QD Feed Parser and HttpWebRequest
In case you're unfamiliar with how
works in .NET 1.1 SP1 and up,
here's the run-down
When presented with [an invalid] response, the SP1 version of HttpWebRequest [will fail.] As you can see, the client application will raise an exception but the server is really at fault here and should be fixed. The client only protect itself
by refusing a non-conformant, potentially dangerous response.
By default, if you query a feed with invalid headers, like the
Hacker News RSS feed
, QDFeedParser will raise a
despite the fact that the feed looks ostensibly valid.
Enable "useUnsafeHeaderParsing" Programmatically via HttpFeedFactory
Suppose you want to live dangerously and parse feeds with unsafe HTTP headers. That's fine - built into the
class is a static method which you can use to set your application's "useUnsafeHeaderParsing" value to true or false programmatically at run-time. Here's what that looks like:
//Unsafe HTTP header parsing is now active throughout your application
//The method was unable to enable unsafe HTTP header parsing - usually due to an issue with accessing your application's configuration values
Bear in mind that what you're doing amounts to disabling a security feature throughout your entire AppDomain.
useUnsafeHeaderParsing cannot be set to true on a per-request basis - once the configuration value is modified it will propagate throughout
your entire applicaiton, so other parts of your application which handle HttpWebRequests might be vulnerable to HTTP split response attacks. Therefore it is my recommendation that you
use this feature sparingly
If you'd like to learn more about my reasoning for including this feature in the project, check out
Programmer's Dilemma: Baby-Proofing vs. Giving Guns to Monkeys