Today, I am pleased to bring you a guest posting from one of my colleagues, Daisuke Maki, Escalation Engineer for Web Developer technologies in Microsoft Japan. In fact this is the English translation of Daisuke’s original posting in Japanese which is available here.
“For security reasons, ASP.NET (1.1 and 2.0) limited the maximum length of User-Agent strings to 256 characters. We have released fixes so that ASP.NET recognizes User-Agent strings that contain as many as 512 characters.
ASP.NET 1.1
- Knowledge Base Article
FIX: You cannot browse an ASP.NET 1.1 Web site if the User-Agent string that is in the browser contains more than 256 characters http://support.microsoft.com/kb/974762/en-us
- Hotfix packages
Version: System.Web.dll >= 1.1.4322.2456
Please contact Microsoft Support to get the package.
- Symptom
When ASP 1.1 receives a request with a User-Agent string exceeding 256 characters, ASP.NET 1.1 can’t recognize the browser and Request.Browser.Browser is “Unknown”. ASP.NET then renders the page for the lowest-functionality browser (e.g. JavaScript for client-side validation is not rendered). As a result, the content of the Web site may not render correctly.
- Repro Steps
1) Put the following file as “test.aspx”
UA:<% = Request.UserAgent %><BR>
Browser:<% = Request.Browser.Browser %><BR>
<form id="Form1" runat="server">
  <asp:TextBox id="TextBox1" runat="server" ForeColor="Lime" BackColor="Red"></asp:TextBox>
</form>
2) Add the following registry value to the client computer.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
Test REG_SZ (long string. For example 0123456789012345……)
3) Access the page. You can find that Request.Browser.Browser is “Unknown” and the ForeColor and BackColor of TextBox1 are lost.
- Workaround
Add the following browserCaps element to the application’s web.config. This setting means “if UserAgent.Length > 256 then the browser is IE6”
<browserCaps>
  <filter>
    <case match="^$">
      browser=IE
      version=6.0
      majorversion=6
      minorversion=0
      win32=true
      platform=WinXP
      frames=true
      tables=true
      cookies=true
      backgroundsounds=true
      vbscript=true
      javascript=true
      javaapplets=true
      activexcontrols=true
      tagwriter=System.Web.UI.HtmlTextWriter
      ecmascriptversion=1.2
      msdomversion=6.0
      w3cdomversion=1.0
      css1=true
      css2=true
      xml=true
      isMobileDevice="false"
    </case>
  </filter>
</browserCaps>
ASP.NET 2.0
- Knowledge Base Article
FIX: You may not successfully browse an ASP.NET Web site if the User-Agent string contains more than 256 characters http://support.microsoft.com/kb/962204/en-us
- Hotfix packages
For Windows 2000, XP, 2003
Version: System.Web.dll >= 2.0.50727.4028
URL: http://code.msdn.microsoft.com/KB969612
For Windows Vista, 7, 2008
Version: System.Web.dll >= 2.0.50727.4013
URL: http://code.msdn.microsoft.com/KB967535
- Symptom
When ASP 2.0 receives a request with a User-Agent string exceeding 256 characters, ASP.NET 2.0 truncates the string at 256 characters. After that, some information that is contained in the string may become invalid. As a result, the page may raise an error.
- Repro Steps
1) Put the following file as “test.aspx”
UA:<% = Request.UserAgent %><BR>
ClrVer:<% = Request.Browser.ClrVersion %>
2) Access the page using the Request Builder of Fiddler2 (https://www.fiddler2.com/fiddler2/). Set its User-Agent to:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YTB720; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.4; OfficeLivePatch.1.3; YJSG3)
NOTE: ASP.NET truncates this string to “Mozilla/4.0 …. .NET CLR 3”. ASP.NET can’t read ClrVersion from “.NET CLR 3”.
3) You can see an error with a stack trace similar to the following:
[ArgumentException: Version string portion was too short or too long.]
System.Version..ctor(String version) +7477288
System.Web.Configuration.HttpCapabilitiesBase.GetClrVersions() +376
System.Web.Configuration.HttpCapabilitiesBase.get_ClrVersion() +7
- Workaround
None.”
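The ASP.NET 2.0 repro above, modelled as an added example (it is not code from the post or from System.Web). The token pattern and the `parse_version` rule of two to four integer components are assumptions that model the behaviour the stack trace points to; the function names are hypothetical.

```python
import re

# The User-Agent from the repro step, split across lines only for readability.
REPRO_UA = (
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YTB720; GTB6; "
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; "
    ".NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; "
    ".NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; "
    "OfficeLiveConnector.1.4; OfficeLivePatch.1.3; YJSG3)"
)

# Assumed token pattern: a model for this example, not the System.Web source.
CLR_TOKEN = re.compile(r"\.NET CLR ([0-9.]*)")


def parse_version(text):
    """Model of System.Version(String): two to four integer components."""
    parts = text.split(".")
    if not 2 <= len(parts) <= 4:
        raise ValueError("Version string portion was too short or too long.")
    # An empty component (for example "3.") fails here as well.
    return tuple(int(p) for p in parts)


def clr_versions(user_agent, limit):
    """Truncate to `limit` characters, then parse every .NET CLR token."""
    seen = user_agent[:limit]
    return [parse_version(m.group(1)) for m in CLR_TOKEN.finditer(seen)]


def failing_limits(user_agent, low, high):
    """Every truncation length in [low, high] at which parsing throws."""
    bad = []
    for limit in range(low, high + 1):
        try:
            clr_versions(user_agent, limit)
        except ValueError:
            bad.append(limit)
    return bad


if __name__ == "__main__":
    print(repr(REPRO_UA[:256][-10:]))          # tail the unpatched runtime sees
    print(failing_limits(REPRO_UA, 240, 270))  # limits that cut a token short
    print(max(clr_versions(REPRO_UA, 512)))    # highest CLR version at 512
```

Only truncation lengths that land inside a version token fail, which is why the error depends on the exact set of toolbars and add-ons a client has appended to its User-Agent.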
Thank you Daisuke!
One further note. When we were looking into this issue I did some parsing of IIS logs for a public facing web site I look after. From that I found that only a fairly small proportion of requests show a User-Agent string exceeding 256 and a minuscule proportion (about 1 or 2 in 10000 if I recall correctly) exceeding 512. Most cases of very large User-Agent strings were where this field was being (arguably inappropriately) overloaded for other purposes.
HTH
Doug
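A log check of the kind described in the note above, as an added example (it is not the author's script). It assumes IIS W3C extended logs with the `cs(User-Agent)` field enabled; the sample lines are constructed and the function name is hypothetical.

```python
from collections import Counter

OLD_LIMIT, NEW_LIMIT = 256, 512  # the two limits named in the post

# Constructed W3C extended log lines (documentation IPs, invented requests).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status",
    "2009-11-02 10:00:01 GET /default.aspx 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+8.0) 200",
    "2009-11-02 10:00:02 GET /default.aspx 192.0.2.11 Mozilla/4.0+(" + "x" * 300 + ") 200",
    "2009-11-02 10:00:03 GET /test.aspx 192.0.2.12 Tracker/1.0+" + "k=v;" * 150 + " 500",
    "2009-11-02 10:00:04 GET /default.aspx 192.0.2.13 - 200",
]


def ua_length_buckets(lines):
    """Bucket requests by User-Agent length against the 256 and 512 limits."""
    buckets = Counter()
    ua_index = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            # The column order can change mid-file, so re-read it every time.
            fields = line.split()[1:]
            ua_index = fields.index("cs(User-Agent)") if "cs(User-Agent)" in fields else None
            continue
        if not line or line.startswith("#") or ua_index is None:
            continue
        cols = line.split(" ")
        if len(cols) <= ua_index:
            buckets["malformed"] += 1
            continue
        ua = cols[ua_index]
        # IIS logs each space as '+', one for one, so the length is unchanged.
        length = 0 if ua == "-" else len(ua)
        if length > NEW_LIMIT:
            buckets["over_512"] += 1
        elif length > OLD_LIMIT:
            buckets["257_to_512"] += 1
        else:
            buckets["up_to_256"] += 1
    return buckets


if __name__ == "__main__":
    for label, count in sorted(ua_length_buckets(SAMPLE_LOG).items()):
        print(label, count)
```

Requests in the `257_to_512` bucket are the ones the hotfix starts handling correctly; those in `over_512` remain over the limit after patching.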