How to set useUnsafeHeaderParsing in code
37,538
Solution 1
You need to set this is in your web.config, inside <system.net> section, like this:
<system.net>
<settings>
<httpWebRequest useUnsafeHeaderParsing="true" />
</settings>
</system.net>
If, for some reason, you do not want to do it from your config, you could do it from code by prgrammatically setting your config settings. See this page for an example.
Solution 2
As Edwin has pointed out you need to set the useUnsafeHeaderParsing attribute in your web.config or app.config file. If you really want to change the value dynamically at runtime, then you'll have to resort to reflection as the value is buried in an instance of System.Net.Configuration.SettingsSectionInternal and not publicly accessible.
Here is a code example (based on the info found here) that does the trick:
using System;
using System.Net;
using System.Net.Configuration;
using System.Reflection;
namespace UnsafeHeaderParsingSample
{
class Program
{
static void Main()
{
// Enable UseUnsafeHeaderParsing
if (!ToggleAllowUnsafeHeaderParsing(true))
{
// Couldn't set flag. Log the fact, throw an exception or whatever.
}
// This request will now allow unsafe header parsing, i.e. GetResponse won't throw an exception.
var request = (HttpWebRequest) WebRequest.Create("http://localhost:8000");
var response = request.GetResponse();
// Disable UseUnsafeHeaderParsing
if (!ToggleAllowUnsafeHeaderParsing(false))
{
// Couldn't change flag. Log the fact, throw an exception or whatever.
}
// This request won't allow unsafe header parsing, i.e. GetResponse will throw an exception.
var strictHeaderRequest = (HttpWebRequest)WebRequest.Create("http://localhost:8000");
var strictResponse = strictHeaderRequest.GetResponse();
}
// Enable/disable useUnsafeHeaderParsing.
// See http://o2platform.wordpress.com/2010/10/20/dealing-with-the-server-committed-a-protocol-violation-sectionresponsestatusline/
public static bool ToggleAllowUnsafeHeaderParsing(bool enable)
{
//Get the assembly that contains the internal class
Assembly assembly = Assembly.GetAssembly(typeof(SettingsSection));
if (assembly != null)
{
//Use the assembly in order to get the internal type for the internal class
Type settingsSectionType = assembly.GetType("System.Net.Configuration.SettingsSectionInternal");
if (settingsSectionType != null)
{
//Use the internal static property to get an instance of the internal settings class.
//If the static instance isn't created already invoking the property will create it for us.
object anInstance = settingsSectionType.InvokeMember("Section",
BindingFlags.Static | BindingFlags.GetProperty | BindingFlags.NonPublic, null, null, new object[] { });
if (anInstance != null)
{
//Locate the private bool field that tells the framework if unsafe header parsing is allowed
FieldInfo aUseUnsafeHeaderParsing = settingsSectionType.GetField("useUnsafeHeaderParsing", BindingFlags.NonPublic | BindingFlags.Instance);
if (aUseUnsafeHeaderParsing != null)
{
aUseUnsafeHeaderParsing.SetValue(anInstance, enable);
return true;
}
}
}
}
return false;
}
}
}
Solution 3
If you did't want use Reflection, you can try this code (System.Configuration.dll reference):
using System.Configuration;
using System.Net.Configuration;
var config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
var settings = (SettingsSection)config.GetSection("system.net/settings");
settings.HttpWebRequest.UseUnsafeHeaderParsing = true;
config.Save(ConfigurationSaveMode.Modified);
ConfigurationManager.RefreshSection("system.net/settings");
Comments
-
Barka about 4 years
I am getting the following exception:
The server committed a protocol violation. Section=ResponseHeader Detail=CR must be followed by LF
From this question:
I understand that I need to set useUnsafeHeaderParsing to True.
Here is my code:
HttpWebRequest myReq = (HttpWebRequest)WebRequest.Create(url); WebResponse myResp = myReq.GetResponse(); //exception is thrown hereuseUnsafeHeaderParsing is a property of HttpWebRequestElement class.
How do I integrate it in the above code?
-
TheMuyu over 9 yearshow this code add to "app.config" in c# webform application ?
-
Kiquenet about 6 yearsI usehttpClient.PostAsync. I get ServerProtocolViolation Error. I setuseUnsafeHeaderParsingto true. Now I get ArgumetOutOfRangeException:System.Net.Http.HttpResponseMessage..ctor(HttpStatusCode statusCode) -
cubesnyc over 5 yearsI attempted this solution with a c# 7.1 console app, adding it to app.config, but it did not resolve the issue. Any idea why?
-
alekop about 4 yearsIs this change permanent, or does it only apply to the current request?
-
TheNerdyNerd over 3 yearsThanks for this helped our scenario where we have called plugins not a full app where we do not have config files.
-
pwrgreg007 about 3 yearsI added this to a .Net Framework application some time ago, and it works. We're switching that app to .Net Standard 2.1, and System.Net.dll is not supported. Has anyone tried to solve this problem for a .Net Standard or .Net Core application? -
j4jada over 2 yearsIs there a way to do the same in .Net core or how do i deal with some unsafe headers returned by a server in .Net Core? -
Michael about 2 yearsWow, finding this answer after reading about this link. Never expected this might still be required by someone in framework 4.8. Though it does help to address the issue asked, so fair enough. But one "but", about the paragraph in the docslink: Setting this property to true has security implications, so it should only be done if backward compatibility with a server is required. I'm curious what would be the best next thing in this case!
