Why do I get "The server committed a protocol violation"?

[Guest]

I have an application that is making an HTTP request with
HttpWebRequest.GetRequest. Unless I set 'httpWebRequest
useUnsafeHeaderParsing="true"' in the web.config, I get a
'The server committed a protocol violation. Section=ResponseStatusLine' error.

Here is an example of the session that generates the error:

--- snip ---
GET <someURL> HTTP/1.0

Host: <host>:<port>

Connection: Keep-Alive



HTTP/1.0 200 OK
Server: III 100
MIME-version: 1.0
Date: Tue, 13 Jan 1970 21:58:08 GMT
Expires: Wed, 19 Jul 2006 16:07:48 GMT
Content-Type: text/html; charset=UTF-8

<HTML><BODY>
RETCOD=0<BR>
</BODY></HTML>
--- snip ---

What is it about those headers in the HTTP response that is unsafe? Is it
the wacky date, or something more subtle?

 

[Steven Cheng[MSFT]]

Hello Scott,

Thank you for posting in the MSDN newsgroup.

From your description, you're using the HttpWebRequest component to send
some http request to some external web resource in your ASP.NET web
application. However, you're always getting the "The server committed a
protocol violation. Section=ResponseStatusLine" error unless you set the
following section in the web.config file:

==========
<system.net>
<settings>
<httpWebRequest useUnsafeHeaderParsing="true" />
</settings>
</system.net>
==========

and you're wondering the cause of this behavior ,correct?

As for this issue, I've performed some research on this and found that the
problem is actually caused by the critical http header parsing/validating
of the HttpWebRequest component. According to the Http
Specification(http1.1), the HTTP header keys shoud specifically not include
any spaces in their names. However, some web servers do not fully respect
standards they're meant to. Applications running on the Dotnet framework
and making heavy use of http requests usually use the httpWebRequest class,
which encapsulates everything a web oriented developer could dream of. With
all the recently issues related to security, the "httpWebRequest" class
provides a self protection mechanism preventing it to accept HTTP answers
which not fully qualify to the specifications.

The common case is having a space in the "content-length" header key. The
server actually returns a "content length" key, which, assuming no spaces
are allowed, is considered as an attack vector (HTTP response split
attack), thus, triggering a "HTTP protocol violation error" exception.


And it is possible since the 1.1 SP 1 DotNet version to disable this error
check. Fortunately, DotNet allows you to modify some parameters directly
through a simple text configuration file . and that's just the setting
you mentioned ealier in your message.

<configuration>
<system.net>
<settings>
<httpWebRequest useUnsafeHeaderParsing="true" />
</settings>
</system.net>
</configuration>

Hope this helps clarify this problem some.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to

http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial

response from the community or a Microsoft Support Engineer within 1
business day is

acceptable. Please note that each follow up response may take approximately
2 business days

as the support professional working with you may need further investigation
to reach the

most efficient resolution. The offering is not appropriate for situations
that require

urgent, real-time or phone-based interactions or complex project analysis
and dump analysis

issues. Issues of this nature are best handled working with a dedicated
Microsoft Support

Engineer by contacting Microsoft Customer Support Services (CSS) at

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Steven Cheng[MSFT]]

#How to: Configure Network Tracing
http://msdn2.microsoft.com/en-us/library/ty48b824.aspx

#Interpreting Network Tracing

 

[Steven Cheng[MSFT]]

Hello Scott,

Just forget to mention that if you're developing under .net framework 2.0,
you can utilize the new Network Tracing feature to trace the processing in
those network components such as the classes in System.Net namespace. This
would be helpful for intercepting network component's communication:


#How to: Configure Network Tracing
http://msdn2.microsoft.com/en-us/library/ty48b824.aspx

#Interpreting Network Tracing
http://msdn2.microsoft.com/en-us/library/46fcs6sz.aspx

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[edudfla]

KeepAlive.

Hi.
I had the same issue when trying to connect through a proxy.
Reseting KeepAlive attribute from HttpWebRequest (changing it to false) solved the problem.

 

[keif]

Hi all,
it seems that this is also a problem when trying to post to a web server that returns pure text. I was trying to do a native SOAP call to an apache web server. The server actually answered the call, but was just producing mumbo-jumbo text, or so it seemed. It turned out that I was using a port used for JAVA RMI... *sigh* Anyway, since the server returned pure text, there were no header, thereof the message.

I hope this helps someone.