  <!--
    web.config excerpt. The enclosing <configuration> element and the closing tags
    for <system.web> and <system.webServer> are not part of this excerpt.

    Request length is limited in two independent places, and the stricter one wins:
      * <httpRuntime> is enforced by ASP.NET (defaults: maxUrlLength 260,
        maxQueryStringLength 2048); an over-limit request gets HTTP 400.
      * <requestLimits> is enforced earlier by IIS request filtering (defaults:
        maxUrl 4096, maxQueryString 2048, in bytes); an over-limit request gets
        HTTP 404.14 / 404.15.
    Both are raised above their defaults here. Keep each value as low as the
    application really needs, since these limits bound how much URL data every
    downstream parser, logger and rewrite rule has to handle.
  -->
  <system.web>
    <httpRuntime maxUrlLength="10999" maxQueryStringLength="4096" />


  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxUrl="10999" maxQueryString="4096" />
      </requestFiltering>
    </security>

  /// <summary>
  /// Runs the request checks selected by the <c>HttpRuntime</c> configuration section:
  /// length limits on the path and query string, the configured set of characters that
  /// may not appear in the path, and the request validation mode.
  /// </summary>
  /// <exception cref="HttpException">
  /// Status 400 when the path or query string exceeds its configured maximum length, or
  /// when the path contains one of the configured invalid characters.
  /// </exception>
  internal void ValidateInputIfRequiredByConfig() {
      // Decide from configuration whether request validation has to be switched on.
      HttpRuntimeSection httpRuntime = RuntimeConfig.GetConfig(Context).HttpRuntime;

      // Path and query-string checks apply to non-state_server requests only.
      if (CanValidateRequest()) {
          string path = Path;

          // Length limits. Both comparisons use String.Length, i.e. a count of chars,
          // and the path is checked before the query string.
          if (path.Length > httpRuntime.MaxUrlLength) {
              throw new HttpException(400, SR.GetString(SR.Url_too_long));
          }
          if (QueryStringText.Length > httpRuntime.MaxQueryStringLength) {
              throw new HttpException(400, SR.GetString(SR.QueryString_too_long));
          }

          // Characters that are not allowed in the path. A null or empty array
          // skips this check AND leaves needToValidateCookielessHeader unset.
          char[] blockedChars = httpRuntime.RequestPathInvalidCharactersArray;
          bool hasBlockedChars = blockedChars != null && blockedChars.Length > 0;
          if (hasBlockedChars) {
              int firstHit = path.IndexOfAny(blockedChars);
              if (firstHit >= 0) {
                  // Only the first offending character is reported in the error text.
                  string offending = path[firstHit].ToString();
                  throw new HttpException(400, SR.GetString(SR.Dangerous_input_detected,
                      "Request.Path", offending));
              }
              _flags.Set(needToValidateCookielessHeader);
          }
      }

      // Request validation for the entire pipeline is only enabled in v4.0+ of the framework.
      Version mode = httpRuntime.RequestValidationMode;
      if (mode == VersionUtil.Framework00) {
          // DevDiv #412689: <httpRuntime requestValidationMode="0.0" /> should suppress
          // validation for the entire request, even if a call to ValidateInput() takes
          // place. The request path characters and cookieless header (see
          // 'needToValidateCookielessHeader') are still validated if necessary. These can
          // be suppressed via <httpRuntime requestPathInvalidChars="" />.
          _flags[requestValidationSuppressed] = true;
          return;
      }

      // Modes that are neither 0.0 nor at least 4.0 do nothing further in this method.
      if (mode >= VersionUtil.Framework40) {
          ValidateInput();

          // Mode v4.5+ implies granular request validation.
          if (mode >= VersionUtil.Framework45) {
              EnableGranularRequestValidation();
          }
      }
  }