am building a reportgenerator. I am outputting a JQuery table, so that the user may sort and rearrange it, before fetching it as a PDF. My PDF component is .NET-based, and so I need to send the modified table back to the server via AJAX.
The problem is that the URI can get as large as 100k characters, making the server respond with a status of 414 (Request-URI Too Long). It seems that IIS does not allow URIs greater than some few thousand characters.
I admit that it seems strange to compose a URL that big, so I think I might be missing something. Is there another way to post the data to the server, or maybe possible to solve this in another way?
View 2 Replies
Jan 5, 2010
Is it acceptable to cache an instance of the database connection on application start?
Looking at the MSDN documentation on thread safety, I quote:
Any public static [...] members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
Given that, is it acceptable/safe for code such as this example below:
[code]...
View 1 Replies
Feb 28, 2010
I have the following code snippet :
[Code]....
With code behind :[Code]....
Why do I have to press the "Enable" button twice to enable a disabled ComboBox ?
View 1 Replies
Jan 19, 2011
I am trying to secure very mixed content that is located in an ASP.NET directory. For purposes of this question, it can be ~/MyApp/.
I want all of the content in the directory and its subdirectories restricted to authenticated users. The default.aspx page, though, should be accessible to everyone. This is the web.config in that directory:
[Code]....
Now if you are an unauthenticated user, everything works fine if you request [code]....
The problem occurs in that visitors do not always request "Default.aspx". We have a default document configured so that they get Default.aspx even if they just request "/MyApp". An authenticated user works fine, but an unauthenticated user is directed to the login page.
Now I know that essentially this happens because even though the request for "/MyApp/" will actually end up serving up "/MyApp/Default.aspx", the security system is only checking for "/MyApp/" since that is what I requested. That is then getting the default security for the directory.
How can you configure an exception to allow access when no particular file is requested in the directory?
Is there some dependency between DefaultDocumentModule and UrlAuthorizationModule? In this environment, the UrlAuthorizationModule has been removed and re-added in order to make sure it fires for non-managed requests. I would not expect that to change the order of execution, though, since UrlAuthorizationModule usually goes after DefaultDocument.
A workaround could be to set up the opposite security with the directory being open, and then trying to secure individual files. Because of the (changing) number of files, and extensions, etc, and the fact that you cannot use wildcards in a <location>, this is not really a workable solution for me.
View 1 Replies
Mar 21, 2011
The default ASP.NET Forms Authentication cookie sets its name as ".ASPXAUTH". Notice the first character is a period? Is there a particular reason for this? Like, does this have an impact on domain names or subdomains for the target domain?
Or is it purely some random thing an MS dev person came up with (maybe to help out the ordering of the cookies when they were debugging or something, as text with periods probably gets listed before other strings)?
View 2 Replies
Aug 13, 2010
I have a table that stores songs and plays counter.
Here's the code:
// Increase plays counter once per (track, client IP)
string ip = Request.UserHostAddress;   // address of the TCP peer, not a proxy header
if (!string.IsNullOrEmpty(ip))
{
    // Key scoped to this track and this IP; assigning through the Cache indexer
    // inserts with no expiration, so the entry lives until the runtime evicts it
    if (Cache["plays:" + trackID + ":" + ip] == null)
    {
        tracks.IncreasePlaysCounter(trackID);
        Cache["plays:" + trackID + ":" + ip] = true;
    }
}
I wonder what would be a better practice: store many cache items (like this) or store one item like an ArrayList that would contain the users who already heard that song. Is there any difference?
View 2 Replies
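The two layouts asked about in the post, as an added example rather than the poster's code: one cache entry per (track, IP) beside one entry per track holding the set of IPs, both given an absolute expiration, which the one-line `Cache[key] = true` in the question does not set (without it every pair ever seen stays resident until memory pressure evicts it). `ITrackStore`, its `IncreasePlaysCounter` method and the one-hour window are assumed stand-ins for the poster's `tracks` object.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Caching;

// Added example, not the poster's code. ITrackStore is an assumed stand-in for
// the poster's 'tracks' object.
public interface ITrackStore
{
    void IncreasePlaysCounter(int trackId);
}

public class PlayCounter
{
    private static readonly TimeSpan Window = TimeSpan.FromHours(1); // assumed window
    private static readonly object SetLock = new object();
    private readonly ITrackStore tracks;
    private readonly Cache cache;

    public PlayCounter(ITrackStore tracks, Cache cache)
    {
        this.tracks = tracks;
        this.cache = cache;
    }

    // Layout A: one small entry per (track, ip). Entries expire independently,
    // so a track with many listeners never produces one huge cache item.
    // Returns true when the play was counted, false when this ip already played.
    public bool RecordPlayPerIpEntry(int trackId, string ip)
    {
        if (string.IsNullOrEmpty(ip)) return false;
        string key = "plays:" + trackId + ":" + ip;
        // Cache.Add returns the existing value if the key is already present,
        // so check-and-insert is a single atomic cache operation.
        object existing = cache.Add(key, true, null, DateTime.Now.Add(Window),
            Cache.NoSlidingExpiration, CacheItemPriority.Normal, null);
        if (existing != null) return false;
        tracks.IncreasePlaysCounter(trackId);
        return true;
    }

    // Layout B: one entry per track holding every IP seen in the window.
    // The HashSet is shared by all requests, so it must be locked, and the whole
    // set expires at once (every listener becomes "new" again at the same moment).
    public bool RecordPlayPerTrackSet(int trackId, string ip)
    {
        if (string.IsNullOrEmpty(ip)) return false;
        string key = "plays:" + trackId;
        lock (SetLock)
        {
            HashSet<string> seen = cache[key] as HashSet<string>;
            if (seen == null)
            {
                seen = new HashSet<string>();
                cache.Insert(key, seen, null, DateTime.Now.Add(Window), Cache.NoSlidingExpiration);
            }
            if (!seen.Add(ip)) return false;
        }
        tracks.IncreasePlaysCounter(trackId);
        return true;
    }
}
```

In a page this is used as `new PlayCounter(store, HttpRuntime.Cache).RecordPlayPerIpEntry(trackID, Request.UserHostAddress)`. Either layout counts by IP, and `Request.UserHostAddress` is the TCP peer, so behind a reverse proxy or a shared NAT many users collapse into one address; the cache entry bounds repeat counting from one address, it does not identify a listener.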
Jun 14, 2010
Is the classic way of using include files still the best practice in ASP.NET? Is there a better way in ASP.NET to simulate include files? If not, can someone please provide an example of the .NET way?
View 5 Replies
Sep 16, 2010
I am a beginner of C# programming. I have read a few books about C#.net. But I cannot find some exercises in the books. Someone told me to build up a blog to practice my coding.
But it is a huge task for a beginner. I just want some tasks to have a step by step learning process.
View 3 Replies
Oct 20, 2010
I just noticed that I can save a lot of spacing by not using "as" when declaring variables, in some cases (not sure if this is something new in VS2010). For example:
Dim Name as string = "Bob"
works the same as:
Dim Name = "Bob"
I prefer the latter as some of my type declarations can be very long due to the library I am working with, and omitting the types simplifies the lines and makes them more readable. I am wondering a few things:
1. Do the two methods function at all differently?
2. Is this a bad practice, or generally accepted?
3. Is there a name for this?
View 1 Replies
May 15, 2010
I want to reduce postbacks in one of my application pages and use AJAX instead. I used a WebMethod to do so. I have a static WebMethod that needs to access the session variables and modify them, and on the client side I am calling this method using jQuery. I tried accessing the session as follows:
[WebMethod]
public static void TestWebMethod()
{
[code]...
The values are displayed correctly and it seems to work, but I would like to know if this practice is allowed, as the method is a static method, and I would like to know how it will behave if multiple people access the application. I would also like to know how developers do these kinds of tasks in ASP.NET if this is not the right method.
View 1 Replies
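What "static" does and does not share between users, as an added example that is not the poster's code: a static page method reaches per-user state through `HttpContext.Current.Session` (the `[WebMethod(EnableSession = true)]` attribute is required, otherwise `Session` is null), while a static field on the same class is one value shared by every caller in the process. The page class name, the session key and the method names are assumed.

```csharp
using System;
using System.Threading;
using System.Web;
using System.Web.Services;
using System.Web.SessionState;
using System.Web.UI;

// Added example, not the poster's code. Names are assumed.
public partial class CounterPage : Page
{
    // Shared by every user and every request in the AppDomain: "static" here
    // means process-wide state, which is what the post is worried about.
    private static int sharedVisits;

    // Per-user state. The method being static only means it has no Page
    // instance; HttpContext.Current is bound to the thread serving the current
    // request, so each caller reads and writes their own session. ASP.NET also
    // serializes requests from the same session while session state is
    // read-write, so two clicks from one browser cannot interleave here.
    [WebMethod(EnableSession = true)]
    public static int IncrementSessionVisits()
    {
        HttpSessionState session = HttpContext.Current.Session;
        object current = session["visits"];          // assumed session key
        int visits = current == null ? 0 : (int)current;
        visits++;
        session["visits"] = visits;
        return visits;
    }

    // Process-wide counter. Requests from different sessions run concurrently,
    // so a plain sharedVisits++ can lose updates; Interlocked makes the
    // read-modify-write atomic. Use this shape only for data that really is
    // global, never for anything that belongs to one user.
    [WebMethod]
    public static int IncrementSharedVisits()
    {
        return Interlocked.Increment(ref sharedVisits);
    }
}
```

From jQuery both methods are called the same way (`$.ajax` POST to `CounterPage.aspx/IncrementSessionVisits` with `contentType: "application/json"`), so nothing on the client side distinguishes per-user from shared state; the distinction lives entirely in where the server-side method stores the value.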
Apr 27, 2010
1) All users can browse open web site content.
3) To access the members area users must log in.
4) Users can create, edit/update, delete their own profile/information only.
5) Users can see / view other users' profiles.
6) Admin can browse, create, edit/update, delete any profile.
I found many different ways to implement it, but what is the best practice? Maybe you can point me in the right direction.
Application Web based, MsSQL 2005, .NET 3.5, Server 2003.
View 1 Replies
Feb 19, 2011
vs2010 (express)
.net 4.0
SQL 2008 (express)
MVC 3
C#
Entity Framework
I'm curious as to whether there is a well known way to add a column to a SQL table as a global change in MVC 3.
"Global change" referring to adding a column from database to UI... can someone please outline the fundamental steps.
(i.e., 1. add column in SQL table. 2. update .edmx (replace relative tables) 3. ...)
View 4 Replies
Oct 7, 2010
I just want to know whether variables should be declared in a separate class file or in the same aspx.cs file, i.e. the best practice for declaring variables.
View 3 Replies
Mar 31, 2011
How can I consume a default WCF web service, right out of the box from VS 2010 in a default ASP.NET MVC project right out of the box from VS 2010?
I know how to start up the WCF web service and add the service reference in the ASP.NET MVC project. So what I want to know is exactly what code I shall write in the ASP.NET MVC project?
View 3 Replies
Mar 18, 2010
Is using an include file bad coding practice in ASP.NET? I am aware of master pages, etc., but it seems like in this case an old fashioned include file works best. I have a home page and I have an "all other" page. The all other page is my master page. I place the header include on the master page and at the top of the home page.
<!--#include file="inc/inc_header.aspx"-->
View 11 Replies
Jan 19, 2011
I'm currently using the fantastic DorkNozzle 'framework' for building a very basic blog in .NET. My first "self-taught" script is as follows, and is for solely retrieving SQL results.
<%@ Page Language="C#" MasterPageFile="~/Dorknozzle.master" AutoEventWireup="true" Title="Blog" %>
<%@ Import Namespace = "System.Data.SqlClient" %>
<script runat="server">[code]....
What should I change to perhaps improve my coding style, without going down the MVC line just yet?
View 17 Replies
Feb 25, 2010
I started removing part of a view into a partial so that it could be reused on another view. However, I got stuck because there are some JavaScript functions on the original view that call some of the functions that belong to the partial. It seems wrong to call functions that are defined on the partial from the containing view (and vice-versa). What is the best practice for this situation?
View 3 Replies
Jul 22, 2010
I wrote a schedule app -- in asp.net 3.5 -- used where I work to do all the scheduling, and it actually turned out quite nice. The issue is, you can only schedule one employee at a time. Each job is one row in a database and equals one employee. We have a lot of jobs that involve multiple employees, so it would be much easier to create one entry that schedules 3 employees for the same job. I've looked at a lot of multi-select dropdowns and combo boxes. Here is what I would like some advice on.
If multi-select selects employee numbers 2202, 2403, and 3610, what is the best way to get that into the database? I'm thinking 2202, 2403, and 3610 get put into an array, and use a loop to add each entry into the database. The database stays the same, and when this gets posted, there are three new entries in the database, one for each of the employees. Am I thinking right, or can maybe someone that has done this offer some insight to something that would work better?
View 5 Replies
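The loop-per-employee approach described in the post, written out as an added example (not the poster's app): the posted multi-select values are validated as integers first, then one row per employee is inserted inside a single transaction with every value passed as a parameter, so a schedule for three employees either lands whole or not at all and nothing from the form ever becomes part of the SQL text. The `Jobs` table and its columns are assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not the poster's app. Table and column names are assumed.
public static class ScheduleWriter
{
    // Parses the multi-select's posted value ("2202,2403,3610" is the shape
    // from the post), rejecting anything that is not an integer and dropping
    // duplicates before anything reaches the database.
    public static List<int> ParseEmployeeNumbers(string posted)
    {
        List<int> numbers = new List<int>();
        if (string.IsNullOrEmpty(posted)) return numbers;
        foreach (string part in posted.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int n;
            if (!int.TryParse(part.Trim(), out n))
                throw new ArgumentException("Invalid employee number: " + part);
            if (!numbers.Contains(n)) numbers.Add(n);
        }
        return numbers;
    }

    // Inserts one Jobs row per employee. The SqlTransaction is rolled back by
    // Dispose if Commit is never reached, so a failure on the third employee
    // does not leave the first two scheduled. Returns the number of rows written.
    public static int ScheduleJob(string connectionString, DateTime start, string description,
                                  IEnumerable<int> employeeNumbers)
    {
        int rows = 0;
        using (SqlConnection conn = new SqlConnection(connectionString))
        {
            conn.Open();
            using (SqlTransaction tx = conn.BeginTransaction())
            using (SqlCommand cmd = conn.CreateCommand())
            {
                cmd.Transaction = tx;
                cmd.CommandText =
                    "INSERT INTO Jobs (EmployeeNumber, StartTime, Description) " +
                    "VALUES (@emp, @start, @desc)";
                SqlParameter emp = cmd.Parameters.Add("@emp", SqlDbType.Int);
                cmd.Parameters.Add("@start", SqlDbType.DateTime).Value = start;
                cmd.Parameters.Add("@desc", SqlDbType.NVarChar, 200).Value = description;

                foreach (int number in employeeNumbers)
                {
                    emp.Value = number;   // same command, only the employee changes
                    rows += cmd.ExecuteNonQuery();
                }
                tx.Commit();
            }
        }
        return rows;
    }
}
```

From the page's postback handler this is `ScheduleWriter.ScheduleJob(cs, start, text, ScheduleWriter.ParseEmployeeNumbers(Request.Form["employees"]))`, with the form field name being whatever the chosen multi-select control posts. Keeping the parameter objects and changing only `@emp` per iteration is what makes the loop both cheap and safe: the database sees one statement shape with three different values, not three strings glued together.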
Jul 12, 2010
I am long familiar with using the ASP.NET GridView in ASP.NET forms to display the contents of a DataSet on a web page. What is the best practice for displaying the contents of the DataSet in ASP.NET MVC? I can add the DataSet to my ViewData dictionary in my controller, but I'm unsure of how to display it in the View page.
View 2 Replies
Feb 28, 2010
I want to know what best practice is for accessing settings in config file when you have dev/test/production types.
If you have different config for each type, when you publish an ASP.NET website doesn't the config get copied as well?
View 3 Replies
Apr 20, 2010
I'm using Oracle for my asp.net website. In the website I have 3 different roles. Now do I need to create as many different users in Oracle as roles?
Someone in the team insisted on having as many users in Oracle. But then unnecessarily I have to maintain multiple connection strings in the app.
Like, I have manager / team leader / user roles.
Now the team member insists on having 3 users in Oracle. Then in the DAL I've to check the role and use the corresponding connection string.
This is not very big app, but in all 12-15 aspx pages and some 10 table in oracle to be used only on intranet.
what is best practice for this?
View 2 Replies