QD Feed Parser and HttpWebRequest

In case you're unfamiliar with how HttpWebRequest works in .NET 1.1 SP1 and up, here's the run-down:

When presented with an invalid response, the SP1 version of HttpWebRequest will fail. The client application raises an exception, but the server is really at fault here and should be fixed; the client is only protecting itself by refusing a non-conformant, potentially dangerous response.

By default, if you query a feed with invalid headers, like the Hacker News RSS feed, QDFeedParser will raise a System.Net.WebException despite the fact that the feed looks ostensibly valid.

Enable "useUnsafeHeaderParsing" Programmatically via HttpFeedFactory

Suppose you want to live dangerously and parse feeds with unsafe HTTP headers. That's fine - built into the HttpFeedFactory class is a static method which you can use to set your application's "useUnsafeHeaderParsing" value to true or false programmatically at run-time. Here's what that looks like:

 bool enabled = /* HttpFeedFactory's static method, called with true (the call itself is not preserved on this page) */;
 if (enabled)
 {
     //Unsafe HTTP header parsing is now active throughout your application
 }
 else
 {
     //The method was unable to enable unsafe HTTP header parsing - usually due to an issue with accessing your application's configuration values
 }

Bear in mind that what you're doing amounts to disabling a security feature throughout your entire AppDomain. useUnsafeHeaderParsing cannot be set to true on a per-request basis: once the configuration value is modified it propagates throughout your entire application, so other parts of your application that handle HttpWebRequests might become vulnerable to HTTP response splitting attacks. Therefore it is my recommendation that you use this feature sparingly.
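One way to act on that recommendation, as an added example that is not QDFeedParser's own code: fetch the feed strictly first, relax header parsing only when the strict fetch fails with the ServerProtocolViolation status described above, only for feed hosts you have explicitly allowlisted, and switch the setting back off in a finally block so an exception can never leave it enabled. The toggle itself reflects into the .NET Framework's internal System.Net.Configuration.SettingsSectionInternal type (its static Section property and useUnsafeHeaderParsing field); those internal names, the LenientFeedFetcher class and the feeds.example.com allowlist entry are assumptions of this example, not anything the page or the project defines.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Configuration;
using System.Reflection;

// Added example, not QDFeedParser code. Confines the AppDomain-wide
// useUnsafeHeaderParsing switch to the shortest possible window and to an
// explicit allowlist of feed hosts, and always restores the safe default.
public static class LenientFeedFetcher
{
    // Only these hosts may ever be fetched with the protocol check relaxed.
    // Constructed sample entry; populate from your own configuration.
    private static readonly HashSet<string> LenientHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "feeds.example.com" };

    // Serialises toggling so callers of this helper cannot interleave
    // enable and disable. It does NOT protect HttpWebRequests issued
    // elsewhere in the AppDomain during the window (see the caveat above).
    private static readonly object Gate = new object();

    // Flips the internal System.Net setting via reflection. The type name
    // System.Net.Configuration.SettingsSectionInternal, its static "Section"
    // property and its "useUnsafeHeaderParsing" field are .NET Framework
    // internals and are assumptions here; returns false if any is missing.
    public static bool SetUnsafeHeaderParsing(bool enable)
    {
        Assembly system = typeof(SettingsSection).Assembly;
        Type internalSection = system.GetType("System.Net.Configuration.SettingsSectionInternal");
        if (internalSection == null) return false;

        object section = internalSection.InvokeMember("Section",
            BindingFlags.Static | BindingFlags.GetProperty | BindingFlags.NonPublic,
            null, null, new object[0]);
        if (section == null) return false;

        FieldInfo field = internalSection.GetField("useUnsafeHeaderParsing",
            BindingFlags.NonPublic | BindingFlags.Instance);
        if (field == null) return false;

        field.SetValue(section, enable);
        return true;
    }

    // Strict fetch first; a lenient retry happens only for a protocol
    // violation from an allowlisted host, and the switch is always reset.
    public static string DownloadFeed(Uri feedUri)
    {
        try
        {
            return Download(feedUri);
        }
        catch (WebException ex)
        {
            // Any other failure, or a non-conformant response from a host we
            // have not vetted, is refused exactly as the framework refuses it.
            if (ex.Status != WebExceptionStatus.ServerProtocolViolation
                || !LenientHosts.Contains(feedUri.Host))
                throw;

            lock (Gate)
            {
                if (!SetUnsafeHeaderParsing(true))
                    throw new InvalidOperationException(
                        "Could not enable unsafe header parsing; check access to the application configuration.", ex);
                try
                {
                    return Download(feedUri);
                }
                finally
                {
                    SetUnsafeHeaderParsing(false); // restore the secure default
                }
            }
        }
    }

    private static string Download(Uri uri)
    {
        var request = (HttpWebRequest)WebRequest.Create(uri);
        request.Timeout = 15000; // milliseconds; a hung feed must not hold the lock open
        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            return reader.ReadToEnd();
        }
    }
}
```

The allowlist and the strict-first ordering are the two design choices that matter: a feed you have never looked at gets no leniency at all, and a feed that happens to be fixed upstream stops triggering the retry without any code change. The lock narrows the window but cannot close it, because, as the paragraph above says, the setting is AppDomain-wide; any other HttpWebRequest in flight during the retry is parsed leniently too.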

If you'd like to learn more about my reasoning for including this feature in the project, check out Programmer's Dilemma: Baby-Proofing vs. Giving Guns to Monkeys.

Last edited Jun 30, 2010 at 6:10 PM by Aaronontheweb, version 3