Is It An Acceptable Practice To Enable UnsafeHeaderParsing By Default
Dec 29, 2010
I manage an open source project called Quick and Dirty Feed Parser and the objective of the project is to make it as seamless as possible to consume RSS and Atom feeds in .NET.
I ran into fairly early on in the development of the project was that some of the feeds I was using as test cases (namely the Hacker News RSS feed) used improperly formatted HTTP headers, and the HttpWebRequest class in .NET 1.1 and up promptly throws an "unsafe header" exception whenever you receive one of these headers in a GET request.
This change was added in order to put a stop to split-response attacks that were raising security issues at the time .NET 1.1 was released.
I can enable the "useUnsafeHeader" configuration option programmatically, but it does it across ALL HttpWebRequests in that application's context. I have users who've complained about QD Feed Parser being unable to consume valid feeds, and this header issue is why.
Right now I have my library set up in such a way that developers who use it have to enable unsafe header parsing themselves, although most of them aren't aware that this is the problem and it creates a support overhead for me.
I can simply have Quick and Dirty Feed Parser enable unsafe header parsing by default and force security-concious users to disable it, but I don't want to open up users who don't know any better to security attacks either.
just wanna ask what is acceptable size of ViewState per page? What is the level I should start worried. Is there any objective measurement for viewstate size?
I'm working with a third party vendor at the moment who has supplied an ASP.Net web application. The web app generates around 200 unhandled exceptions per day, which end up as emails in my in-box. Upon investigation it turns out that most of these errors are triggered by the GoogleBot web crawler indexing the site and triggering access to another third party web service, which is rate-limiting the requests. When a request limit is exceeded, the third party web service refuses the request, this results in an unhandled exception in the web server and an HTTP/500 status code. The exception looks like this:
[code]....
The web app developer seems unwilling to handle these errors for reasons I don't really understand. Their approach is to throttle the GoogleBot until the errors stop happening (Google indexes quite aggressivley, generating around 5,000 hits per day). While I accept that throttling the GoogleBot would work, it seems like a cop-out to me. I've always considered unhandled exceptions to be bugs. Shouldn't the web app handle these errors? It is ever acceptable to allow an HTTP/500 to happen? What do the web developers out there think?
I have a ASP.NET MVC configuration, and I am building a reportgenerator. I am outputting a JQuery table, so that the user may sort and rearrange it, before fetching it as a PDF. My PDF component is .NET-based, and so I need to send the modified table back to the server via AJAX.
The problem is that the URI can get as large as 100k characters, making the server respond with a status of 414 (Request-URI Too Long). It seems that IIS does not allow URIs greater than some few thousand characters.
I admit that it seems strange to compose a URL that big, so I think I might be missing something. Is there another way to post the data to the server, or maybe possible to solve this in another way?
I am trying to secure very mixed content that is located in an ASP.NET directory. For purposes of this question, it can be ~/MyApp/.
I want all of the content in the directory and its subdirectories restricted to authenticated users. The default.aspx page, though, should be accessible to everyone. This is the web.config in that directory:
[Code]....
Now if you are an unauthenticated user, everything works fine if you request [code]....
The problem occurs in that visitors do not always request "Default.aspx". We have a default document configured so that they get Default.aspx even if they just request "/MyApp". An authenticated user works fine, but an unauthenticated user is directed to the login page.
Now I know that essentially this happens because even though the request for "/MyApp/" will actually end up serving up "/MyApp/Default.aspx", the security system is only checking for "/MyApp/" since that is what I requested. That is then getting the default security for the directory.
How can you configure an exception to allow access when no particular file is requested in the directory??
Is there some dependency between DefaultDocumentModule and UrlAuthorizationModule? In this environment, the UrlAuthorizationModule has been removed and re-added in order to make sure it fires for non-managed requests. I would not expect that to change the order of execution, though, since UrlAuthorizationModule usually goes after DefaultDocument.
A workaround could be to set up the opposite security with the directory being open, and then trying to secure individual files. Because of the (changing) number of files, and extensions, etc, and the fact that you cannot use wildcards in a <location>, this is not really a workable solution for me.
the default ASP.NET Forms Authentication cookie sets it's name as ".ASPXAUTH". Notice the first character is a period? Is there a particular reason for this? Like, does this have an impact on domain names or subdomains for the target domain.
