Hello,
We are facing the below issues and so the requests are blocked by Web Application Firewall (Imperva Secure Sphere Firewall).
1. Extremely Long Parameter HTTP/1.x Protocol Policy - Grid_clientState parameter value Part Size : 5132 Limit : 4096 Truncated
2: ../../ Found In : post-parameters Offset : 1022 Dictionary Name
Kindly let us know the solution to proceed further.
Thanks in Advance
Thank you for your question.
To be honest this is the first time I hear about such a problem. I assume this might be related to the ViewState of the grid or page, which means that it should be cleared out at some point. I did a quick check with the official ASP.NET View State article, and they are only mentioning clearing a view state when persisting it manually:
"The second challenge arises because, each time a user visits a different page, a new file holding that page's view state will be created. Over time this will lead to thousands of files. Some sort of automated task would be needed to periodically clean out the view state files older than a certain date. I leave this as an exercise for the reader."
For the second issue, the PFA screenshot
../../ Found In : post-parameters Offset : 1022 Dictionary Name
Kindly help us to resolve the issue
Hi,
We have managed to get rid of the ../ symbols by updating the infragistics.web config section in the Web.config file, providing the absolute path instead of the relative path in styleSetPath, except for the WebDataTree control:
<infragistics.web styleSetName="Default" styleSetPath="http://<domainname>/eFACiLiTY_Dev_Latest/ig_res" />
For the View State issue, when setting the EnableAjaxViewState and EnableDataViewState properties to false on the Grid, the existing functionalities of the Grid, such as Editor Providers assigned to columns, are not appearing in the Grid. We are binding a DataSet to the grid server side.
Please find the attached screenshot for WebDataTree containing ../ in "res" parameter.
Hi there, I believe Hristo suggested to set EnableAjaxViewState and EnableDataViewState to true. Could you please try setting them to true and see what would be the result? Also, each ASP control supports enabling ViewState individually and setting client IDs as well - you can go ahead and enable it to the desired controls.
Hello, We are already using EnableAjaxViewState and EnableDataViewState to true for the webdatagrid control.
As suggested by Hristo, we have disabled them and the Editor Providers were not loaded in the Grid.
By default, ViewState is enabled for all controls and we are not setting the ViewState to false for any of the controls.
Kindly let us know on the below for Directory Traversal Issue.
“../” is not changed even after moving ig_res folder to the directory where the page resides for one particular post variable “res”.
Please find the attached screenshot for reference.
Changes made in the code:
Reflection in Response:
The inference is that “../” in res variable in the response is not for StyleSetPath and is used for some other purpose. Image paths are not shown in the control if the images are within the folder itself.
What is the content that is getting accessed (requiring directory traversal) by this entry in the post value?
And is there a way that this directory traversal can be avoided, by using any relevant property for the control – similar to StyleSetPath property for WebDataTree control?
I am stuck with the firewall issues and unable to move forward. A quick response/resolution will be of great help.
Thanks in advance
Thank you
Kindly let us know the status of the above issue.
Did you have the chance to see my last reply?
"Can you please confirm that the suggestion worked and after disabling the ViewState the size limit error is no longer present? If that is the case and only the editor providers issue remains, then I can suggest you re-create the editor providers dynamically on every postback - providing some configuration code would be highly appreciated.
About the ig_res path, could you please elaborate on what exactly the problem is? The ig_res folder contains all styles for the IG controls, and each style will have a sub-folder for its images. If you want to separate the images folder from ig_res, that won't be possible. The <infragistics.web> tag does not provide a property to set the path for the images folder separately.
Could you please keep in mind that this Imperva firewall tool that you are using might be configured with strict rules that we do not comply with, which means that you might consider performing some changes there as well in order to pass these checks or at least soften them.
Also, could you please share the exact version of our product that you are using?"
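A local pre-check for the two WAF rules quoted in this thread, as an added example that is not part of the original posts and is not Infragistics or Imperva code: it scans a captured form-encoded POST body for parameters over the 4096-byte limit and for `../` sequences, so a change such as the absolute styleSetPath can be verified before the request reaches the firewall. The function name, the sample body, and the way size and offset are measured are assumptions.

```python
from urllib.parse import unquote_plus

MAX_PARAM_BYTES = 4096   # limit quoted in the WAF alert in this thread
TRAVERSAL_MARKER = "../"  # sequence quoted in the WAF alert in this thread


def audit_form_body(body, limit=MAX_PARAM_BYTES):
    """Audit an application/x-www-form-urlencoded body (hypothetical helper).

    Returns a list of (parameter name, rule, detail) tuples. Size is measured
    on the URL-decoded value in UTF-8 bytes and the offset is a character
    position in the decoded value; how the WAF measures both is an assumption.
    """
    findings = []
    for pair in body.split("&"):
        if not pair:
            continue
        raw_name, _, raw_value = pair.partition("=")
        name = unquote_plus(raw_name)
        value = unquote_plus(raw_value)  # decodes %2F, so "..%2F" is caught too

        size = len(value.encode("utf-8"))
        if size > limit:
            findings.append((name, "long-parameter", size))

        offset = value.find(TRAVERSAL_MARKER)
        if offset != -1:
            findings.append((name, "traversal-sequence", offset))
    return findings


# Constructed sample body: parameter names come from the thread,
# the values are made up to trigger each rule once.
SAMPLE_BODY = (
    "Grid_clientState=" + "A" * 5132
    + "&res=" + "x" * 1022 + "..%2F..%2Fig_res%2FDefault%2Fimages"
    + "&__EVENTTARGET=Grid"
)

if __name__ == "__main__":
    for name, rule, detail in audit_form_body(SAMPLE_BODY):
        print(f"{name}: {rule} ({detail})")
```

Feed it the raw POST body captured from the browser's developer tools or a proxy log; an empty result means neither rule would match under the stated assumptions.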