[Mono-bugs] [Bug 77778][Nor] New - MS/Mono incompatibility in System.Web.HttpRequest

bugzilla-daemon at bugzilla.ximian.com
Mon Mar 13 16:23:04 EST 2006

Please do not reply to this email; if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by nede at aliquant.com.


--- shadow/77778	2006-03-13 16:23:04.000000000 -0500
+++ shadow/77778.tmp.1961	2006-03-13 16:23:04.000000000 -0500
@@ -0,0 +1,48 @@
+Bug#: 77778
+Product: Mono: Class Libraries
+Version: 1.1
+OS: All
+OS Details: Fedora Core 4
+Status: NEW   
+Priority: Normal
+Component: Sys.Web
+AssignedTo: gonzalo at ximian.com                            
+ReportedBy: nede at aliquant.com               
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+Summary: MS/Mono incompatibility in System.Web.HttpRequest
+Description of Problem:
+The input validation that occurs in the CheckString method in
+HttpRequest.cs is far more strict than Microsoft's.  In this case, I would
+tend to say that Mono's validation is safer, but it is excessive.  After
+extensive testing, here is the regular expression that matches the logic
+used in MS's version: "<[a-zA-Z\\!]+"
+Steps to reproduce the problem:
+Serve the attached ASPX on Mono and Microsoft .NET.  You will notice that
+all of the buttons labeled "Valid" work in .NET but not in Mono.  The two
+marked "Not Valid" should not work in either implementation.
+Actual Results:
+Mono throws the "A potentially dangerous Request.Form value was detected
+from the client" exception when any of the buttons are clicked.
+Expected Results:
+The "A potentially dangerous Request.Form value was detected from the
+client" exception should only be thrown for the last two example buttons.
+How often does this happen? 
+Every time.
+Additional Information:
+Using Mono 1.1.13-4.
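
Review bot: "Steps to reproduce" depends entirely on "the attached ASPX", and the report text never lists the input strings behind the "Valid" and "Not Valid" buttons, so the claimed difference cannot be checked from the report alone; list each test string inline with its expected accept or reject result on both implementations. In the Description, the proposed pattern "<[a-zA-Z\\!]+" is written with a doubled backslash: state whether that is a C# string literal (giving the regex <[a-zA-Z\!]+) or the raw regex, because read as a raw regex the character class would also match a literal backslash after "<". Because the request is to loosen a check the report itself calls safer, any change to CheckString should come with tests that cover both the newly accepted inputs and the two inputs that must still raise the "potentially dangerous Request.Form value" exception.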
