Esempio n. 1
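        /// <summary>
        /// Custom request validation: skips the built-in ASP.NET check for the raw URL and for
        /// query-string keys that start with "__option_", and delegates everything else to the base validator.
        /// </summary>
        /// <param name="context">The context of the current request.</param>
        /// <param name="value">The request data to validate.</param>
        /// <param name="requestValidationSource">The part of the request the value came from.</param>
        /// <param name="collectionKey">The key of the value in its request collection; may be null.</param>
        /// <param name="validationFailureIndex">-1 when the value is accepted here; otherwise whatever the base validator reports.</param>
        /// <returns>true if the value is accepted; otherwise the result of the base validator.</returns>
        protected override bool IsValidRequestString(
            HttpContext context, string value,
            RequestValidationSource requestValidationSource, string collectionKey,
            out int validationFailureIndex)
        {
            // Default for the out parameter on the paths that accept the value outright.
            validationFailureIndex = -1;

            // This application does not use RawUrl directly, so that source is not checked.
            if (requestValidationSource == RequestValidationSource.RawUrl)
            {
                return true;
            }

            // The per-category "Option" fields of the Classifieds and Products listings are exempt.
            // The key may be null, so guard before calling StartsWith, and compare ordinally because
            // the prefix is an identifier, not linguistic text.
            // Values accepted here never pass the built-in check, so they must be encoded or
            // parameterized wherever they are rendered or used in a query.
            bool isOptionField =
                requestValidationSource == RequestValidationSource.QueryString &&
                collectionKey != null &&
                collectionKey.StartsWith("__option_", System.StringComparison.Ordinal);

            if (isOptionField)
            {
                return true;
            }

            // Everything else is checked as usual.
            return base.IsValidRequestString(context, value, requestValidationSource,
                                             collectionKey, out validationFailureIndex);
        }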
Esempio n. 2
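        /// <summary>
        /// Custom request validation: lets the WS-Federation result form field through when the posted
        /// form parses as a WS-Federation message; all other values go to the base validator.
        /// </summary>
        /// <param name="context">The context of the current request.</param>
        /// <param name="value">The request data to validate.</param>
        /// <param name="requestValidationSource">The part of the request the value came from.</param>
        /// <param name="collectionKey">The key of the value in its request collection; may be null.</param>
        /// <param name="validationFailureIndex">0 when the value is accepted here; otherwise whatever the base validator reports.</param>
        /// <returns>true if the value is accepted; otherwise the result of the base validator.</returns>
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // The static string.Equals tolerates a null collectionKey, which collectionKey.Equals(...) does not.
            bool isFederationResult =
                requestValidationSource == RequestValidationSource.Form &&
                string.Equals(collectionKey, WSFederationConstants.Parameters.Result, StringComparison.Ordinal);

            if (isFederationResult)
            {
                // Any message that parses as WS-Federation is accepted, not only sign-in responses.
                // NOTE(review): only parsing is visible here; signature and issuer checks on the token
                // are assumed to happen later in the federation pipeline. Confirm before relying on it.
                WSFederationMessage message = WSFederationMessage.CreateFromFormPost(context.Request);

                if (message != null)
                {
                    return true;
                }
            }

            return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }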
        /// <summary>
        /// Custom request validation: accepts the WS-Federation result form field when the posted form
        /// parses as a sign-in response; every other value is left to the base validator.
        /// </summary>
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            bool isFormPost = requestValidationSource == RequestValidationSource.Form;

            // NOTE(review): collectionKey is dereferenced without a null check, so a form value
            // without a name would throw here.
            if (isFormPost && collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
            {
                // The 'as' cast narrows acceptance to sign-in responses; other message types fall through.
                SignInResponseMessage signIn =
                    WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage;

                if (signIn != null)
                {
                    return true;
                }
            }

            return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
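        /// <summary>
        /// Custom request validation: accepts the form field named "data" when its value is wrapped in
        /// curly braces (treated as JSON); every other value is left to the base ASP.NET validator.
        /// </summary>
        /// <param name="context">The context of the current request.</param>
        /// <param name="value">The request data to validate.</param>
        /// <param name="requestValidationSource">The part of the request the value came from.</param>
        /// <param name="collectionKey">The key of the value in its request collection.</param>
        /// <param name="validationFailureIndex">-1 when the value is accepted here; otherwise whatever the base validator reports.</param>
        /// <returns>true if the value is accepted; otherwise the result of the base validator.</returns>
        protected override bool IsValidRequestString(
            HttpContext context, string value,
            RequestValidationSource requestValidationSource, string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = -1;  // Default for the out parameter.

            // The exemption applies to the *form* field "data" (not the query string).
            bool isDataField =
                requestValidationSource == RequestValidationSource.Form &&
                collectionKey == "data";

            // Only the first and last characters are inspected; the content between the braces is not
            // checked, so consumers must parse it as JSON and encode it before rendering.
            // Ordinal comparison avoids culture-sensitive matching of the brace characters.
            if (isDataField &&
                value.StartsWith("{", System.StringComparison.Ordinal) &&
                value.EndsWith("}", System.StringComparison.Ordinal))
            {
                return true;
            }

            // All other HTTP input checks are left to the base ASP.NET implementation.
            return base.IsValidRequestString(context, value, requestValidationSource,
                                             collectionKey, out validationFailureIndex);
        }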
Esempio n. 5
        /// <summary>
        /// Never rejects a value. Values containing any character outside [a-zA-Z0-9_] are recorded in
        /// the per-request "Irv.Engine.TaintfulParams" list so they can be checked against the response later.
        /// </summary>
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = -1;

            // Look for the first character that is not a letter, digit or underscore (ASCII only).
            var hasOtherChars = false;
            foreach (var ch in value)
            {
                var harmless = (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') ||
                               (ch >= '0' && ch <= '9') || (ch == '_');
                if (!harmless)
                {
                    hasOtherChars = true;
                    break;
                }
            }

            if (hasOtherChars)
            {
                // Create the request-scoped list on first use, then append this parameter to it.
                if (!context.Items.Contains("Irv.Engine.TaintfulParams"))
                {
                    context.Items["Irv.Engine.TaintfulParams"] = new List<RequestValidationParam>();
                }

                var tainted = (List<RequestValidationParam>)context.Items["Irv.Engine.TaintfulParams"];
                tainted.Add(new RequestValidationParam(requestValidationSource.ToString(), collectionKey, value));
            }

            // Request-time validation is effectively off; protection depends on the later response check.
            return true;
        }
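        /// <summary>
        /// Custom request validation: for the WS-Federation result form field, extracts the
        /// RequestedSecurityToken element, base64-decodes it and builds a SimpleWebToken from it;
        /// every other value is left to the base validator.
        /// </summary>
        /// <param name="context">The context of the current request.</param>
        /// <param name="value">The request data to validate.</param>
        /// <param name="requestValidationSource">The part of the request the value came from.</param>
        /// <param name="collectionKey">The key of the value in its request collection; may be null.</param>
        /// <param name="validationFailureIndex">0 on the paths decided here; otherwise whatever the base validator reports.</param>
        /// <returns>
        /// false when the result field has no RequestedSecurityToken child element, true when a token
        /// could be constructed, otherwise the result of the base validator.
        /// </returns>
        protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // The static string.Equals tolerates a null collectionKey.
            if (requestValidationSource == RequestValidationSource.Form &&
                string.Equals(collectionKey, WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
            {
                XNamespace trustNamespace = "http://schemas.xmlsoap.org/ws/2005/02/trust";

                using (var reader = new XmlTextReader(value, XmlNodeType.Element, null))
                {
                    // The XML comes straight from the posted form, so refuse DTDs and never resolve
                    // external resources while parsing it.
                    reader.DtdProcessing = DtdProcessing.Prohibit;
                    reader.XmlResolver = null;

                    var root = XElement.Load(reader);
                    var requestedToken = root.Elements(trustNamespace + "RequestedSecurityToken").FirstOrDefault();

                    if (requestedToken == null)
                    {
                        return false;
                    }

                    var tokenBytes = Convert.FromBase64String(requestedToken.Value);
                    var acsToken = Encoding.UTF8.GetString(tokenBytes, 0, tokenBytes.Length);

                    // A constructor never yields null, so this comparison is always true; a malformed
                    // token is expected to surface as an exception from the constructor instead.
                    // NOTE(review): malformed XML or base64 also propagates as an exception rather
                    // than a validation failure. Confirm that is the intended behaviour.
                    return new SimpleWebToken(acsToken) != null;
                }
            }

            return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }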
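 /// <summary>
 /// Custom request validation: form values are rejected only when they contain an opening script
 /// tag; values from every other source are left to the base validator.
 /// </summary>
 /// <param name="context">The context of the current request.</param>
 /// <param name="value">The request data to validate.</param>
 /// <param name="requestValidationSource">The part of the request the value came from.</param>
 /// <param name="collectionKey">The key of the value in its request collection.</param>
 /// <param name="validationFailureIndex">Position of the match when a form value is rejected, 0 when it is accepted.</param>
 /// <returns>false for a form value containing an opening script tag; true for other form values; otherwise the result of the base validator.</returns>
 protected override bool IsValidRequestString(
     HttpContext context, string value,
     RequestValidationSource requestValidationSource,
     string collectionKey,
     out int validationFailureIndex)
 {
     if (requestValidationSource != RequestValidationSource.Form)
     {
         return base.IsValidRequestString(context, value,
                                          requestValidationSource, collectionKey, out validationFailureIndex);
     }

     // Match the tag opening case-insensitively and without the closing '>', so that
     // differently-cased tags and tags carrying attributes are caught as well.
     // This is still a single-token deny-list and replaces the broader built-in check for form
     // data; form values must be HTML-encoded wherever they are rendered.
     int errorIndex = value.IndexOf("<script", System.StringComparison.OrdinalIgnoreCase);
     if (errorIndex != -1)
     {
         validationFailureIndex = errorIndex;
         return false;
     }

     validationFailureIndex = 0;
     return true;
 }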
Esempio n. 8
		// Default validation: a value is valid unless HttpRequest.IsInvalidString flags it.
		// The source, key and context arguments are not consulted by this implementation.
		protected internal virtual bool IsValidRequestString (
			HttpContext context,
			string value,
			RequestValidationSource requestValidationSource,
			string collectionKey,
			out int validationFailureIndex)
		{
			validationFailureIndex = 0;

			bool rejected = HttpRequest.IsInvalidString (value, out validationFailureIndex);
			return !rejected;
		}
 // Default validation: header values are always accepted; any other value is valid unless
 // CrossSiteScriptingValidation.IsDangerousString flags it.
 protected internal virtual bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex) {
     if (requestValidationSource != RequestValidationSource.Headers) {
         bool dangerous = CrossSiteScriptingValidation.IsDangerousString(value, out validationFailureIndex);
         return !dangerous;
     }

     // The Headers collection is ignored by the default implementation.
     validationFailureIndex = 0;
     return true;
 }
        /// <summary>
        /// Validates a string that contains HTTP request data.
        /// </summary>
        /// <returns>
        /// true if the string to be validated is valid; otherwise, false.
        /// </returns>
        /// <param name="context">The context of the current request.</param>
        /// <param name="value">The HTTP request data to validate.</param>
        /// <param name="requestValidationSource">
        /// An enumeration that represents the source of request data that is being validated. The following are possible values
        /// for the enumeration: QueryString, Form, Cookies, Files, RawUrl, Path, PathInfo, Headers.
        /// </param>
        /// <param name="collectionKey">
        /// The key in the request collection of the item to validate. This parameter is optional. This parameter is used if the
        /// data to validate is obtained from a collection. If the data to validate is not from a collection,
        /// <paramref name="collectionKey"/> can be null.
        /// </param>
        /// <param name="validationFailureIndex">
        /// When this method returns, indicates the zero-based starting point of the problematic or invalid text in the request
        /// collection. This parameter is passed uninitialized.
        /// </param>
        protected override bool IsValidRequestString(HttpContext context,
                                                     string value,
                                                     RequestValidationSource requestValidationSource,
                                                     string collectionKey,
                                                     out int validationFailureIndex)
        {
            if (context == null)
            {
                throw new ArgumentNullException("context");
            }

            // Exemption 1: the request carries the "unvalidated handler" marker in its Items bag.
            string unvalidatedFlag = context.Items[UnvalidatedHandlerKey] as string;
            bool skipValidation = unvalidatedFlag == Boolean.TrueString;

            if (!skipValidation)
            {
                // Exemption 2: the request targets the configured service proxy endpoint.
                string serviceProxyRelativeUrl = Rest.Configuration.Options.ServiceProxyRelativeUrl;

                if (!String.IsNullOrEmpty(serviceProxyRelativeUrl))
                {
                    string currentPath = context.Request.AppRelativeCurrentExecutionFilePath;
                    string proxyPath = String.Format(CultureInfo.InvariantCulture, "~/{0}/proxy", serviceProxyRelativeUrl);

                    skipValidation = String.Equals(currentPath, proxyPath, StringComparison.OrdinalIgnoreCase);
                }
            }

            if (skipValidation)
            {
                // Nothing was inspected on this path, so the handler behind it owns input handling.
                validationFailureIndex = 0;
                return true;
            }

            return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
Esempio n. 11
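        /// <summary>
        /// Custom request validation: the form field "data" is accepted without the built-in check
        /// when its value starts with '{' and ends with '}'; everything else goes to the base validator.
        /// </summary>
        /// <param name="context">The context of the current request.</param>
        /// <param name="value">The request data to validate.</param>
        /// <param name="requestValidationSource">The part of the request the value came from.</param>
        /// <param name="collectionKey">The key of the value in its request collection.</param>
        /// <param name="validationFailureIndex">-1 when the value is accepted here; otherwise whatever the base validator reports.</param>
        /// <returns>true if the value is accepted; otherwise the result of the base validator.</returns>
        protected override bool IsValidRequestString(
            HttpContext context, string value,
            RequestValidationSource requestValidationSource, string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = -1;  // Default for the out parameter.

            // The check is on Form data, although the exemption is meant for a JSON payload.
            if ((requestValidationSource == RequestValidationSource.Form) &&
                (collectionKey == "data"))
            {
                // Ordinal comparison: the braces are syntax, not linguistic text.
                bool looksLikeJsonObject =
                    value.StartsWith("{", System.StringComparison.Ordinal) &&
                    value.EndsWith("}", System.StringComparison.Ordinal);

                if (looksLikeJsonObject)
                {
                    // Only the outer braces were inspected. The payload itself is unchecked and must
                    // be parsed as JSON and encoded before it reaches any HTML output.
                    return true;
                }
            }

            // All other HTTP input checks are left to the base ASP.NET implementation.
            return base.IsValidRequestString(context, value, requestValidationSource,
                                             collectionKey, out validationFailureIndex);
        }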
Esempio n. 12
        /// <summary>
        /// Validates a string that contains HTTP request data.
        /// </summary>
        /// <param name="context">The context of the current request.</param>
        /// <param name="value">The HTTP request data to validate.</param>
        /// <param name="requestValidationSource">An enumeration that represents the source of request data that is being validated. The following are possible values for the enumeration: QueryString, Form, Cookies, Files, RawUrl, Path, PathInfo, Headers.</param>
        /// <param name="collectionKey">The key in the request collection of the item to validate. This parameter is optional. This parameter is used if the data to validate is obtained from a collection. If the data to validate is not from a collection, <paramref name="collectionKey" /> can be null.</param>
        /// <param name="validationFailureIndex">When this method returns, indicates the zero-based starting point of the problematic or invalid text in the request collection. This parameter is passed uninitialized.</param>
        /// <returns>
        /// true if the string to be validated is valid; otherwise, false.
        /// </returns>
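        protected override bool IsValidRequestString( HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex )
        {
            bool valid = base.IsValidRequestString( context, value, requestValidationSource, collectionKey, out validationFailureIndex );

            // Exemptions are only considered for form data that the base validator rejected.
            // The Request null check now covers both exemptions; previously only the first one was guarded.
            if ( valid || requestValidationSource != RequestValidationSource.Form || context == null || context.Request == null )
            {
                return valid;
            }

            // NOTE(review): both exemptions below are decided from the request itself (its path and
            // a companion form field), so whoever sends the request decides whether validation is
            // skipped. Consider a server-side allow-list, and encode these values wherever they are rendered.

            if ( context.Request.Path.EndsWith( ".ashx", System.StringComparison.OrdinalIgnoreCase ) )
            {
                // Requests to .ashx handlers are treated as webhooks and allowed.
                validationFailureIndex = -1;
                return true;
            }

            // Allow the rejected value when a companion form field named "<key>_dvrm" exists and
            // AsBoolean( true ) evaluates it to true.
            var disableFlag = context.Request.Form[collectionKey + "_dvrm"];
            if ( disableFlag != null && disableFlag.AsBoolean( true ) )
            {
                validationFailureIndex = -1;
                return true;
            }

            return valid;
        }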
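 /// <summary>
 /// Custom request validation: any form value that begins with '&lt;' is accepted without the
 /// built-in check; everything else is left to the base ASP.NET validator.
 /// </summary>
 /// <param name="context">The context of the current request.</param>
 /// <param name="value">The request data to validate.</param>
 /// <param name="requestValidationSource">The part of the request the value came from.</param>
 /// <param name="collectionKey">The key of the value in its request collection.</param>
 /// <param name="validationFailureIndex">-1 when the value is accepted here; otherwise whatever the base validator reports.</param>
 /// <returns>true if the value is accepted; otherwise the result of the base validator.</returns>
 protected override bool IsValidRequestString(
     HttpContext context, string value,
     RequestValidationSource requestValidationSource, string collectionKey,
     out int validationFailureIndex)
 {
     validationFailureIndex = -1;  // Default for the out parameter.

     // The exemption applies to every *form* field (not the query string) and is keyed only on the
     // first character. Ordinal comparison keeps the match exact.
     // NOTE(review): markup is exactly what the built-in check looks for, so this accepts the
     // values it would reject. Restrict the exemption to the specific field that carries XML and
     // encode the value on output.
     if ((requestValidationSource == RequestValidationSource.Form) &&
         value.StartsWith("<", System.StringComparison.Ordinal))
     {
         return true;
     }

     // All other HTTP input checks are left to the base ASP.NET implementation.
     return base.IsValidRequestString(context, value, requestValidationSource,
                                      collectionKey, out validationFailureIndex);
 }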
Esempio n. 14
        // value: contains the string that needs to be checked
        // RequestValidationSource: can be used to determine the kind of HTTP data that has been passed to be validated
        // collectionKey parameter: identifies the name of the key in the request collection that is being validated
        // validationFailureIndex: should only have a non-negative value when the string passed through value has forbidden chars and it should indicate the position of the string where that invalid char is used
        protected override bool IsValidRequestString(
            HttpContext context, string value,
            RequestValidationSource requestValidationSource, string collectionKey,
            out int validationFailureIndex)
        {
            // Default for the out parameter; the base call below always overwrites it.
            validationFailureIndex = -1;

            bool isFormOrQuery =
                (requestValidationSource == RequestValidationSource.Form) ||
                (requestValidationSource == RequestValidationSource.QueryString);

            if (isFormOrQuery)
            {
                // Form and query-string values are run through the formatter before validation.
                // NOTE(review): the base validator then inspects the formatted copy, while code that
                // later reads the request presumably sees the original text. Confirm that
                // Strings.FormatUserInput cannot turn a value the validator would reject into one it accepts.
                value = Strings.FormatUserInput(value);
            }

            // Every source ends up in the base ASP.NET implementation.
            return base.IsValidRequestString(context, value, requestValidationSource,
                                             collectionKey, out validationFailureIndex);
        }
Esempio n. 15
		// Wraps an existing collection and remembers which request source it belongs to.
		// Throws ArgumentNullException when no collection is supplied.
		public LazyWebROCollection (RequestValidationSource validationSource, WebROCollection wrapped)
		{
			if (wrapped == null) {
				throw new ArgumentNullException ("wrapped");
			}

			this.wrapped = wrapped;
			this.validationSource = validationSource;
		}
Esempio n. 16
        /// <summary>
        /// Stores the collection to wrap together with the request source it represents.
        /// </summary>
        /// <exception cref="ArgumentNullException"><paramref name="wrapped"/> is null.</exception>
        public LazyWebROCollection(RequestValidationSource validationSource, WebROCollection wrapped)
        {
            bool missingCollection = wrapped == null;
            if (missingCollection)
            {
                throw new ArgumentNullException("wrapped");
            }

            this.wrapped = wrapped;
            this.validationSource = validationSource;
        }
Esempio n. 17
        /// <summary>
        /// Custom request validation: the "password" form field is accepted as-is; everything else
        /// is left to the base validator.
        /// </summary>
        protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            bool isPasswordField =
                requestValidationSource == RequestValidationSource.Form &&
                collectionKey == "password";

            if (!isPasswordField)
            {
                return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
            }

            // Passwords may legitimately contain characters the built-in check rejects, and users
            // must still be able to log in. The exemption is safe only while the password is never
            // written back into a response.
            validationFailureIndex = 0;
            return true;
        }
Esempio n. 18
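    /// <summary>
    /// Custom request validation: the form field named by TokenXmlInputName is accepted without the
    /// built-in check; everything else is left to the base validator.
    /// </summary>
    /// <param name="context">The context of the current request.</param>
    /// <param name="value">The request data to validate.</param>
    /// <param name="requestValidationSource">The part of the request the value came from.</param>
    /// <param name="collectionKey">The key of the value in its request collection; may be null.</param>
    /// <param name="validationFailureIndex">0 when the value is accepted here; otherwise whatever the base validator reports.</param>
    /// <returns>true if the value is accepted; otherwise the result of the base validator.</returns>
    protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
    {
        validationFailureIndex = 0;

        // The static string.Equals tolerates a null collectionKey, which collectionKey.Equals(...) does not.
        bool isTokenField =
            requestValidationSource == RequestValidationSource.Form &&
            string.Equals(collectionKey, TokenXmlInputName, StringComparison.Ordinal);

        if (isTokenField)
        {
            // The field's content is not inspected here at all; whatever consumes it must parse
            // and verify it before trusting it.
            return true;
        }

        return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
    }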
Esempio n. 19
 /// <summary>
 /// Validates a string that contains HTTP request data.
 /// </summary>
 /// <param name="context">The context of the current request.</param>
 /// <param name="value">The HTTP request data to validate.</param>
 /// <param name="requestValidationSource">An enumeration that represents the source of request data that is being validated. The following are possible values for the enumeration: QueryString, Form, Cookies, Files, RawUrl, Path, PathInfo, Headers.</param>
 /// <param name="collectionKey">The key in the request collection of the item to validate. This parameter is optional. This parameter is used if the data to validate is obtained from a collection. If the data to validate is not from a collection, <paramref name="collectionKey" /> can be null.</param>
 /// <param name="validationFailureIndex">When this method returns, indicates the zero-based starting point of the problematic or invalid text in the request collection. This parameter is passed uninitialized.</param>
 /// <returns>
 /// true if the string to be validated is valid; otherwise, false.
 /// </returns>
 protected override bool IsValidRequestString( HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex )
 {
     // Only non-form sources reach the built-in validator.
     if ( requestValidationSource != RequestValidationSource.Form )
     {
         return base.IsValidRequestString( context, value, requestValidationSource, collectionKey, out validationFailureIndex );
     }

     // TODO: For now do not validate form values.  Eventually should provide way for just specific controls to be ignored
     // Until then every form field is unchecked, so output encoding is the only protection for form data.
     validationFailureIndex = -1;
     return true;
 }
Esempio n. 20
 /// <summary>
 /// Accepts every request value from every source; the base validator is never called.
 /// </summary>
 protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
 {
     // An earlier version rejected values containing "<script" (case-insensitive); that check is
     // disabled. With this validator registered, request validation is off for the whole
     // application, so every value must be encoded or parameterized where it is used.
     validationFailureIndex = 0;
     return true;
 }
Esempio n. 21
		/// <summary>
		/// Custom request validation: accepts the WS-Federation result form field when the
		/// unvalidated form parses as a sign-in response; everything else goes to the base validator.
		/// </summary>
		protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
		{
			validationFailureIndex = 0;

			bool isFederationResult =
				requestValidationSource == RequestValidationSource.Form &&
				!String.IsNullOrEmpty(collectionKey) &&
				collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal);

			if (isFederationResult)
			{
				// Read the form through the unvalidated accessor so that parsing the message does
				// not itself go through request validation.
				var rawForm = System.Web.Helpers.Validation.Unvalidated(context.Request).Form;
				var baseUrl = WSFederationMessage.GetBaseUrl(context.Request.Url);
				var signIn = WSFederationMessage.CreateFromNameValueCollection(baseUrl, rawForm) as SignInResponseMessage;

				// NOTE(review): only the message shape is checked here; token verification is
				// assumed to happen later in the federation pipeline. Confirm.
				if (signIn != null)
				{
					return true;
				}
			}

			return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
		}
Esempio n. 22
		// Recording wrapper: delegates to the base validator and appends one dictionary per call to
		// Calls, holding the arguments, the current raw URL, a stack trace and the outcome.
		// The whole call runs under the 'call' lock.
		protected override bool IsValidRequestString (HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
		{
			lock (call) {
				// The raw request value is stored verbatim; keep these records out of production logs.
				var record = new Dictionary<string, object> {
					{ "calledFrom", Environment.StackTrace },
					{ "rawUrl", HttpContext.Current.Request.RawUrl },
					{ "context", context != null },
					{ "value", value },
					{ "requestValidationSource", (int)requestValidationSource },
					{ "collectionKey", collectionKey }
				};

				bool accepted = base.IsValidRequestString (context, value, requestValidationSource, collectionKey, out validationFailureIndex);

				record ["returnValue"] = accepted;
				record ["validationFailureIndex"] = validationFailureIndex;

				Calls.Add (record);
				return accepted;
			}
		}
Esempio n. 23
        /// <summary>
        /// Runs the base validator, then accepts the value anyway when XSS protection is enabled in
        /// configuration and the value does not match xssPattern.
        /// </summary>
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = -1;

            bool baseVerdict = base.IsValidRequestString(
                context,
                value,
                requestValidationSource,
                collectionKey,
                out validationFailureIndex);

            // NOTE(review): with the setting enabled, the custom pattern becomes the only gate.
            // A value the base validator rejected is accepted whenever the pattern does not match
            // it, and validationFailureIndex keeps the base validator's position in that case.
            // Confirm this relaxation is intended.
            bool passesCustomPattern = ConfigurationManager.XssProtectionEnabled && !xssPattern.IsMatch(value);

            return passesCustomPattern || baseVerdict;
        }
Esempio n. 24
    /// <summary>
    /// Custom request validation: ignores the raw URL and accepts one exact XML-like value for the
    /// query-string key "data"; everything else is left to the base ASP.NET validator.
    /// </summary>
    protected override bool IsValidRequestString(
        HttpContext context, string value,
        RequestValidationSource requestValidationSource, string collectionKey,
        out int validationFailureIndex)
    {
        // Default for the out parameter on the paths that accept the value outright.
        validationFailureIndex = -1;

        // This application does not use RawUrl directly, so that source is not checked.
        if (requestValidationSource == RequestValidationSource.RawUrl)
        {
            return true;
        }

        bool isDataQuery =
            (requestValidationSource == RequestValidationSource.QueryString) &&
            (collectionKey == "data");

        // The exemption is an exact-match allow-list: only this literal value is let through.
        if (isDataQuery && value == "<example>1234</example>")
        {
            return true;
        }

        // Any other "data" value, and all other input, goes through the base ASP.NET check.
        return base.IsValidRequestString(context, value, requestValidationSource,
                                         collectionKey, out validationFailureIndex);
    }
Esempio n. 25
        /// <summary>
        /// Validates a string that contains HTTP request data.
        /// </summary>
        /// <param name="context">The context of the current request.</param>
        /// <param name="value">The HTTP request data to validate.</param>
        /// <param name="requestValidationSource">An enumeration that represents the source of request data that is being validated. The following are possible values for the enumeration: QueryString, Form, Cookies, Files, RawUrl, Path, PathInfo, Headers.</param>
        /// <param name="collectionKey">The key in the request collection of the item to validate. This parameter is optional. This parameter is used if the data to validate is obtained from a collection. If the data to validate is not from a collection, <paramref name="collectionKey"/> can be null.</param>
        /// <param name="validationFailureIndex">When this method returns, indicates the zero-based starting point of the problematic or invalid text in the request collection. This parameter is passed uninitialized.</param>
        /// <returns>
        /// true if the string to be validated is valid; otherwise, false.
        /// </returns>
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Default for the out parameter on the path that accepts the value outright.
            validationFailureIndex = -1;

            // The form field "xml" (a form field, not a query-string key) may carry XML-formatted
            // text, so it is exempt from the built-in check. Its content is not inspected here.
            bool isXmlField =
                (requestValidationSource == RequestValidationSource.Form) &&
                (collectionKey == "xml");

            if (!isXmlField)
            {
                return base.IsValidRequestString(
                    context,
                    value,
                    requestValidationSource,
                    collectionKey,
                    out validationFailureIndex);
            }

            return true;
        }
Esempio n. 26
        /// <summary>
        /// Always reports the value as valid. A value with at least one character outside
        /// [a-zA-Z0-9_] is appended to the request-scoped "Irv.Engine.TaintfulParams" list for
        /// later response validation.
        /// </summary>
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = -1;

            // Position of the first character that is not an ASCII letter, digit or underscore.
            var firstOther = -1;

            for (var pos = 0; pos < value.Length && firstOther < 0; pos++)
            {
                var c = value[pos];
                var isWordChar = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                                 (c >= '0' && c <= '9') || (c == '_');

                if (!isWordChar)
                {
                    firstOther = pos;
                }
            }

            if (firstOther >= 0)
            {
                // Lazily create the per-request list, then record where the value came from.
                if (!context.Items.Contains("Irv.Engine.TaintfulParams"))
                {
                    context.Items["Irv.Engine.TaintfulParams"] = new List<RequestValidationParam>();
                }

                var taintedParams = (List<RequestValidationParam>)context.Items["Irv.Engine.TaintfulParams"];
                taintedParams.Add(
                    new RequestValidationParam(requestValidationSource.ToString(), collectionKey, value));
            }

            // Nothing is rejected at request time; the recorded list is what later checks rely on.
            return true;
        }
        /// <summary>
        /// Default validation: the value is valid unless HttpRequest.IsInvalidString flags it.
        /// The context, source and key arguments are not used by this implementation.
        /// </summary>
        protected internal virtual bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            bool flagged = HttpRequest.IsInvalidString(value, out validationFailureIndex);
            return !flagged;
        }
Esempio n. 28
        /// <summary>
        /// Validates a string that contains HTTP request data.
        /// </summary>
        /// <param name="context">The context of the current request.</param>
        /// <param name="value">The HTTP request data to validate.</param>
        /// <param name="requestValidationSource">An enumeration that represents the source of request data that is being validated. The following are possible values for the enumeration: QueryString, Form, Cookies, Files, RawUrl, Path, PathInfo, Headers.</param>
        /// <param name="collectionKey">The key in the request collection of the item to validate. This parameter is optional. This parameter is used if the data to validate is obtained from a collection. If the data to validate is not from a collection, <paramref name="collectionKey" /> can be null.</param>
        /// <param name="validationFailureIndex">When this method returns, indicates the zero-based starting point of the problematic or invalid text in the request collection. This parameter is passed uninitialized.</param>
        /// <returns>
        /// true if the string to be validated is valid; otherwise, false.
        /// </returns>
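        protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            bool valid = base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);

            // Only form data rejected by the base validator is eligible for an exemption.
            if (valid || requestValidationSource != RequestValidationSource.Form)
            {
                return valid;
            }

            // Guard Request once for both exemptions; the second one used to dereference it unchecked.
            if (context == null || context.Request == null)
            {
                return valid;
            }

            // NOTE(review): the path suffix and the companion form field below both come from the
            // request, so the sender decides whether validation is skipped. Prefer a server-side
            // allow-list of handlers and fields, and encode exempted values on output.

            if (context.Request.Path.EndsWith(".ashx", System.StringComparison.OrdinalIgnoreCase))
            {
                // Requests to .ashx handlers are treated as webhooks and allowed.
                validationFailureIndex = -1;
                return true;
            }

            // A form field named "<key>_dvrm" that AsBoolean(true) evaluates to true allows the
            // otherwise invalid value.
            var disableFlag = context.Request.Form[collectionKey + "_dvrm"];
            if (disableFlag != null && disableFlag.AsBoolean(true))
            {
                validationFailureIndex = -1;
                return true;
            }

            return valid;
        }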
Esempio n. 29
        /// <summary>
        /// Records the arguments and the outcome of every validation call in <c>Calls</c> and
        /// returns what the base validator returned.
        /// </summary>
        /// <remarks>
        /// Each record keeps the raw request value and the raw URL; anything that later dumps
        /// <c>Calls</c> is handling unvalidated request data.
        /// </remarks>
        protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            lock (call) {
                // Inputs are captured before delegating to the base validator.
                var record = new Dictionary <string, object> {
                    { "calledFrom", Environment.StackTrace },
                    { "rawUrl", HttpContext.Current.Request.RawUrl },
                    { "context", context != null },
                    { "value", value },
                    { "requestValidationSource", (int)requestValidationSource },
                    { "collectionKey", collectionKey }
                };

                bool result = base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);

                // Outputs are added once the base call has produced them.
                record.Add("returnValue", result);
                record.Add("validationFailureIndex", validationFailureIndex);

                Calls.Add(record);
                return result;
            }
        }
        /// <summary>
        /// Accepts every request string. The WS-Federation-aware check and the call to the base
        /// validator are commented out in the body.
        /// </summary>
        /// <remarks>
        /// While this override is the registered validator, no request data from any source is
        /// inspected, so input handling and output encoding elsewhere carry the whole load.
        /// </remarks>
        /// <returns>Always true; <paramref name="validationFailureIndex"/> is set to 0.</returns>
        protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            // TODO Review stack overflow
            // Disabled implementation, kept for reference:
            ////if (requestValidationSource == RequestValidationSource.Form && collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
            ////{
            ////    SignInResponseMessage message = WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage;

            ////    if (message != null)
            ////    {
            ////        return true;
            ////    }
            ////}

            ////return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);

            validationFailureIndex = 0;
            return true;
        }
        /// <summary>
        /// Validates a string that contains HTTP request data, exempting the "wresult" form
        /// field when the request is executing "/AcsRedirect".
        /// </summary>
        /// <remarks>
        /// The exemption is keyed on the field name and the execution path only; the field's
        /// content is not examined here, so the code behind "/AcsRedirect" has to treat it as
        /// untrusted input.
        /// </remarks>
        /// <param name="context">The context of the current request.</param>
        /// <param name="value">The HTTP request data to validate.</param>
        /// <param name="requestValidationSource">The source of the request data being validated: QueryString, Form, Cookies, Files, RawUrl, Path, PathInfo or Headers.</param>
        /// <param name="collectionKey">The key in the request collection of the item to validate. It can be null when the data does not come from a collection.</param>
        /// <param name="validationFailureIndex">When this method returns, the zero-based starting point of the problematic text (0 when the exemption applied).</param>
        /// <returns>
        /// true if the string is valid or exempted; otherwise, false.
        /// </returns>
        protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // A null or empty key can never equal "wresult", so one ordinal comparison covers it.
            bool isWresultField = requestValidationSource == RequestValidationSource.Form
                                  && string.Equals(collectionKey, "wresult", StringComparison.Ordinal);

            if (isWresultField && context.Request.CurrentExecutionFilePath.Equals("/AcsRedirect", StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }

            return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
Esempio n. 32
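        /// <summary>
        /// Rejects any request string that contains "&lt;script" (in any letter case) and redirects
        /// the response to the input-error page; everything else is accepted.
        /// </summary>
        /// <remarks>
        /// The base validator is never called, so this single-substring deny-list is the only
        /// check applied. Markup that runs script without a script tag is not covered; output
        /// encoding at render time remains the actual protection against injected markup.
        /// </remarks>
        /// <param name="context">The current request context; used only to issue the redirect.</param>
        /// <param name="value">The request data to inspect.</param>
        /// <param name="requestValidationSource">Not consulted; every source is treated alike.</param>
        /// <param name="collectionKey">Not consulted.</param>
        /// <param name="validationFailureIndex">Index of the match when rejected; otherwise 0.</param>
        /// <returns>false when "&lt;script" was found; otherwise true.</returns>
        protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            // Compare ordinally and case-insensitively. The previous ToLower() + IndexOf(string)
            // pair was culture-sensitive, so the result depended on the thread culture: under a
            // culture whose casing rules map the letters differently the tag no longer matched.
            int idx = value.IndexOf("<script", System.StringComparison.OrdinalIgnoreCase);

            if (idx < 0)
            {
                validationFailureIndex = 0;
                return true;
            }

            validationFailureIndex = idx;
            context.Response.Redirect("~/Home/InputError");
            return false;
        }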
Esempio n. 33
		// Runs every non-empty value of the collection through the current RequestValidator and
		// raises a validation exception for the first one it rejects. A null collection is a no-op.
		// name:   label handed to ThrowValidationException for the collection.
		// source: which part of the request the collection came from.
		static void ValidateNameValueCollection (string name, NameValueCollection coll, RequestValidationSource source)
		{
			if (coll == null)
				return;

			RequestValidator validator = RequestValidator.Current;
			int validationFailureIndex;
			HttpContext context = HttpContext.Current;

			foreach (string key in coll.Keys) {
				string val = coll [key];

				// Null and empty values are never handed to the validator.
				if (string.IsNullOrEmpty (val))
					continue;

				bool accepted = validator.IsValidRequestString (context, val, source, key, out validationFailureIndex);
				if (!accepted)
					ThrowValidationException (name, key, val);
			}
		}
Esempio n. 34
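        /// <summary>
        /// Validates request data, exempting the "wresult" form field when the posted form parses
        /// as a WS-Federation sign-in response.
        /// </summary>
        /// <remarks>
        /// The exemption only establishes that the form post has the shape of a sign-in response.
        /// NOTE(review): nothing in this method verifies the token carried in "wresult"; confirm
        /// that the federation pipeline validates it before it is trusted.
        /// </remarks>
        /// <param name="context">The context of the current request.</param>
        /// <param name="value">The request data to validate.</param>
        /// <param name="requestValidationSource">The part of the request the data came from.</param>
        /// <param name="collectionKey">The key of the item in its request collection; may be null.</param>
        /// <param name="validationFailureIndex">Set by the base validator; 0 when the exemption applied.</param>
        /// <returns>true if the value is valid or exempted; otherwise false.</returns>
        protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // string.Equals tolerates a null key; calling collectionKey.Equals directly threw a
            // NullReferenceException for form entries that have no key.
            if (requestValidationSource == RequestValidationSource.Form &&
                string.Equals(collectionKey, "wresult", StringComparison.Ordinal))
            {
                // The wrapper is needed only on this path, so it is no longer built for every
                // validated string.
                HttpContextWrapper contextWrapper = new HttpContextWrapper(HttpContext.Current);
                SignInResponseMessage message = WSFederationMessage.CreateFromFormPost(contextWrapper.Request) as SignInResponseMessage;

                if (message != null)
                {
                    return true;
                }
            }

            return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }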
Esempio n. 35
 /// <summary>
 /// Accepts every request string without inspecting it.
 /// </summary>
 /// <remarks>
 /// No source (query string, form, cookies, headers, ...) is checked, so an application that
 /// registers this validator has request validation switched off in effect and depends
 /// entirely on its own input handling and output encoding.
 /// </remarks>
 /// <returns>Always true; <paramref name="validationFailureIndex"/> is set to -1.</returns>
 protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
 {
     const int noFailure = -1;

     validationFailureIndex = noFailure;
     return true;
 }
Esempio n. 36
        /// <summary>
        /// Accepts all query-string and form values unchecked and defers to the base validator
        /// for every other source.
        /// </summary>
        /// <remarks>
        /// Query string and form are the two collections a client fills most directly; with both
        /// exempted, every handler that reads them has to validate and encode for itself.
        /// </remarks>
        /// <returns>true for QueryString and Form; otherwise the base validator's result.</returns>
        protected override bool IsValidRequestString(System.Web.HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            // Set a default value for the out parameter.
            validationFailureIndex = -1;

            switch (requestValidationSource)
            {
                case RequestValidationSource.QueryString:
                case RequestValidationSource.Form:
                    return true;

                default:
                    return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
            }
        }
Esempio n. 37
 // Replaces the request collection behind fieldAccessor with one whose contents are loaded and
 // validated lazily, and hands an unvalidated copy to storeInUnvalidatedCollection.
 //   fieldAccessor                - reads/writes the backing field that holds the collection.
 //   propertyAccessor             - returns the collection through its regular property getter.
 //   storeInUnvalidatedCollection - receives the collection that callers may read without validation.
 //   validationSource / validationSourceFlag - identify the collection for the validation
 //                                  callback and for the per-request validation flag.
 // All private state is reached through _reflectionUtil, whose implementation is not visible here.
 private static void ReplaceCollection(HttpContext context, FieldAccessor<NameValueCollection> fieldAccessor, Func<NameValueCollection> propertyAccessor, Action<NameValueCollection> storeInUnvalidatedCollection, RequestValidationSource validationSource, ValidationSourceFlag validationSourceFlag)
 {
     NameValueCollection originalBackingCollection;
     ValidateStringCallback validateString;
     SimpleValidateStringCallback simpleValidateString;
     Func<NameValueCollection> getActualCollection;
     Action<NameValueCollection> makeCollectionLazy;
     HttpRequest request = context.Request;
     // Reads the request's validation flag for this source.
     Func<bool> getValidationFlag = () => _reflectionUtil.GetRequestValidationFlag(request, validationSourceFlag);
     // True when the flag is cleared; used further down under the name hasValidationFired.
     Func<bool> func = () => !getValidationFlag();
     Action<bool> setValidationFlag = delegate (bool value) {
         _reflectionUtil.SetRequestValidationFlag(request, validationSourceFlag, value);
     };
     if ((fieldAccessor.Value != null) && func())
     {
         // The collection already exists and the flag is cleared: expose it as the unvalidated
         // collection as it is.
         storeInUnvalidatedCollection(fieldAccessor.Value);
     }
     else
     {
         originalBackingCollection = fieldAccessor.Value;
         validateString = _reflectionUtil.MakeValidateStringCallback(context.Request);
         // Per-entry check: keys starting with "__" and null/empty values are skipped, everything
         // else goes to the validation callback.
         simpleValidateString = delegate (string value, string key) {
             if (((key == null) || !key.StartsWith("__", StringComparison.Ordinal)) && !string.IsNullOrEmpty(value))
             {
                 validateString(value, key, validationSource);
             }
         };
         // Puts the original backing collection back, reads the real collection through the
         // property getter with the validation flag temporarily set to false, restores the flag,
         // and stores a copy of the result as the unvalidated collection.
         getActualCollection = delegate {
             fieldAccessor.Value = originalBackingCollection;
             bool flag = getValidationFlag();
             setValidationFlag(false);
             NameValueCollection col = propertyAccessor();
             setValidationFlag(flag);
             storeInUnvalidatedCollection(new NameValueCollection(col));
             return col;
         };
         // Validates the null-keyed entry right away, then swaps the collection's entries array
         // and entries table for wrappers that are given simpleValidateString.
         makeCollectionLazy = delegate (NameValueCollection col) {
             simpleValidateString(col[null], null);
             LazilyValidatingArrayList array = new LazilyValidatingArrayList(_reflectionUtil.GetNameObjectCollectionEntriesArray(col), simpleValidateString);
             _reflectionUtil.SetNameObjectCollectionEntriesArray(col, array);
             LazilyValidatingHashtable table = new LazilyValidatingHashtable(_reflectionUtil.GetNameObjectCollectionEntriesTable(col), simpleValidateString);
             _reflectionUtil.SetNameObjectCollectionEntriesTable(col, table);
         };
         Func<bool> hasValidationFired = func;
         Action disableValidation = delegate {
             setValidationFlag(false);
         };
         // Loads the real collection, makes it lazily validating and reports its entry count.
         Func<int> fillInActualFormContents = delegate {
             NameValueCollection values = getActualCollection();
             makeCollectionLazy(values);
             return values.Count;
         };
         // Install a placeholder collection whose entries array is the deferred list built from
         // the three callbacks above. NOTE(review): when the list invokes them is decided inside
         // DeferredCountArrayList, which is not shown here.
         DeferredCountArrayList list = new DeferredCountArrayList(hasValidationFired, disableValidation, fillInActualFormContents);
         NameValueCollection target = _reflectionUtil.NewHttpValueCollection();
         _reflectionUtil.SetNameObjectCollectionEntriesArray(target, list);
         fieldAccessor.Value = target;
     }
 }
Esempio n. 38
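 /// <summary>
 /// Skips request validation for form fields whose name ends with "Html" (any letter case)
 /// and applies the standard validation to everything else.
 /// </summary>
 /// <remarks>
 /// Field names are chosen by whoever submits the form, so the exemption covers any posted
 /// field with that suffix, not only the ones the application renders. Each consumer of such a
 /// field has to sanitize the markup before storing or echoing it.
 /// </remarks>
 /// <param name="context">The context of the current request.</param>
 /// <param name="value">The request data to validate.</param>
 /// <param name="requestValidationSource">The part of the request the data came from.</param>
 /// <param name="collectionKey">The key of the item in its request collection; may be null.</param>
 /// <param name="validationFailureIndex">Set by the base validator; 0 when validation was skipped.</param>
 /// <returns>true if the value is exempted or valid; otherwise false.</returns>
 protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
 {
     // The key can be null for entries without a name; the unguarded EndsWith call threw a
     // NullReferenceException for those instead of validating them.
     if (requestValidationSource == RequestValidationSource.Form
         && collectionKey != null
         && collectionKey.EndsWith("Html", StringComparison.OrdinalIgnoreCase))
     {
         // For form fields ending with "Html" skip the validation
         validationFailureIndex = 0;
         return true;
     }

     // For all others, perform standard validation
     return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
 }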
Esempio n. 39
 /// <summary>
 /// Pass-through override: hands every argument to the base validator and returns its verdict
 /// unchanged.
 /// </summary>
 protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
 {
     bool verdict = base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
     return verdict;
 }
Esempio n. 40
        /// <summary>
        /// This method bypasses the security alert raised for values that may be potentially
        /// dangerous: every string that contains HTTP request data is reported as valid.
        /// </summary>
        /// <remarks>
        /// The call to the base ASP.NET implementation is commented out in the body, so no source
        /// is inspected; the application's own input handling and output encoding are the only
        /// protection left.
        /// </remarks>
        /// <param name="context">The context of the current request.</param>
        /// <param name="value">The HTTP request data to validate.</param>
        /// <param name="requestValidationSource">The source of the request data being validated: QueryString, Form, Cookies, Files, RawUrl, Path, PathInfo or Headers.</param>
        /// <param name="collectionKey">The key in the request collection of the item to validate. It can be null when the data does not come from a collection.</param>
        /// <param name="validationFailureIndex">Always set to -1 by this implementation.</param>
        /// <returns>
        /// Always true.
        /// </returns>
        protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            // Disabled: all other HTTP input checks were left to the base ASP.NET implementation.
            //    return base.IsValidRequestString(
            //                                        context,
            //                                        value,
            //                                        requestValidationSource,
            //                                        collectionKey,
            //                                        out validationFailureIndex);

            // -1 is the default value for the out parameter; no failure position is ever reported.
            validationFailureIndex = -1;
            return true;
        }
Esempio n. 41
        /// <summary>
        /// Logs form and query-string values to a per-client file, rejects values that match a
        /// keyword deny-list, lets form values through unchecked on URLs that IsAllow accepts
        /// from the "AllowHtmlUrl" setting, and otherwise defers to the base validator.
        /// </summary>
        /// <remarks>
        /// NOTE(review): the deny-list is keyword matching on the raw value. It also rejects
        /// ordinary text (any apostrophe, or "and"/"from"/"where" followed by whitespace) and is
        /// not a replacement for parameterized queries and output encoding.
        /// </remarks>
        /// <returns>
        /// false when the visit log for the client exceeds 4194304 bytes or the value matches the
        /// deny-list; true when the allow-list applies; otherwise the base validator's result.
        /// </returns>
        protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            validationFailureIndex = -1;
            if (requestValidationSource == RequestValidationSource.Form || requestValidationSource == RequestValidationSource.QueryString)
            {
                // Visit log: one directory per day, one file per client address.
                // NOTE(review): key, value and URL are written as received. Form fields can hold
                // credentials, and line breaks inside a value are not neutralised, so one value
                // can produce several log lines - confirm who reads these files and how.
                string path = AppDomain.CurrentDomain.BaseDirectory.ToString() + "VisitLog\\" + Common.NowDate.ToString("yyyyMMdd");
                System.IO.DirectoryInfo di = new System.IO.DirectoryInfo(path);
                if (!di.Exists)
                {
                    di.Create();
                }
                string logfile = context.Request.UserHostAddress + ".log";
                try
                {
                    FileInfo fi = new FileInfo(Path.Combine(path, logfile));
                    // Once the file is larger than 4194304 bytes the value is rejected outright;
                    // validationFailureIndex is still -1 at this point.
                    if (fi.Exists && fi.Length > 4194304)
                    {
                        return(false);
                    }
                    File.AppendAllText(Path.Combine(path, logfile), Common.NowDate.ToString("yyyy-MM-dd HH:mm:ss: ") + string.Format("key:{0},value:{1},url:{2}", collectionKey, value, context.Request.Url) + "\r\n", Encoding.UTF8);
                }
                // Logging is best-effort: any failure is discarded without a trace.
                catch (Exception) { }
            }
            // Keyword deny-list for form and query-string values (case-insensitive).
            if ((requestValidationSource == RequestValidationSource.Form || requestValidationSource == RequestValidationSource.QueryString) &&
                (Regex.IsMatch(value, @"'+|case[ \t\n\r]+|convert[ \t\n\r]+|union[ \t\n\r]+|where[ \t\n\r]+|when[ \t\n\r]+|and[ \t\n\r]+|select[ \t\n\r]+|insert[ \t\n\r]+|delete[ \t\n\r]+|from[ \t\n\r]+|cast[ \t\n\r]*\(|count[ \t\n\r]*\(|drop[ \t\n\r]+|update[ \t\n\r]+|truncate[ \t\n\r]+|asc[ \t\n\r]*\(|mid[ \t\n\r]*\(|char[ \t\n\r]*\(|chr[ \t\n\r]*\(|xp_cmdshell|exec[ \t\n\r]+|[ \t\n\r]+master|netlocalgroup[ \t\n\r]+|administrator|net[ \t\n\r]+user|<script[\s\S]+</script *>", RegexOptions.IgnoreCase)))
            {
                // Rejected values go to an hourly file under "Exception". Unlike the visit log,
                // this directory is not created here; if it is missing the write fails and the
                // failure is swallowed below.
                string path2 = AppDomain.CurrentDomain.BaseDirectory.ToString() + "Exception";
                string str2  = Common.NowDate.ToString("yyyyMMddHH") + ".log";
                try
                {
                    File.AppendAllText(Path.Combine(path2, str2), Common.NowDate.ToString("yyyy-MM-dd HH:mm:ss: ") + string.Format("ip:{2},key:{0},value:{1},url:{3}", collectionKey, value, context.Request.UserHostAddress, context.Request.Url) + "\r\n", Encoding.UTF8);
                }
                catch (Exception) { }
                return(false);
            }
            // Comma-separated list read from configuration and handed to IsAllow.
            string allowUrl = ConfigurationManager.AppSettings["AllowHtmlUrl"];

            if (!string.IsNullOrEmpty(allowUrl))
            {
                string[] allowUrls = allowUrl.Split(',');
                // NOTE(review): the comment on the next line speaks of the query string, but the
                // condition tests RequestValidationSource.Form.
                if (requestValidationSource == RequestValidationSource.Form)    //validate the query string
                {
                    // NOTE(review): the comment on the next line describes a check for '<', while
                    // the code asks IsAllow (defined elsewhere) about the raw URL; a match skips
                    // the base validator for this form value.
                    if (IsAllow(allowUrls, HttpContext.Current.Request.RawUrl)) //check whether it contains '<'; other special characters could also be checked, or some ignored.
                    {
                        return(true);
                    }
                }
            }
            return(base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex));
        }
    /// <summary>
    /// Placeholder body: sets the failure index to 0 and returns false without examining any
    /// argument.
    /// </summary>
    protected internal virtual new bool IsValidRequestString(System.Web.HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
    {
      // Same values as default(int) and default(bool).
      validationFailureIndex = 0;

      return false;
    }
        /// <summary>
        /// Walks a JSON document, HTML-encoding its top-level string values, prints the result to
        /// the console, and then validates <paramref name="value"/> with the base validator after
        /// normalizing it to Unicode form KC.
        /// </summary>
        /// <remarks>
        /// Only the final statement influences the return value; the JSON handling has no effect
        /// on what is accepted or rejected.
        /// </remarks>
        protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            // The request body is read to its end here. Nothing in this method rewinds the stream
            // or disposes the reader.
            var data = new StreamReader(HttpContext.Current.Request.InputStream).ReadToEnd();

            // NOTE(review): the body just read is replaced by a fixed sample document, so the
            // code below never sees real request data - this looks like a debugging leftover.
            data = "{\"PageNo\":1,\"PageSize\":50,\"script\":\"<script>alert('hi')</script>\"}";

            // Second sample document; it is assigned but not used anywhere in this method.
            string json = @"
                    {
                        ""routes"": [
                            {
                                ""bounds"": {
                                    ""northeast"": {
                                        ""lat"": 50.4639653,
                                        ""lng"": 30.6325177
                                    },
                                    ""southwest"": {
                                        ""lat"": 50.4599625,
                                        ""lng"": 30.6272425
                                    }
                                },
                                ""legs"": [
                                    {
                                        ""distance"": {
                                            ""text"": ""1.7 km"",
                                            ""message"": ""<script>alert('Hi gentleman')</script>"",
                                            ""value"": 1729
                                        },
                                        ""duration"": {
                                            ""text"": ""4 mins"",
                                            ""message"": ""<script>alert('Hi gentleman')</script>"",
                                            ""value"": 223
                                        }
                                    },
                                    {
                                        ""distance"": {
                                            ""text"": ""2.3 km"",
                                            ""message"": ""<script>alert('Hi gentleman')</script>"",
                                            ""value"": 2301
                                        },
                                        ""duration"": {
                                            ""text"": ""5 mins"",
                                            ""message"": ""<script>alert('Hi gentleman')</script>"",
                                            ""value"": 305
                                        }
                                    }
                                ]
                            }
                        ],
            ""TestObject"":""viniston""
                    }";
            if (data != null && data != "")
            {

                JObject jo = JObject.Parse(data);

                // Dispatch on the type of each top-level property.
                foreach (var token in jo)
                {

                    if (jo[token.Key].Type == JTokenType.Object)
                    {

                        // Nested objects are handed to formatobj (defined elsewhere).
                        formatobj(token.Value as JObject);

                    }
                    else if (jo[token.Key].Type == JTokenType.Array)
                    {
                        foreach (var child in token.Value.Children())
                        {
                            //do something with the JSON array items
                            // NOTE(review): "as JObject" yields null for array items that are not
                            // objects - confirm formatobj accepts null.
                            formatobj(child as JObject);
                        }
                    }
                    else if (jo[token.Key].Type == JTokenType.String)
                    {
                        // Top-level strings are replaced by their HTML-encoded form.
                        jo[token.Key] = HttpUtility.HtmlEncode(token.Value);

                    }
                    else
                    {
                        //do something with a JSON value
                    }

                }

                // The encoded document is only printed; it is neither returned nor written back
                // to the request.
                Console.WriteLine(jo);

            }

            // Compatibility forms are folded to their plain equivalents (form KC) before the base
            // check. NOTE(review): validationFailureIndex then refers to the normalized string,
            // and the rest of the pipeline still receives the un-normalized value.
            return base.IsValidRequestString(context, value.Normalize(NormalizationForm.FormKC), requestValidationSource, collectionKey, out validationFailureIndex);
        }
Esempio n. 44
		// Raises a validation exception when a non-empty value is flagged by IsInvalidString.
		// Null and empty values are never checked. The position reported by IsInvalidString is
		// not used.
		internal static void ValidateString (string key, string value, RequestValidationSource source)
		{
#pragma warning disable 219
			int failureIndex;
#pragma warning restore 219
			bool hasContent = !String.IsNullOrEmpty (value);

			if (hasContent && IsInvalidString (value, out failureIndex))
				ThrowValidationException (source.ToString (), key, value);
		}
 // Validates every entry of the collection by position. Entries whose key starts with "__"
 // and entries with a null or empty value are skipped; entries with a null key are validated.
 private void ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection)
 {
     // The count is read once, before the loop starts.
     for (int index = 0, total = nvc.Count; index < total; index++)
     {
         string name = nvc.GetKey(index);
         if ((name != null) && name.StartsWith("__", StringComparison.Ordinal))
         {
             continue;
         }

         string entry = nvc.Get(index);
         if (string.IsNullOrEmpty(entry))
         {
             continue;
         }

         this.ValidateString(entry, name, requestCollection);
     }
 }
Esempio n. 46
 // See http://social.technet.microsoft.com/wiki/contents/articles/1725.windows-identity-foundation-wif-a-potentially-dangerous-request-form-value-was-detected-from-the-client-wresult-t-requestsecurityto/history.aspx
 /// <summary>
 /// Validates request data, exempting the WS-Federation result form field when the unvalidated
 /// form values parse as a sign-in response message.
 /// </summary>
 /// <remarks>
 /// NOTE(review): the exemption establishes only that the post has the shape of a sign-in
 /// response; confirm that the token it carries is verified before it is trusted.
 /// </remarks>
 /// <returns>true if the value is exempted or valid; otherwise false.</returns>
 protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
 {
     validationFailureIndex = 0;

     bool isResultField = requestValidationSource == RequestValidationSource.Form
         && !String.IsNullOrEmpty(collectionKey)
         && collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal);

     if (isResultField)
     {
         // The form is read through the unvalidated accessor before the message is built.
         var rawForm = GetUnvalidatedFormValues(context);
         var baseUrl = WSFederationMessage.GetBaseUrl(context.Request.Url);
         var parsed = WSFederationMessage.CreateFromNameValueCollection(baseUrl, rawForm);

         if (parsed is SignInResponseMessage)
         {
             return true;
         }
     }

     return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
 }
 // Strips null characters from the value, asks the current RequestValidator about it and, on
 // rejection, throws HttpRequestValidationException. The message quotes the key and an excerpt
 // of the value: up to 10 characters before and 20 characters from the reported failure
 // position, with "..." wherever the excerpt does not reach the start or the end of the value.
 // NOTE(review): the excerpt is raw request data; whatever displays or logs the exception
 // message should encode it.
 private void ValidateString(string value, string collectionKey, RequestValidationSource requestCollection)
 {
     int failureIndex;
     value = RemoveNullCharacters(value);
     if (RequestValidator.Current.IsValidRequestString(this.Context, value, requestCollection, collectionKey, out failureIndex))
     {
         return;
     }

     // Left edge of the excerpt, clamped to the start of the value.
     int excerptStart = failureIndex - 10;
     bool startsAtBeginning = excerptStart <= 0;
     if (startsAtBeginning)
     {
         excerptStart = 0;
     }

     // Right edge of the excerpt, clamped to the end of the value.
     int excerptEnd = failureIndex + 20;
     bool reachesEnd = excerptEnd >= value.Length;
     if (reachesEnd)
     {
         excerptEnd = value.Length;
     }

     string excerpt = collectionKey + "=\""
         + (startsAtBeginning ? "" : "...")
         + value.Substring(excerptStart, excerptEnd - excerptStart)
         + (reachesEnd ? "\"" : "...\"");

     string requestValidationSourceName = GetRequestValidationSourceName(requestCollection);
     throw new HttpRequestValidationException(System.Web.SR.GetString("Dangerous_input_detected", new object[] { requestValidationSourceName, excerpt }));
 }
Esempio n. 48
 /// <summary>
 /// Skips request validation for query-string and form entries whose key contains "crv_" and
 /// applies the base validation to everything else.
 /// </summary>
 /// <remarks>
 /// The match is a substring test on a key the client supplies, so it applies to any field
 /// name that contains "crv_" anywhere. Consumers of such fields have to treat the values as
 /// unvalidated input.
 /// </remarks>
 /// <returns>true if the entry is exempted or valid; otherwise false.</returns>
 protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
 {
     validationFailureIndex = -1;

     bool fromQueryOrForm = (requestValidationSource == RequestValidationSource.QueryString)
         || (requestValidationSource == RequestValidationSource.Form);
     bool keyIsExempt = !string.IsNullOrEmpty(collectionKey) && collectionKey.Contains("crv_");

     if (fromQueryOrForm && keyIsExempt)
     {
         return true;
     }

     return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
 }
Esempio n. 49
 /// <summary>
 /// Accepts every request string without inspecting it.
 /// </summary>
 /// <remarks>
 /// None of the arguments is read, so no request source is validated while this override is
 /// the registered validator; input handling and output encoding elsewhere are the only
 /// protection.
 /// </remarks>
 /// <returns>Always true; <paramref name="validationFailureIndex"/> is set to -1.</returns>
 protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
 {
     const int noFailure = -1;

     validationFailureIndex = noFailure;
     return true;
 }
Esempio n. 50
        // Maps a validation source to the name of the matching Request property, as used in
        // validation error messages. Values without an explicit case fall back to
        // "Request." followed by the enum value's own text.
        private static string GetRequestValidationSourceName(RequestValidationSource requestCollection) {
            string label;

            switch (requestCollection) {
                case RequestValidationSource.Cookies:
                    label = "Request.Cookies";
                    break;
                case RequestValidationSource.Files:
                    label = "Request.Files";
                    break;
                case RequestValidationSource.Form:
                    label = "Request.Form";
                    break;
                case RequestValidationSource.Headers:
                    label = "Request.Headers";
                    break;
                case RequestValidationSource.Path:
                    label = "Request.Path";
                    break;
                case RequestValidationSource.PathInfo:
                    label = "Request.PathInfo";
                    break;
                case RequestValidationSource.QueryString:
                    label = "Request.QueryString";
                    break;
                case RequestValidationSource.RawUrl:
                    label = "Request.RawUrl";
                    break;
                default:
                    label = "Request." + requestCollection.ToString();
                    break;
            }

            return label;
        }
 /// <summary>
 /// Public entry point that forwards to <c>IsValidRequestString</c> with the same arguments
 /// and returns its result.
 /// </summary>
 public bool InvokeIsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
 {
     bool accepted = IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
     return accepted;
 }
Esempio n. 52
        // Strips null characters from the value, asks the current RequestValidator about it and,
        // on rejection, throws HttpRequestValidationException with an excerpt of the value.
        // NOTE(review): the excerpt is raw request data; whatever displays or logs the exception
        // message should encode it.
        private void ValidateString(string value, string collectionKey, RequestValidationSource requestCollection) {

            value = RemoveNullCharacters(value);

            // Only provide the HttpContext if this is an actual HttpRequest; pass null
            // if this is simply a shell that exists for WebSockets.
            HttpContext contextToProvide = HasTransitionedToWebSocketRequest ? null : Context;

            int validationFailureIndex;
            bool accepted = RequestValidator.Current.IsValidRequestString(contextToProvide, value, requestCollection, collectionKey, out validationFailureIndex);
            if (accepted) {
                return;
            }

            // Display only the piece of the string that caused the problem: up to 10 characters
            // before and 20 characters from the reported position.
            int startIndex = validationFailureIndex - 10;
            bool startsAtBeginning = startIndex <= 0;
            if (startsAtBeginning) {
                startIndex = 0;
            }

            int endIndex = validationFailureIndex + 20;
            bool reachesEnd = endIndex >= value.Length;
            if (reachesEnd) {
                endIndex = value.Length;
            }

            // "..." marks each side on which the excerpt stops short of the full value.
            string detectedString = collectionKey + "=\""
                + (startsAtBeginning ? "" : "...")
                + value.Substring(startIndex, endIndex - startIndex)
                + (reachesEnd ? "\"" : "...\"");

            string collectionName = GetRequestValidationSourceName(requestCollection);
            throw new HttpRequestValidationException(SR.GetString(SR.Dangerous_input_detected,
                collectionName, detectedString));
        }
 /// <summary>
 /// Pass-through override: the base validator decides, and its verdict and failure index are
 /// returned unchanged.
 /// </summary>
 protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
 {
     bool verdict = base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
     return verdict;
 }
Esempio n. 54
        // Validates a request collection either lazily or eagerly, depending on
        // GranularValidationEnabled.
        private void ValidateHttpValueCollection(HttpValueCollection collection, RequestValidationSource requestCollection) {
            if (GranularValidationEnabled) {
                // Granular request validation is enabled - validate collection entries only as they're accessed.
                collection.EnableGranularValidation((key, value) => ValidateString(value, key, requestCollection));
                return;
            }

            // Granular request validation is disabled - eagerly validate all collection entries.
            int total = collection.Count;

            for (int index = 0; index < total; index++) {
                String name = collection.GetKey(index);

                // Certain fields shouldn't go through validation - see comments in KeyIsCandidateForValidation for more information.
                if (HttpValueCollection.KeyIsCandidateForValidation(name)) {
                    String entry = collection.Get(index);

                    // Null and empty values are not validated.
                    if (!String.IsNullOrEmpty(entry)) {
                        ValidateString(entry, name, requestCollection);
                    }
                }
            }
        }
 /// <summary>
 /// Public entry point that forwards to <c>IsValidRequestString</c> with the same arguments
 /// and returns its result.
 /// </summary>
 public bool InvokeIsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex) {
     bool accepted = IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
     return accepted;
 }
 /// <summary>
 /// Default validation: header values are always accepted; any other value is valid unless
 /// <c>CrossSiteScriptingValidation.IsDangerousString</c> flags it.
 /// </summary>
 /// <param name="context">Not consulted by this implementation.</param>
 /// <param name="value">The request data to check.</param>
 /// <param name="requestValidationSource">The part of the request the data came from.</param>
 /// <param name="collectionKey">Not consulted by this implementation.</param>
 /// <param name="validationFailureIndex">0 for headers; otherwise the index reported by <c>IsDangerousString</c>.</param>
 /// <returns>true when the value is accepted; otherwise false.</returns>
 protected internal virtual bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
 {
     if (requestValidationSource != RequestValidationSource.Headers)
     {
         bool dangerous = CrossSiteScriptingValidation.IsDangerousString(value, out validationFailureIndex);
         return !dangerous;
     }

     // Ignore Headers collection in the default implementation
     validationFailureIndex = 0;
     return true;
 }
        /// <summary>
        /// Placeholder body: sets the failure index to 0 and returns false without examining any
        /// argument.
        /// </summary>
        protected internal virtual new bool IsValidRequestString(System.Web.HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            // Same values as default(int) and default(bool).
            validationFailureIndex = 0;

            return false;
        }