Casaba Security » HTTP http://www.casaba.com/blog Building and breaking software and robots Wed, 11 Jan 2012 18:08:45 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 useUnsafeHeaderParsing = what? http://www.casaba.com/blog/2008/06/useunsafeheaderparsing-what/ http://www.casaba.com/blog/2008/06/useunsafeheaderparsing-what/#comments Thu, 05 Jun 2008 22:02:31 +0000 Chris Weber As software security people we usually like input restrictions to be tight. With .Net's HttpWebRequestElement.UseUnsafeHeaderParsing Property you can loosen up the way HTTP requests get parsed.

Setting this property ignores validation errors that occur during HTTP parsing. The documentation from MSDN makes it pretty clear. When this property is set to 'true' then many HTTP RFC violations will be relaxed and ignored.

When this property is set to false, the following validations are performed during HTTP parsing:

* In end-of-line code, use CRLF; using CR or LF alone is not allowed.
* Headers names should not have spaces in them.
* If multiple status lines exist, all additional status lines are treated as malformed header name/value pairs.
* The status line must have a status description, in addition to a status code.
* Header names cannot have non-ASCII chars in them. This validation is performed whether this property is set to true or false.

When a protocol violation occurs, a WebException exception is thrown with the status set to ServerProtocolViolation. If the UseUnsafeHeaderParsing property is set to true, validation errors are ignored.

Setting this property to true has security implications, so it should only be done if backward compatibility with a server is required.

Let's keep an eye out for this option when it's set either programmatically or through web.config.


<configuration>
<system.net>
<settings>
<httpWebRequest useUnsafeHeaderParsing=”true” />
</settings>
</system.net>
</configuration>

]]> http://www.casaba.com/blog/2008/06/useunsafeheaderparsing-what/feed/ 0