"Too many errors occured while downloading files...&quo

[cpdaniel]

This morning after checking in several dozen files on my dev machine, I went to my build machine and did a Get Latest (from the Vault 2.0.6 client) only to receive the error mentioned in the subject. As near as I can tell, 0 files were successfully gotten from the server.

What's going on? Where will I find a listing of the alleged errors that were too numerous to continue?

[cpdaniel]

Follow-up. After quitting the Vault Client (which had just been started) and starting it again, everything's back to normal.

One possibility, in case it rings a bell, is that there might have been two vault clients running on this machine, connected to the same repository, but probably accessing different sub-direcctories. I can't tell if that was really the case, but it's possible so I thought I'd mention it.

While everything's back to normal, I'd still like to know where I can find the too numerous errors - I assume they are logged somewhere...

[jclausius]

cd:

Check your server's sgvault.log. If there were any errors after the files were transferred, the server would log any problems it encountered in there.

[cpdaniel]

Right about the right time in the server log there's a cluster of messages identical to this one:

----10/22/2004 9:52:15 AM cdaniel--cbbdev.calnet.com(127.0.0.1)--SSL Disabled
A potentially dangerous Request.Cookies value was detected from the client (_authHdr="...cR4QH6j0y7oNlKDdrBPsPA==").

After I had the errors the first time, I cycled the ASP.NET worker process (which I see in the log), and then there's another cluster of those error messages. Then I cycled the Vault client and everything was OK.

Anything for me to worry about?

[jclausius]

Carl:

Is this an error you just encountered? If so, have you installed URL scan, IIS lockdown or other tools installed on the Vault server? What about installations of Sharepoint, .Net 2.0 Beta?

------------------------

Others .Net users (non-Vault apps) have posted this error message. Here is a suggestion from Microsoft:

Double check the client's Network settings. The server should be a trusted server, and check the privacy / cookie settings are allowed from the Vault server

Source: http://groups.google.com/groups?hl=en&l ... 26rnum%3D9

---------------

Another posting suggests adding ValidateRequest="false" to the <%@Page language="c#" Codebehind="VaultFileDownload.aspx.cs" ... %> in VaultFileDownload.aspx

Source:
http://dotnetjunkies.com/WebLog/warstar ... /9554.aspx

---------------

I'm not willing to make any recommendations until we know more about the security settings for IE on the build machine, and any Vault server changes which may have affected the settings for Vault's web.config.

[cpdaniel]

I only saw this error the one time. As far as I know no changes have been made to the machine (in this case, the client was in fact running on the server machine itself). If I learn any more about changes to the machine configuration, I'll post again.

[jclausius]

If you scan any other sgvault.log(s), are there any other instances of this error?

[cpdaniel]

No other ocurrences logged either before or after the one time I saw it.

I'm still researching, but so far I haven't found any evidence of anything having been installed or changed on the server.

[jclausius]

Carl:

This is a strange error, which is being generated by the .Net framework. There's not too much information I can find related to the error except some people suggest it is related to the user's security settings and the IIS server.

Has the problem subsided?

[cpdaniel]

It just happend the one time. In all my investigations, I was unable to identify anything that changed in the server configuration to either cause or cure the problem. I'll just have to keep my eyes open - thanks for the help.

I'm a Microsoft MVP - I'll see if I can find out anything about this error through my MVP contacts.

[jclausius]

I'm a Microsoft MVP

Hello "-cd".

If I'm not mistaken, I believe I've seen your postings in the ms.public.dotnet.languages.csharp newsgroup.

[cpdaniel]

One or two perhaps. I'm a C++ MVP, but occasionally there's something cross-posted. Ironically, I do nearly all of my work in C#, but C++ is still my "mother tongue".

[cpdaniel]

I did find some information on this exception: HttpRequestValidationException, raised from HttpRequest.ValidateString.

The code that raises it checks for various patterns, and it's called with each of the key/value pairs in Request.Cookies one at a time. The check tries to identify strings that might be cross-site scripting attacks.

In this case, the __authHdr cookie had the value

Code: Select all

...cR4QH6j0y7oNlKDdrBPsPA==

Clearly it's something that's been Base64 encoded. Looking about half way through the snippet of string, there's something that matches the pattern:

Code: Select all

oN[a-zA-Z]*=

which trips up the request validator into thinking that this cookie contains an expression like onClick=someHack().

It looks to me like this is a bug in ASP.NET's System.Web.CrossSiteScriptingValidation.IsDangerousString() that will cause certain legal cookie values to be rejected because they're similar enough to an HTML event handler definition to fool the validator. Any BASE64 encoded string would be vulnerable - it just needs the right combination of bit patterns in it.

This check can be turned off by setting validateRequest=false in the Page directive or in the <pages> configuration section.

[jclausius]

This check can be turned off by setting validateRequest=false in the Page directive or in the <pages> configuration section.

Another posting suggests adding ValidateRequest="false" to the <%@Page language="c#" Codebehind="VaultFileDownload.aspx.cs" ... %> in VaultFileDownload.aspx

This posting must have been on target. The posting goes on to say the framework changed the default behavior. I'll create a investigation request to look at this problem.

Thanks for your help.

[cpdaniel]

The change in default happened with the switch from .NET 1.0 to .NET 1.1.

It's just an unlikely enough scenario that it's taken this long for a occurrence or two to surface. Of course it's possible that other factors have caused a cookie matching the on[a-z]*= pattern to appear other than pure chance.