A potentially dangerous Request.Path value.... contains only alphanumerics and an underscore?

开发者 https://www.devze.com 2023-04-12 17:16 Source: Internet

I'm aware of the normal causes of this issue, but what's wrong with this URL?

http://res02.img.mem.com/individual/assets/2/2/7/1/2291722/20081027_112706_07.jpg?width=100

Most of the time the request seems to execute correctly, but every several hours, the server logs a handful (1-3) of these errors and starts returning a 503 error with each request.

I wouldn't mind the warnings, but it's chronologically coinciding with the server crashing. The application is extremely simple, just returning and resizing images from a SAN. Another server with the same software works properly. (and said software powers thousands of other websites, many running on server farms).

The difference is that this server has FNCMode=2 to prevent ASP.NET from spawning millions of FileSystemWatchers across the network to monitor the SAN that the app (and images) reside on. (To avoid the BIOS Command Limit reached errors).

I've even analyzed a crash dump with WinDbg and SOS to no avail.

Ideas? I know I'm presenting potentially two separate issues here, but they are chronologically related.

A potentially dangerous Request.Path value was detected from the client (?).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

Request information: 
    Request URL: http://res02.img.mem.com/individual/assets/2/2/7/1/2291722/20081027_112706_07.jpg?width=100 
    Request Path: /individual/assets/2/2/7/1/2291722/20081027_112706_07.jpg?width=100
    User host address: 174.37.137.143 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: IIS APPPOOL\ASP.NET v4.0 

Thread information: 
    Thread ID: 32 
    Thread account name: IIS APPPOOL\ASP.NET v4.0 
    Is impersonating: False 
    Stack trace:    at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)


It turns out the issues were unconnected. A handful of request URLs had URL-encoded the question mark, causing it to be parsed as part of the path instead of the querystring. After URL decoding, the request was caught by request validation.

The crashing issue seems to be due to an IIS threading bug, but we're still debugging that with MS.
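
An added example, not part of the original post: a small triage script that splits raw request URLs the way the answer describes and flags those whose decoded path contains a character from ASP.NET 4's default requestPathInvalidCharacters list. The %3F URLs are constructed samples derived from the URL in the question, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, unquote

# Default value of <httpRuntime requestPathInvalidCharacters="..."> in ASP.NET 4.
INVALID_PATH_CHARS = frozenset('<>*%&:\\?')


def check_request(url):
    """Split a raw URL and report what path validation would see."""
    parts = urlsplit(url)
    # Only a literal '?' starts the query string; '%3F' stays in the path
    # and becomes '?' once the path is percent-decoded.
    decoded_path = unquote(parts.path)
    rejected_for = sorted(INVALID_PATH_CHARS.intersection(decoded_path))
    return {
        "decoded_path": decoded_path,
        "query": parts.query,
        # Characters that would be named in the "(?)" part of the error message.
        "rejected_for": rejected_for,
        # A '?' can only reach the decoded path if the client encoded it.
        "encoded_delimiter": "?" in decoded_path,
    }


def find_encoded_delimiters(urls):
    """Return the URLs whose query delimiter was percent-encoded upstream."""
    return [u for u in urls if check_request(u)["encoded_delimiter"]]


# Constructed sample input: the URL from the question, then two variants
# with the question mark percent-encoded (upper- and lower-case hex).
BASE = ("http://res02.img.mem.com/individual/assets/2/2/7/1/2291722/"
        "20081027_112706_07.jpg")
SAMPLE_URLS = [
    BASE + "?width=100",
    BASE + "%3Fwidth=100",
    BASE + "%3fwidth%3D100",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        result = check_request(url)
        verdict = "REJECT" if result["rejected_for"] else "ok"
        print(f"{verdict:6} path={result['decoded_path']!r} "
              f"query={result['query']!r} chars={result['rejected_for']}")
```

Running the same check over the URLs in the error log, grouped by referrer or user agent, shows which client or link generator is encoding the delimiter.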
