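<!--
  Fragment of web.config (both sections sit under <configuration>).
  The same two limits are configured at two independent layers, and a request has to pass both:
    * <httpRuntime> is enforced by ASP.NET, which answers an over-long path or query string
      with HTTP 400.
    * <requestLimits> is enforced earlier by IIS request filtering.
  The values are kept identical so that neither layer rejects a request the other would accept.
  Raising these limits widens what the server accepts from unauthenticated clients, so keep them
  as low as the application's longest legitimate URL allows.
-->
<system.web>
  <!-- ASP.NET limits for the request path and the query string. -->
  <httpRuntime maxUrlLength="10999" maxQueryStringLength="4096" />
</system.web>
<system.webServer>
  <security>
    <requestFiltering>
      <!-- IIS request-filtering limits for the URL and the query string. -->
      <requestLimits maxUrl="10999" maxQueryString="4096" />
    </requestFiltering>
  </security>
</system.webServer>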
// Applies the <httpRuntime> request checks for the current request: the path and query-string
// length limits, the configured list of invalid path characters, and the requestValidationMode
// switch. Throws HttpException with status 400 when a length limit is exceeded or when the path
// contains one of the configured invalid characters.
internal void ValidateInputIfRequiredByConfig() {
    HttpRuntimeSection httpRuntime = RuntimeConfig.GetConfig(Context).HttpRuntime;

    // Path and query-string checks run only when CanValidateRequest() allows them
    // (described in the original source as "non-state_server requests").
    if (CanValidateRequest()) {
        string path = Path;

        // Length limits. MaxUrlLength is compared against Path only; the query string is
        // measured separately against MaxQueryStringLength.
        int pathLength = path.Length;
        if (pathLength > httpRuntime.MaxUrlLength) {
            throw new HttpException(400, SR.GetString(SR.Url_too_long));
        }

        int queryLength = QueryStringText.Length;
        if (queryLength > httpRuntime.MaxQueryStringLength) {
            throw new HttpException(400, SR.GetString(SR.QueryString_too_long));
        }

        // Invalid-character scan of the path. A null or empty list skips the scan AND leaves
        // needToValidateCookielessHeader unset, so an empty requestPathInvalidChars setting
        // turns off both checks.
        char[] forbidden = httpRuntime.RequestPathInvalidCharactersArray;
        bool hasForbiddenList = !(forbidden == null || forbidden.Length == 0);
        if (hasForbiddenList) {
            int hit = path.IndexOfAny(forbidden);
            if (hit >= 0) {
                // Report only the first offending character.
                char offending = path[hit];
                string invalidString = new string(offending, 1);
                throw new HttpException(400, SR.GetString(SR.Dangerous_input_detected,
                    "Request.Path", invalidString));
            }

            _flags.Set(needToValidateCookielessHeader);
        }
    }

    // Pipeline-wide request validation is only switched on for mode 4.0 and later.
    Version mode = httpRuntime.RequestValidationMode;

    if (mode == VersionUtil.Framework00) {
        // DevDiv #412689: <httpRuntime requestValidationMode="0.0" /> suppresses validation for
        // the whole request, even if ValidateInput() is called later. The path-character and
        // cookieless-header checks above are not affected by this mode; they are controlled by
        // <httpRuntime requestPathInvalidChars="" />.
        _flags[requestValidationSuppressed] = true;
        return;
    }

    // Any other mode below 4.0 falls through without enabling validation here.
    if (mode >= VersionUtil.Framework40) {
        ValidateInput();

        // Mode 4.5 and later additionally turns on granular request validation.
        if (mode >= VersionUtil.Framework45) {
            EnableGranularRequestValidation();
        }
    }
}