Or is it purely some random thing an MS dev person came up with (maybe to help out the ordering of the cookies, when they were debugging or something .. as text with periods prolly get listed before other strings)?
I have a table that stores songs and plays counter. Here's the code:
//Increse plays counter string ip = Request.UserHostAddress; if (!string.IsNullOrEmpty(ip)) { if (Cache["plays:" + trackID + ":" + ip] == null) { tracks.IncreasePlaysCounter(trackID); Cache["plays:" + trackID + ":" + ip] = true; } }
I wonder what would be a better practice, store many cache items(like this) or store one item like a ArrayList that would contain the users who already heard that song. Is there any difference?
Is the classic way of using include files still the best practice in ASP.NET. IS there a better way in ASP.NET to simulate include files? IF not can someone please provide an example of the .NET way?
I am a beginner of C# programming. I have read a few books about C#.net. But I cannot find some exercises in the books. Someone told me to build up a blog to practice my coding.
But it is a huge task for a beginner. I just want some tasks to have a step by step learning process.
I just noticed that I can save a lot of spacing by not using "as" when declaring variables, in some cases (not sure if this is something new in VS2010). For example:
Dim Name as string = "Bob"
works the same as:
Dim Name = "Bob"
I prefer the latter as some of my type declarations can be very long due to the library I am working with, and omitting the types simplifies the lines and makes them more readable. I am wondering a few things:
1. Do the two methods function at all differently?
I want to reduce postback in one of my application page and use ajax instead. I used the WebMethod to do so.. I have a static WebMethod that needs to access the session variables and modify. and on the client side, i am calling this method using jQuery. I tried accessing the session as follows:
[WebMethod] public static void TestWebMethod() {
[code]...
The values are displayed correctly and seems to work.. but i would like to know if this practice is allowed as the method is a static methods and would like to know how it will behave if multiple people access the application.I would also like to know how developers do these kind of tasks in ASP if this is not the right method.
I'm curious as to whether there is a well known way to add a column to a SQL table as a global change in MVC 3.
"Global change" referring to adding a column from database to UI... can someone please outline the fundamental steps. (i.e., 1. add column in SQL table. 2. update .edmx (replace relative tables) 3. ...)
I just want to know the declaration of variables in a separate class file or declaring in the same aspx.cs file. the best practice of declaring the variables.
How can I consume a default WCF web service, right out of the box from VS 2010 in a default ASP.NET MVC project right out of the box from VS 2010?
I know how to start up the WCF web service and add the service reference in the ASP.NET MVC project. So what I want to know is exactly what code I shall write in the ASP.NET MVC project?
Is using an include file bad coding practice in asp.net? I am aware of master pages, etc. but it seems like in this case an old fashioned include file works best.I have a home page and I have an "all other" page. The all other page is my master page. I place the header include on the master page and at the top of the home page.
I'm currently using the fantastic DorkNozzle 'framework' for building a very basic blog in .NET.My first "self-taught" script is as follows, and is for solely retrieving SQL results.
I started removing part of a view into a partial so that it could be reused on another view. However, I got stuck because there are some JavaScript functions on the original view that call some of the functions that belong to the partial. It seems wrong to call functions that are defined on the partial from the containing view (and vice-versa). What is the best practice for this situation?
I wrote a schedule app -- in asp.net 3.5 -- used where I work to do all the scheduling, and it actually turned out quiet nice. The issue is, you can only schedule one employee at the time.Each job is one row in a database and equals one employee.We have a lot of jobs that involve multiple employees, so it would be much easier to create one entry that schedules 3 employees for the same job.I've looked at a lot of multi-select dropdowns and combo boxes. Here is what I would like some advice on.
If multi-select selects employee numbers 2202, 2403, and 3610...how is the best way to get that into the database?I'm thinking 2202, 2403, and 3610 get put into an array, and use a loop to add each entry into the database. The database stays the same, and when this gets posted, there are three new entries in the database, one for each of the employees.Am I thinking right or can maybe someone that has done this offer some insight to something that would work better?
I am long familiar with using the ASP.net GridView in ASP.net forms to display the contents of DataSet on a web page. What is the best practice for displaying the contents of the DataSet in ASP.net MVC? I can add the DataSet to my DataVew dictionary in my controller, but I'm unsure of how to display it in the View page.
