3

I'm having an issue with a generic http handler I have written for a site running on IIS6 using ASP.NET v2.0. The job of the handler is to accept a post from a third-party site, do some translating of the data, and then forward it along via a post to another site. This all works fine. The issue i'm having is that some of the POST's to my handler fail, with this message:

2013-11-03 00:22:39 Message: A potentially dangerous Request.Form value was 
detected from the client (data.xml="<?xml version='1.0'?...")

Every post that this third-party site does to my handler includes the data in two formats in the post. data.json contains the data in a json format, and data.xml contains the data in an xml format. I'm not sure why the site does it this way, you can't configure which formats they send, they just always send the data both ways.

As this is an ASP.NET v2 site, <httpRuntime requestValidationMode="2.0" /> isn't supported (and I wouldn't want to turn it off site-wide anyways, this is a large site). I've also attempted to turn off validation with this in my web.config:

<configuration>
  <deleted details />
  <location path="~/Handlers/PostTranslator.ashx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
  <deleted details />
</configuration>

The above change didn't seem to make a difference.

Is there some obvious way to turn off Request.Form validation that i've missed? Or some limitation since this is a generic http handler?

The code that throws the error is simple:

public void ProcessRequest(HttpContext context) {
    var form = context.Request.Form;
}

The handler is registered in the web.config like this (if it matters):

<add verb="*" path="PostTranslator.ashx" 
      type="My.Web.UI.Site.Handlers.PostTranslator, My.Web.UI.Site" />

Here is the output when running aspnet_regiis -lk (running as 64bit):

W3SVC/9755868907/root    2.0.50727.0

Is there a way for me to turn off form validation for just this http handler?

Mike Corcoran
  • 14,072
  • 4
  • 37
  • 49
  • Here are a couple of answers: http://stackoverflow.com/questions/1332400/how-can-request-validation-be-disabled-for-httphandlers – Chris Schiffhauer Nov 05 '13 at 21:53
  • @ChrisSchiffhauer according to the msdn docs, the validate attribute mentioned in that answer only tells asp not to pre-load your handler, nothing else. you can verify that [here](http://msdn.microsoft.com/en-us/library/system.web.configuration.httphandleraction.validate.aspx). i've read most of the answers on stack overflow already, none really seemed to apply to me. – Mike Corcoran Nov 05 '13 at 21:57
  • It's puzzling. Your application pool is *definitely* set to 2.0? – Chris Schiffhauer Nov 05 '13 at 22:01
  • Should the incoming parameter read HttpContext context? – IrishChieftain Nov 05 '13 at 22:03
  • @IrishChieftain yeah, typo on my part - fixed. – Mike Corcoran Nov 05 '13 at 22:05
  • 1
    What version of IIS are you using? – IrishChieftain Nov 05 '13 at 22:16
  • @ChrisSchiffhauer yeah, added the mapping ASP had saved for the site when running aspnet_regiis -lk. – Mike Corcoran Nov 06 '13 at 16:20
  • Wild guess - check if the there's a correspondent entry in applicationhost.config or machine.config, and if they're set to overrideModeDefault="Allow". – OnoSendai Nov 06 '13 at 16:57
  • @OnoSendai looks like applicationhost.config is only applicable to IIS7+, I didn't see that property at all in the machine.config – Mike Corcoran Nov 06 '13 at 17:05
  • I see. Try this, then: – OnoSendai Nov 06 '13 at 17:18
  • Here's a post that is somewhat similar to yours, and mentions the Validate property. I can't test it right now to check if Joseph's comment is valid, tho: http://stackoverflow.com/questions/1332400/how-can-request-validation-be-disabled-for-httphandlers – OnoSendai Nov 06 '13 at 17:19

0 Answers0