A potentially dangerous querystring ... [ValidateRequest]

Boris

All,
When I use .NET Framework 1.1 for my web application, I get an error
saying "A potentially dangerous querystring was detected from the
client...."
I have read the posts related to this and it seems this is due to some
SECURITY FEATURE in 1.1!!!

My code used to work in 1.0!!! Now when the web server gets upgraded
to 1.1, my app. breaks.

So, if I introduce validateRequest=false in Web.config, I can
overcome this error without ANY Code change.

BUT unfortunately, assume this scenario for me... I have 2 deployment
servers: Server A [with Framework 1.1 installed] and Server B [for some
reason has not upgraded to 1.1 as of now] [which means I must
continue to support both 1.0 and 1.1 for some time now].

So with this change in 1.1, does this mean that I cannot have one
"common Web.config" which i cannot deploy in both Server A and Server
B?
Because the Web.config in ServerB will complain on detecting a
validaterequest tag.

So to wrap my problem....Is there any way to include
"validateRequest=false" in web.config, but still allow 1.0 to compile
correctly?

Or the only way is to have separate web.config for 1.0 and 1.1?


Thanks in advance
Ben
 
Scott Mitchell [MVP]

> So to wrap my problem....Is there any way to include
> "validateRequest=false" in web.config, but still allow 1.0 to compile
> correctly?

Ben, I've not tried this, but I believe it will work (although it may
not have the exact effect you're after). You could tweak the
machine.config for 1.1 to include the validateRequest=false. Therefore,
you wouldn't have to fiddle with the Web.config.

Of course the issue here is two-fold:

(1) You must have access to the Web server's machine.config
(2) You will be affecting the default validateRequest setting for ALL
Web sites using ASP.NET 1.1 on the box

But, for your situation, it might be of use. Hope this helps.

--

Scott Mitchell
(e-mail address removed)
http://www.4GuysFromRolla.com
http://www.ASPFAQs.com
http://www.ASPMessageboard.com

* When you think ASP, think 4GuysFromRolla.com!
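
Added example, not part of the thread or of any poster's code: a small audit script that reports where request validation has been switched off, and with what reach, so the machine-wide effect described in point (2) above is visible at a glance. The sample config text is constructed, the function name is hypothetical, and handling of `<location>` blocks goes slightly beyond what the thread discusses.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (assumptions, not taken from the thread).
SAMPLE_MACHINE_CONFIG = """<configuration>
  <system.web>
    <pages buffer="true" validateRequest="false" />
  </system.web>
</configuration>"""

SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <pages validateRequest="true" />
  </system.web>
  <location path="upload.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>"""


def find_disabled_validation(xml_text, file_name):
    """Return (file_name, scope) for each <pages validateRequest="false">."""
    root = ET.fromstring(xml_text)
    # A setting in machine.config is the default for every site on the box.
    is_machine = file_name.lower().endswith("machine.config")
    default_scope = ("all ASP.NET sites on the server" if is_machine
                     else "this application")
    findings = []

    def check(system_web, scope):
        for pages in system_web.findall("pages"):
            value = pages.get("validateRequest", "")
            if value.strip().lower() == "false":
                findings.append((file_name, scope))

    for system_web in root.findall("system.web"):
        check(system_web, default_scope)
    # <location path="..."> narrows a setting to one path below the file.
    for location in root.findall("location"):
        scope = "location path=" + repr(location.get("path", ""))
        for system_web in location.findall("system.web"):
            check(system_web, scope)
    return findings


if __name__ == "__main__":
    for name, text in [("machine.config", SAMPLE_MACHINE_CONFIG),
                       ("web.config", SAMPLE_WEB_CONFIG)]:
        for finding in find_disabled_validation(text, name):
            print("request validation disabled: %s (%s)" % finding)
```

Any page the script flags no longer gets the framework's input check, so that page's own output encoding is the only control left against script injection.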
 
Ken Schaefer

Alternatively, is there any way to get the server running v1.1 to go back
to running v1.0 (I suppose, talk to your administrator) until the server
running v1.0 can be upgraded to v1.1?

Cheers
Ken

: > So to wrap my problem....Is there any way to include
: > "validateRequest=false" in web.config, but still allow 1.0 to compile
: > correctly?
:
: Ben, I've not tries this, but I believe it will work (although it may
: not have the exact effect you're after). You could tweak the
: machine.config for 1.1 to include the validateRequest=false. Therefore,
: you wouldn't have to fiddle with the Web.config.
:
: Of course the issue here is two-fold:
:
: (1) You must have access to the Web server's machine.config
: (2) You will be affecting the default validateRequest setting for ALL
: Web sites using ASP.NET 1.1 on the box
:
: But, for your situation, it might be of use. Hope this helps.
:
: --
:
: Scott Mitchell
: (e-mail address removed)
: http://www.4GuysFromRolla.com
: http://www.ASPFAQs.com
: http://www.ASPMessageboard.com
:
: * When you think ASP, think 4GuysFromRolla.com!
 
Boris

Hi Scott, Ken,
thanks for the replies.

I think modifying the machine.config is not possible since it may
affect other web app on the production box.

In fact same reason applies to Ken also. I can change the settings in
IIS to make it point to 1.0 again, but this will affect other Web app.

phew...What a change from 1.0 to 1.1!!!!

It is always good to fill in Security holes, but this I feel is an
over-restriction. At least for 1.0 web application, there must be a
better way to easily come thru this change...

Any other suggestions are most welcome.

Thanks again
Ben
 
Ken Schaefer

I believe that mappings can be set on a Web Application by Web Application
basis.

In IIS Manager, you will need to go to Web App Properties -> Directory -> App
Configuration Button -> Mappings tab. Map the ASP.NET extensions (e.g.
.aspx) to the appropriate aspnet_isapi.dll.

So, even if you change one web app to use 1.0, the others can still use 1.1
(I think they can - maybe they can't, but you could try it).

Cheers
Ken


: Hi Scott, Ken,
: thanks for the replies.
:
: i think modifying the machine.config is not possible since it may
: affect other web app on the production box.
:
: In fact same reason applies to Ken also. I can change the settings in
: IIS to make it point to 1.0 again, but this will affect other Web app.
:
: phew...What a change from 1.0 to 1.1!!!!
:
: It is always good to fill in Security holes, but this i feel is a
: over-restiction. At least for 1.0 web application, there must be a
: better way to easily come thru this change...
:
: Any other suggestions are most welcome.
:
: Thanks again
: Ben
:
:
: > Alternatively, is there any way to get the server running v1.1 to go back
: > to running v1.0 (I suppose, talk to your administrator) until the server
: > running v1.0 can be upgraded to v1.1?
: >
: > Cheers
: > Ken
: >
: > : > So to wrap my problem....Is there any way to include
: > : > "validateRequest=false" in web.config, but still allow 1.0 to compile
: > : > correctly?
: > :
: > : Ben, I've not tries this, but I believe it will work (although it may
: > : not have the exact effect you're after). You could tweak the
: > : machine.config for 1.1 to include the validateRequest=false. Therefore,
: > : you wouldn't have to fiddle with the Web.config.
: > :
: > : Of course the issue here is two-fold:
: > :
: > : (1) You must have access to the Web server's machine.config
: > : (2) You will be affecting the default validateRequest setting for ALL
: > : Web sites using ASP.NET 1.1 on the box
: > :
: > : But, for your situation, it might be of use. Hope this helps.
: > :
: > : --
: > :
: > : Scott Mitchell
: > : (e-mail address removed)
: > : http://www.4GuysFromRolla.com
: > : http://www.ASPFAQs.com
: > : http://www.ASPMessageboard.com
: > :
: > : * When you think ASP, think 4GuysFromRolla.com!
 
Joe Kaplan (MVP - ADSI)

I'd recommend installing both versions of the Framework on the server and
then using Denis Bauer's handy ASP.NET Version Switcher utility so that you
can set framework versions on a vroot by vroot basis easily.
http://www.denisbauer.com.

You can also do this via the command line, but Denis' utility is SO much
easier. We use it all the time to handle just these types of situations.

Joe K.
 
