Bug 7104 - BindingList documentation query results in security violation
Status: RESOLVED FIXED
Alias: None
Product: Documentation
Classification: Xamarin
Component: Multi-Platform ()
Version: unspecified
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: Jérémie Laval
URL:
Depends on:
Blocks:
 
Reported: 2012-09-12 12:50 UTC by bugzilla.jrpetit
Modified: 2012-11-15 11:35 UTC

Tags:
Is this bug a regression?: ---
Last known good build:


Description bugzilla.jrpetit 2012-09-12 12:50:25 UTC
1) go to http://docs.go-mono.com/

2) in the search field, type BindingList

3) from the search results click: BindingList Class (System.ComponentModel.BindingList)

4) Result:

Server Error in '/' Application

A potentially dangerous Request.QueryString value was detected from the client (link="T:System.Compon...").

Description: HTTP 500. Request validation detected a potentially dangerous input value from the client and aborted the request. This might be an attemp of using cross-site scripting to compromise the security of your site. You can disable request validation using the 'validateRequest=false' attribute in your page or setting it in your machine.config or web.config configuration files. If you disable it, you're encouraged to properly check the input values you get from the client.<br>
You can get more information on input validation <a href="http://www.cert.org/tech_tips/malicious_code_mitigation.html">here</a>.

Stack Trace:

System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (link="T:System.Compon...").
  at System.Web.HttpRequest.ThrowValidationException (System.String name, System.String key, System.String value) [0x00000] in <filename unknown>:0 
  at System.Web.HttpRequest.ValidateNameValueCollection (System.String name, System.Collections.Specialized.NameValueCollection coll, RequestValidationSource source) [0x00000] in <filename unknown>:0 
  at System.Web.HttpRequest.get_QueryString () [0x00000] in <filename unknown>:0 
  at System.Web.HttpRequest.get_Params () [0x00000] in <filename unknown>:0 
  at Mono.Website.Handlers.MonodocHandler.System.Web.IHttpHandler.ProcessRequest (System.Web.HttpContext context) [0x00000] in <filename unknown>:0 
  at System.Web.HttpApplication+<Pipeline>c__Iterator3.MoveNext () [0x00000] in <filename unknown>:0 
  at System.Web.HttpApplication.Tick () [0x00000] in <filename unknown>:0 
Version information: Mono Runtime Version: 2.10.8.1 (mono_2_10/28f09f8 Fri Mar 23 17:03:39 UTC 2012); ASP.NET Version: 4.0.30319.1
Comment 1 Darren Cook 2012-10-16 22:16:04 UTC
Documents for classes with a < or > in the name are triggering this.
E.g. search for "OrderBy", then choose, say, the 3rd suggestion:

http://docs.go-mono.com/?link=T%3aSystem.Linq.Enumerable%2fM%2fOrderBy%3CTSource%2cTKey%3E

I don't know how to get around this to view those docs, so I think (in the context of documentation, not the whole Mono project) this is a Severe bug.
Comment 2 Jérémie Laval 2012-11-15 11:35:10 UTC
Hi,

This was fixed and shouldn't happen anymore. Thanks for the report.
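
Added example (not part of this bug thread, and not the fix that was shipped, which the thread does not describe): one way to let generic-type links such as the one in comment 1 pass ASP.NET 4 request validation without turning validation off for the whole site, as the error text warns against doing unchecked. The class name DocLinkRequestValidator, the link grammar and the 256-character cap are assumptions made for illustration.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Util;

// Hypothetical class, not Monodoc's code. Registered in web.config with
//   <httpRuntime requestValidationType="DocLinkRequestValidator" />
public class DocLinkRequestValidator : RequestValidator
{
    // Assumed link grammar, inferred from the URL in comment 1:
    //   X:Dotted.Type.Name[<GenericArgs>][/X/Member[<GenericArgs>]]
    const string Args = @"(<[A-Za-z0-9_]+(, ?[A-Za-z0-9_]+)*>)?";
    static readonly Regex DocLink = new Regex(
        @"\A[A-Z]:[A-Za-z_][A-Za-z0-9_.]*" + Args +
        @"(/[A-Z]/[A-Za-z_][A-Za-z0-9_]*" + Args + @")?\z",
        RegexOptions.CultureInvariant);

    public static bool IsDocLink(string value)
    {
        // Length cap (constructed value) keeps the regex work bounded.
        return value != null && value.Length <= 256 && DocLink.IsMatch(value);
    }

    protected override bool IsValidRequestString(
        HttpContext context, string value,
        RequestValidationSource requestValidationSource,
        string collectionKey, out int validationFailureIndex)
    {
        // Relax the check for exactly one input: the "link" query-string key,
        // and only when the entire value fits the grammar above.
        if (requestValidationSource == RequestValidationSource.QueryString
            && collectionKey == "link" && IsDocLink(value))
        {
            validationFailureIndex = -1;
            return true;
        }
        // Every other key, source and value keeps the default validator.
        return base.IsValidRequestString(context, value,
            requestValidationSource, collectionKey, out validationFailureIndex);
    }

    // The validator is only an input filter: a page that echoes the link
    // must still HTML-encode it, since "<TSource,TKey>" is markup to a browser.
    public static string RenderLink(string link)
    {
        return "<code>" + HttpUtility.HtmlEncode(link) + "</code>";
    }
}
```

With this in place the decoded value from comment 1, T:System.Linq.Enumerable/M/OrderBy<TSource,TKey>, is accepted, while a link value that does not start with a type name after the prefix still falls through to the default check and is rejected.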