如何检查是否字符串将触发“检测到有潜在危险的Request.Form值...”错误字符串、检测到、危险、错误
类似于this问题但我不那么在乎什么字会/不会导致错误解雇。我更好奇的是什么方法,我可以打电话,检查自己,如果当前字符串将触发上述错误信息。
Similar to this question but I don't care so much about what characters will/won't cause the error to fire. I'm more curious as to what method I can call, to check for myself, if the current string will fire the above error message.
要给一点背景,我创建的随机密码,当用户忘记他们,需要复位。在它#近日,不幸的是,随机密码生成器意外创造了一个与&放大器。这导致该页面以打破,当用户试图登录它。
To give a bit of background, I'm creating random passwords when a user forgets theirs and needs a reset. Unfortunately, the random password generator "accidentally" created one with &# in it recently. This caused the page to break when the user tried to login with it.
正如很多帖子围绕这个话题, ValidateRequest = FALSE (或<的httpRuntime requestValidationMode =2.0/> 的.NET 4.0)可以用来关闭.NET检查这些漏洞,但我看不出有任何理由要失去这种额外的安全层,当我是一个创建字符串中的第地点。而只是告诉随机数发生器对一个不完整的名单重新随机化(< ,&放大器;#等)似乎不喜欢的干净的解决方案,所以我想用检查.NET是使用同样的方法。
As mentioned in plenty of posts around this topic, ValidateRequest=false (or <httpRuntime requestValidationMode="2.0" /> for .NET 4.0) can be used to turn off .NET checking for these exploits, but I don't see any reason to lose this extra layer of security when I'm the one creating the string in the first place. And simply telling the random generator to re-randomize on an incomplete list (<, &#, etc) doesn't seem like the cleanest solution so I'd like to use the same method of checking that .NET is using.
什么漏洞是问题,正在做什么,以防止他们的这里。
Microsoft's explanation of what exploits are in question and what is being done to guard against them here.
关于寻找一个叫做函数这家伙会谈 IsDangerousString 挖掘与反射后,但我没能找到这个功能来使用它。另外他指的是.NET 1.1和我一起工作的.NET 3.5
This guy talks about finding a function called IsDangerousString after digging in with Reflector, but I'm not able to find this function to use it. Also he's referring to .NET 1.1 and I'm working with .NET 3.5
推荐答案
这验证请求的ASP.NET类是 System.Web.CrossSiteScriptingValidation ,和你想的方法是 IsDangerousString 。不幸的是,这两个标记内部,所以你不能直接访问它们。您有几种选择:
The ASP.NET class that validates requests is System.Web.CrossSiteScriptingValidation, and the method you want is IsDangerousString. Unfortunately, both are marked internal, so you can't access them directly. You have several options:
选项1:拨打 IsDangerousString 通过反射。然而,微软可以随时更改的方法,它会破坏你的一个应用。
Option 1: Call IsDangerousString via Reflection. However, Microsoft could change the method at any time, which would break your applicaton.
选项2:反编译 IsDangerousString 并将其复制到自己的应用程序。请参见下面的code。
Option 2: Decompile IsDangerousString and copy it to your own application. See the code below.
选项3:呼叫Membership.GeneratePassword.这将返回这是保证通过请求验证的密码。
Option 3: Call Membership.GeneratePassword. This returns a password that is guaranteed to pass request validation.
从ASP.NET摘录 CrossSiteScriptingValidation 类(通过.NET反射):
Excerpts from the ASP.NET CrossSiteScriptingValidation class (via .NET Reflector):
private static char[] startingChars = new char[] { '<', '&' };
internal static bool IsDangerousString(string s, out int matchIndex)
{
matchIndex = 0;
int startIndex = 0;
while (true)
{
int num2 = s.IndexOfAny(startingChars, startIndex);
if (num2 < 0)
{
return false;
}
if (num2 == (s.Length - 1))
{
return false;
}
matchIndex = num2;
char ch = s[num2];
if (ch != '&')
{
if ((ch == '<') && ((IsAtoZ(s[num2 + 1]) || (s[num2 + 1] == '!')) || ((s[num2 + 1] == '/') || (s[num2 + 1] == '?'))))
{
return true;
}
}
else if (s[num2 + 1] == '#')
{
return true;
}
startIndex = num2 + 1;
}
}
private static bool IsAtoZ(char c)
{
return (((c >= 'a') && (c <= 'z')) || ((c >= 'A') && (c <= 'Z')));
}
