A potentially dangerous Request.Path value.... contains only alphanumerics and an underscore?

Problem description

I'm aware of the normal causes of this issue, but what's wrong with this URL?

http://res02.img.mem.com/individual/assets/2/2/7/1/2291722/20081027_112706_07.jpg?width=100

Most of the time the request seems to execute correctly, but every several hours, the server logs a handful (1-3) of these errors and starts returning a 503 error with each request.

I wouldn't mind the warnings, but it's chronologically coinciding with the server crashing. The application is extremely simple, just returning and resizing images from a SAN. Another server with the same software works properly. (and said software powers thousands of other websites, many running on server farms).

The difference is that this server has FNCMode=2 to prevent ASP.NET from spawning millions of FileSystemWatchers across the network to monitor the SAN that the app (and images) reside on. (To avoid the BIOS Command Limit reached errors).

I've even analyzed a crash dump with WinDbg and SOS to no avail.

Ideas? I know I'm presenting potentially two separate issues here, but they are chronologically related.

A potentially dangerous Request.Path value was detected from the client (?).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

Request information: 
    Request URL: http://res02.img.mem.com/individual/assets/2/2/7/1/2291722/20081027_112706_07.jpg?width=100 
    Request Path: /individual/assets/2/2/7/1/2291722/20081027_112706_07.jpg?width=100
    User host address: 174.37.137.143 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: IIS APPPOOL\ASP.NET v4.0 

Thread information: 
    Thread ID: 32 
    Thread account name: IIS APPPOOL\ASP.NET v4.0 
    Is impersonating: False 
    Stack trace:    at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)


Recommended answer

It turns out the issues were unconnected. A handful of request URLs had URL-encoded the question mark, causing it to be parsed as part of the path instead of the querystring. After URL decoding, the request was caught by request validation.

The crashing issue seems to be due to an IIS threading bug, but we're still debugging that with MS.
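
The parsing difference described in the answer, as an added example that is not part of the original post: it splits a request target on the first literal `?`, percent-decodes only the path, and checks the result against ASP.NET 4's default `requestPathInvalidCharacters` list. The function names and the sample targets are constructed for illustration.

```python
from urllib.parse import unquote

# Default <httpRuntime requestPathInvalidCharacters="..."> list in ASP.NET 4:
# < > * % & : \ ?
INVALID_PATH_CHARS = set('<>*%&:\\?')


def split_target(raw_target):
    """Split on the first literal '?', then percent-decode only the path.

    An encoded '%3F' is not a delimiter, so it stays in the path and turns
    into a real '?' once the path is decoded.
    """
    raw_path, _, query = raw_target.partition('?')
    return unquote(raw_path), query


def path_violations(raw_target):
    """Characters in the decoded path that path validation rejects."""
    path, _ = split_target(raw_target)
    found = []
    for ch in path:
        if ch in INVALID_PATH_CHARS and ch not in found:
            found.append(ch)
    return found


def triage(raw_targets):
    """Return (target, decoded_path, offending_chars) for rejected requests."""
    hits = []
    for target in raw_targets:
        bad = path_violations(target)
        if bad:
            hits.append((target, split_target(target)[0], bad))
    return hits


# Constructed request targets based on the URL in the question.
BASE = '/individual/assets/2/2/7/1/2291722/20081027_112706_07.jpg'
SAMPLES = [
    BASE + '?width=100',     # literal '?': query string, path is clean
    BASE + '%3Fwidth=100',   # encoded '?': becomes part of the path
    BASE + '%3fwidth=100',   # lowercase hex decodes the same way
]

if __name__ == '__main__':
    for target, path, bad in triage(SAMPLES):
        print(f'rejected: {target}\n  decoded path: {path}\n  offending: {bad}')
```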
