Strange ValidateInputIfRequiredByConfig error

4

I'm getting random exception caused by ValidateInputIfRequiredByConfig().

I don't have exact message, since our server is pt-BR, so error message is translated.

I know that this error can be thrown if user puts malicious code in input, ie example. But it's not case here.

I'm getting this one, requesting some images. Below some info from elmah.

HTTP_USER_AGENT:    GbPlugin
PATH_INFO:          /Content/images/BannerWelcome.jpg?1110311762734
PATH_TRANSLATED:    C:\inetpub\wwwroot\Content\images\BannerWelcome.jpg?1110311762734
REQUEST_METHOD:     GET
SCRIPT_NAME:        /Content/images/BannerWelcome.jpg?1110311762734

Application is ASP.NET MVC 3, running on Windows 2008, IIS 7.5

EDIT:

Exception message in pt-BR:

System.Web.HttpException
Um valor possivelmente perigoso Request.Path foi detectado no cliente (?).

System.Web.HttpException (0x80004005): Um valor possivelmente perigoso Request.Path foi detectado no cliente (?).
   em System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   em System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

EDIT:

Exception message in English: "A potentially dangerous value was detected from the client Request.Path"

EDIT 2:

I can't reproduce this error. As I know it is just in request to this image.

asp.net
asp.net-mvc
asp.net-mvc-3
asked on Stack Overflow Nov 14, 2011 by Zote • edited Nov 17, 2011 by Zote

2 Answers

4
<pages validateRequest="false" />

does not work in MVC3.

1) You have to explicitly put [ValidateRequest(false)] on each controller or action

2) If you use .NET4 this is not sufficient as there is a "bug/feature" in .NET4 which prevent [ValidateInput(false)] to work. You have to also disable requestPathInvalidCharacters,validateRequest and requestFiltering by using requestValidationMode of 2.0 :

<httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="" />
answered on Stack Overflow Nov 17, 2011 by Softlion
2

I made three changes to solve this issue:

1)

<system.web>
    <httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="" />
     </system.web>

2)

<system.webServer>      
    <security>  <requestFiltering allowDoubleEscaping="true" /> </security>
    </system.webServer>

3) <pages validateRequest="false" />

answered on Stack Overflow Feb 25, 2014 by charles

User contributions licensed under CC BY-SA 3.0